Thomas Bonham [thomasbonham at bonhamlinux.org]
Anyone know of a way to have multiple ssh authorized_keys files for host key authentication for different users? I am familiar with the usual practice of echoing all of the users' keys into the authorized_keys file, but I am thinking in terms of if I have to revoke keys and disable user access. What I would like to do is have a setup similar to apache in that it can have files included in the conf directory. This way I have a user name or identifying indicator of whose key is whose, so I can revoke access as the necessity arises.
Thank you for all of your help.
Thomas
Ben Okopnik [ben at linuxgazette.net]
On Mon, Mar 03, 2008 at 05:33:30PM -0700, Thomas Bonham wrote:
> Anyone know of a way to have multiple ssh authorized_keys files for
> host key authentication for different users. I am familiar with the
> usual practice of echoing all of the users keys into authorized_keys
> file but I am thinking in terms of if I have to revoke keys and
> disable user access.
If that's the only thing you're missing, that seems like it would be a simple fix:
sed -i '/ user@host$/d' ~/.ssh/authorized_keys
The space and the '$' on the end simply ensure that it's that specific user that gets axed.
> What I would like to do is have a setup similar
> to apache in that it can have files included in the conf directory. So
> this way I have a user name or identifying indicator of whose key is
> whose so I can revoke access as the necessity arises.
I don't know of any method that's internal to SSH, but you could certainly set up an external resource that pairs the added keys with any identifying info you want, then allows you to manipulate them by that info. Conversely, you could use a config file - e.g., something similar to the Apache "include" format - that you would "compile" with some sort of a script to produce an ~/.ssh/authorized_keys instead of editing it directly.
Either approach would take a little coding, but - that's left as an exercise for the individual student.
-- * Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
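The "compile it from include files" approach suggested above, written out as an added example (this is my own illustration, not code from Ben or from the Linux Gazette). It assumes a directory of per-identity public-key files named `<identifier>.pub`, each holding a plain `type key [comment]` line as produced by `ssh-keygen` (no options field), and rewrites the comment to the file's identifier so that every line in the compiled authorized_keys ends with the name you revoke by. The key blobs in the demonstration are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: assemble authorized_keys from a directory of per-identity
# key files, the "Apache include" idea from the thread. Layout (assumed):
#   $KEYS_DIR/<identifier>.pub   one "type key [comment]" line per file
# Revoking an identity is deleting its file and recompiling. The key blobs
# used below are constructed placeholders, not real public keys.
set -eu

# Write one key file whose name is the identifier (constructed data).
add_key() {             # add_key <keys_dir> <identifier> <type> <key-blob>
    printf '%s %s %s@laptop\n' "$3" "$4" "$2" > "$1/$2.pub"
}

# Revoke: remove the identity's file; the compiled file changes on recompile.
revoke_key() {          # revoke_key <keys_dir> <identifier>
    rm -f "$1/$2.pub"
}

# Build the authorized_keys file. For each <id>.pub keep only the type and
# key fields and replace whatever comment the file carried with <id>, so the
# identifier is always the last field. The output goes to a temporary file
# that is moved into place, so sshd never reads a half-written file.
compile_authorized_keys() {   # compile_authorized_keys <keys_dir> <output_file>
    dir=$1; out=$2
    tmp=$(mktemp "$out.XXXXXX")
    for f in "$dir"/*.pub; do
        [ -e "$f" ] || continue                 # directory may be empty
        id=$(basename "$f" .pub)
        # skip comment lines and malformed lines; assumes no options field
        awk -v id="$id" '$1 !~ /^#/ && NF >= 2 { print $1, $2, id }' "$f"
    done > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$out"
}

# Number of lines in a compiled file whose last field is exactly <identifier>
# (an exact field comparison, so no regex metacharacter issues).
keys_for() {            # keys_for <authorized_keys> <identifier>
    awk -v id="$2" '$NF == id' "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration in a scratch directory.
demo_dir=$(mktemp -d)
add_key "$demo_dir" alice ssh-ed25519 AAAA_PLACEHOLDER_ALICE
add_key "$demo_dir" bob   ssh-rsa     AAAA_PLACEHOLDER_BOB
compile_authorized_keys "$demo_dir" "$demo_dir/authorized_keys"
echo "--- compiled:";        cat "$demo_dir/authorized_keys"
revoke_key "$demo_dir" bob
compile_authorized_keys "$demo_dir" "$demo_dir/authorized_keys"
echo "--- after revoking bob:"; cat "$demo_dir/authorized_keys"
rm -rf "$demo_dir"
```

Pointing `AuthorizedKeysFile` at the compiled output is not required; the script simply writes the file sshd already reads. The point of the temporary-file-plus-`mv` step is that the replacement is atomic, so a login attempt that lands between two steps sees either the old or the new file, never an empty one.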
Kapil Hari Paranjape [kapil at imsc.res.in]
Hello,
On Mon, 03 Mar 2008, Thomas Bonham wrote:
> Anyone know of a way to have multiple ssh authorized_keys files for
> host key authentication for different users.
As far as I can make out from "man sshd_config" this is not an option.
> this way I have a user name or identifying indicator of whose key is
> whose so I can revoke access as the necessity arises.
Note that the general entry for the authorized keys file looks like:
options type key comment

The options are optional(!). The type is ssh-rsa or ssh-dsa (usually). The key is, well, the public-key. The comment is entirely up to you.
What I would do is give a comment which would tag the key. So you could put some unique identifier for the user as a comment. Then to revoke a key you only need to do:
grep -v 'unique-id' .ssh/authorized_keys > .ssh/authorized_keys.new
mv .ssh/authorized_keys .ssh/authorized_keys.old
mv .ssh/authorized_keys.new .ssh/authorized_keys
Regards,
Kapil.
--
Kapil Hari Paranjape [kapil at imsc.res.in]
Hello,
On Mon, 03 Mar 2008, Ben Okopnik wrote:
> The space and the '$' on the end simply ensure that it's that specific
> user that gets axed.
And he is right (as usual!).
On Tue, 04 Mar 2008, Kapil Hari Paranjape wrote:
> Then to revoke a key you only need to do:
> grep -v 'unique-id' .ssh/authorized_keys > .ssh/authorized_keys.new
So that should be:
grep -v ' unique-id$' .ssh/authorized_keys > .ssh/authorized_keys.new
so that you only find the unique-id at the end of the line (just in case the unique-id was not unique enough not to appear inside the earlier fields!).
Regards,
Kapil.
--
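The anchored-comment revocation from the two messages above, carried through as an added example (my own illustration, not code from Kapil or Ben). It uses the same `grep -v ' id$'` shape and the same `.new`/`.old` dance, and adds two things a practitioner runs into: regex metacharacters in an identifier such as `a.b@example.org` are escaped so they match literally, and the case where the last remaining key is revoked (grep prints nothing and exits 1) is tolerated rather than treated as a failure. The sample authorized_keys is constructed so that `bob` also appears inside another line's key blob and `bobby` is a separate identifier, which is exactly the situation the anchoring protects against. The key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example: revoke a key by the identifier kept in its comment field,
# matching it only as the whole last field of the line. The key blobs are
# constructed placeholders, not real public keys.
set -eu

# Constructed authorized_keys: "bob" occurs inside carol's key blob and
# "bobby" is a different identifier; an unanchored 'grep -v bob' would
# remove both of those lines along with bob's.
write_sample_authorized_keys() {   # write_sample_authorized_keys <path>
    cat > "$1" <<'EOF'
ssh-ed25519 AAAA_PLACEHOLDER_ALICE alice
ssh-rsa AAAA_PLACEHOLDER_BOB bob
ssh-ed25519 AAAA_PLACEHOLDER_bob_CAROL carol
ssh-rsa AAAA_PLACEHOLDER_BOBBY bobby
EOF
    chmod 600 "$1"
}

# Escape the characters that are special in a basic regular expression so an
# identifier like "a.b@example.org" is matched literally, not as a pattern.
escape_re() { printf '%s' "$1" | sed 's/[].*^$[]/\\&/g'; }

# Space-separated list of the identifiers (last field) currently in the file.
identifiers() {         # identifiers <authorized_keys>
    awk '{ ids = ids (NR > 1 ? " " : "") $NF } END { print ids }' "$1"
}

# Remove the line(s) whose comment is exactly <identifier>: the leading space
# and the trailing $ anchor the match to the final field. Writes to .new,
# keeps a .old copy and moves the new file into place, as in the thread.
revoke_by_comment() {   # revoke_by_comment <authorized_keys> <identifier>
    file=$1; id=$(escape_re "$2")
    # grep -v exits 1 when no line is left to print (last key revoked); that
    # is fine here, so tolerate status 1 but let status 2 (a real error) abort.
    grep -v " $id\$" "$file" > "$file.new" || [ $? -eq 1 ]
    cp -p "$file" "$file.old"
    mv "$file.new" "$file"
    chmod 600 "$file"
}

# Stand-alone demonstration in a scratch directory.
demo=$(mktemp -d)
write_sample_authorized_keys "$demo/authorized_keys"
echo "before: $(identifiers "$demo/authorized_keys")"
revoke_by_comment "$demo/authorized_keys" bob
echo "after:  $(identifiers "$demo/authorized_keys")"
rm -rf "$demo"
```

The demonstration prints `alice bob carol bobby` before and `alice carol bobby` after: carol's key, whose blob contains the string `bob`, and bobby's key both survive because only a final field that is exactly `bob` matches ` bob$`.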
Ben Okopnik [ben at linuxgazette.net]
On Tue, Mar 04, 2008 at 09:05:41AM +0530, Kapil Hari Paranjape wrote:
> Hello,
>
> On Mon, 03 Mar 2008, Ben Okopnik wrote:
> > The space and the '$' on the end simply ensure that it's that specific
> > user that gets axed.
>
> And he is right (as usual!).
That's putting a whole lot of faith in my SWAGs...
> On Tue, 04 Mar 2008, Kapil Hari Paranjape wrote:
> > Then to revoke a key you only need to do:
> > grep -v 'unique-id' .ssh/authorized_keys > .ssh/authorized_keys.new
>
> So that should be:
>
> grep -v ' unique-id$' .ssh/authorized_keys > .ssh/authorized_keys.new
>
> so that you only find the unique-id at the end of the line (just in
> case the unique-id was not unique enough not to appear inside the
> earlier fields!).
The nice part of that 'sed -i' command is that it actually modifies the file 'in-place' - there's no need to redirect or move anything.
-- * Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
Thomas Bonham [thomasbonham at bonhamlinux.org]
Thank you everyone for your help. I'm currently writing two versions, one in C and another in Perl. I will share them both when I get them done.
Thanks, Thomas