Multiple Authorized Keys

Thomas Bonham [thomasbonham at bonhamlinux.org]


Mon, 3 Mar 2008 17:33:30 -0700

Anyone know of a way to have multiple ssh authorized_keys files for host key authentication for different users? I am familiar with the usual practice of echoing all of the users' keys into the authorized_keys file, but I am thinking in terms of if I have to revoke keys and disable user access. What I would like to do is have a setup similar to apache in that it can have files included in the conf directory. So this way I have a user name or identifying indicator of whose key is whose so I can revoke access as the necessity arises.

Thank you for all of your help.

Thomas



Ben Okopnik [ben at linuxgazette.net]


Mon, 3 Mar 2008 22:04:26 -0500

On Mon, Mar 03, 2008 at 05:33:30PM -0700, Thomas Bonham wrote:

> Anyone know of a way to have multiple ssh authorized_keys files for  
> host key authentication for different users. I am familiar with the  
> usual practice of echoing all of the users keys into authorized_keys  
> file but I am thinking in terms of if I have to revoke keys and  
> disable user access. 

If that's the only thing you're missing, that seems like it would be a simple fix:

sed -i '/ user@host$/d' ~/.ssh/authorized_keys

The space and the '$' on the end simply ensure that it's that specific user that gets axed.

> What I would like to do is have a setup similar  
> to apache in that it can have files included in the conf directory. So  
> this way I have a user name or identifying indicator of whose key is  
> whose so I can revoke access as the necessity arises.

I don't know of any method that's internal to SSH, but you could certainly set up an external resource that pairs the added keys with any identifying info you want, then allows you to manipulate them by that info. Conversely, you could use a config file - e.g., something similar to the Apache "include" format - that you would "compile" with some sort of a script to produce an ~/.ssh/authorized_keys instead of editing it directly.

Either approach would take a little coding, but - that's left as an exercise for the individual student. :)

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *



Kapil Hari Paranjape [kapil at imsc.res.in]


Tue, 4 Mar 2008 09:00:49 +0530

Hello,

On Mon, 03 Mar 2008, Thomas Bonham wrote:

> Anyone know of a way to have multiple ssh authorized_keys files for  
> host key authentication for different users.

As far as I can make out from "man sshd_config" this is not an option.

> this way I have a user name or identifying indicator of whose key is  
> whose so I can revoke access as the necessity arises.

Note that the general entry for the authorized keys file looks like:

	options type key comment
 
The options are optional(!).
The type is ssh-rsa or ssh-dsa (usually).
The key is, well, the public-key.
The comment is entirely up to you.

What I would do is give a comment which would tag the key. So you could put some unique identifier for the user as a comment. Then to revoke a key you only need to do:

	grep -v 'unique-id' .ssh/authorized_keys > .ssh/authorized_keys.new
	mv .ssh/authorized_keys .ssh/authorized_keys.old
	mv .ssh/authorized_keys.new .ssh/authorized_keys

Regards,

Kapil. --



Kapil Hari Paranjape [kapil at imsc.res.in]


Tue, 4 Mar 2008 09:05:41 +0530

Hello,

On Mon, 03 Mar 2008, Ben Okopnik wrote:

> The space and the '$' on the end simply ensure that it's that specific
> user that gets axed.

And he is right (as usual!).

On Tue, 04 Mar 2008, Kapil Hari Paranjape wrote:

> Then to revoke a key you only need to do:
> 	grep -v 'unique-id' .ssh/authorized_keys > .ssh/authorized_keys.new

So that should be:

	grep -v ' unique-id$' .ssh/authorized_keys > .ssh/authorized_keys.new

so that you only find the unique-id at the end of the line (just in case the unique-id was not unique enough not to appear inside the earlier fields!).

Regards,

Kapil. --
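The two ideas in this thread, Ben's "compile authorized_keys from an include-style directory" and Kapil's "tag each key with a comment and revoke on an anchored match", fit together in one small script. The following is an added example and is not code from the thread or from OpenSSH. It assumes a directory layout of keys.d/<user>.pub (one file per person, any number of keys per file) and the function names are its own. Instead of the ' unique-id$' regex it compares awk's last field ($NF) against the tag, which gives the same end-of-line anchoring without treating characters in the tag as regex metacharacters. Only the type and key fields are copied from each user's file, so a key file cannot smuggle in its own options or comment; policy stays with whoever runs the build.

```shell
#!/bin/sh
# Added example: assemble ~/.ssh/authorized_keys from keys.d/<user>.pub and
# revoke by the owner tag written into the comment field. Not from the thread.
set -eu

# build_authorized_keys KEYSDIR OUTFILE
# Each "type key ..." line in KEYSDIR/<name>.pub becomes "type key <name>".
# Lines that do not start with a known key type (blank, "#", or lines that
# begin with options) are skipped rather than copied blindly.
build_authorized_keys() {
    keysdir=$1
    out=$2
    tmp="$out.tmp.$$"
    : > "$tmp"
    for f in "$keysdir"/*.pub; do
        [ -e "$f" ] || continue            # no *.pub files at all
        name=$(basename "$f" .pub)
        awk -v tag="$name" '
            $1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ && NF >= 2 {
                print $1, $2, tag          # drop whatever comment/options the user supplied
            }' "$f" >> "$tmp"
    done
    chmod 600 "$tmp"
    mv "$tmp" "$out"                       # rename in the same directory is atomic
}

# revoke_key TAG FILE
# Remove every line whose last field is exactly TAG. Comparing the whole
# last field is the same idea as Kapil's " tag$" anchor: a tag that also
# appears inside a base64 key body is left alone.
revoke_key() {
    tag=$1
    file=$2
    tmp="$file.tmp.$$"
    awk -v tag="$tag" '$NF != tag' "$file" > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$file"
}

# count_keys FILE  -> number of key lines in FILE (0 when there are none)
count_keys() {
    awk '$1 ~ /^(ssh-|ecdsa-)/ { n++ } END { print n + 0 }' "$1"
}

# keys_for TAG FILE -> number of key lines currently tagged TAG
keys_for() {
    awk -v tag="$1" '$NF == tag { n++ } END { print n + 0 }' "$2"
}

# demo DIR: populate DIR/keys.d with constructed (fake) keys, build, revoke
# one user, and print the counts before and after.
demo() {
    d=$1
    mkdir -p "$d/keys.d"
    # Constructed sample keys; the base64 bodies are placeholders, not real keys.
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEaliceKEY0000000000000000 alice@laptop\n' \
        > "$d/keys.d/alice.pub"
    printf '# bob keeps two keys in one file\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEbobKEY1 bob@desk\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEbobKEY2 bob@laptop\n' \
        > "$d/keys.d/bob.pub"
    build_authorized_keys "$d/keys.d" "$d/authorized_keys"
    echo "after build:  $(count_keys "$d/authorized_keys") keys"
    revoke_key bob "$d/authorized_keys"
    echo "after revoke: $(count_keys "$d/authorized_keys") keys"
}

# Run the demo only when invoked as "./script.sh demo" so the functions can
# also be sourced from another script.
if [ "${1:-}" = demo ]; then
    demo "$(mktemp -d)"
fi
```

Re-running build_authorized_keys after deleting keys.d/bob.pub has the same effect as revoke_key bob, which is the advantage of Ben's compile approach: the per-user files are the record of who holds access, and authorized_keys is just their compiled form.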



Ben Okopnik [ben at linuxgazette.net]


Mon, 3 Mar 2008 23:19:26 -0500

On Tue, Mar 04, 2008 at 09:05:41AM +0530, Kapil Hari Paranjape wrote:

> Hello,
> 
> 
> On Mon, 03 Mar 2008, Ben Okopnik wrote:
> > The space and the '$' on the end simply ensure that it's that specific
> > user that gets axed.
> 
> And he is right (as usual!). 

That's putting a whole lot of faith in my SWAGs... :)

> On Tue, 04 Mar 2008, Kapil Hari Paranjape wrote:
> > Then to revoke a key you only need to do:
> > 	grep -v 'unique-id' .ssh/authorized_keys > .ssh/authorized_keys.new
> 
> So that should be:
> 
>  	grep -v ' unique-id$' .ssh/authorized_keys > .ssh/authorized_keys.new
> 
> so that you only find the unique-id at the end of the line (just in
> case the unique-id was not unique enough not to appear inside the
> earlier fields!).

The nice part of that 'sed -i' command is that it actually modifies the file 'in-place' - there's no need to redirect or move anything.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *



Thomas Bonham [thomasbonham at bonhamlinux.org]


Tue, 4 Mar 2008 23:38:05 -0700

Thank you everyone for your help. I'm currently writing two versions, one in C and another in Perl. I will share them both when I get them done.

Thanks, Thomas

