System-wide authorized_keys

Question

SSH auth by RSA-key: ~/.ssh/authorized_keys. Okay.

Is there a way to set a system-wide authorized key so I can login to any account, including the newly created ones?

The reason: i've got a server and am the only admin. User accounts are used to isolate web-sites from each other just in case any of them is hacked.

I use SFTP and create new accounts often, thus, i'm tired of copying ~/.ssh/authorized_keys :)

score 7 · Accepted Answer · answered Nov 11 '11 at 20:48

7

To login to ANY account?

As an administrator, it should be sufficient for you to login as yourself, and then sudo to the account, but ONLY if necessary.

This approach is a serious security issue, as if that single key that you have for all accounts is stolen, then your system is fully compromised.

I feel there are ethical considerations as you are not identifying yourself in any way that you are acting for the owner. Files might be personal. If one is not all that ethical, one could send emails as the account owner and it would not be traceable.

answered Nov 11 '11 at 20:48

mdpc

11,856
28
53
67

1

+1, There is no reason you need to do this, log on as yourself and sudo su to another user. This causes all sorts of problems for auditing logs. – Pratik Amin Nov 11 '11 at 21:03
Added "the reason" to the question. However, +1 in general case – kolypto Nov 11 '11 at 21:11
Okay, then, how to SFTP-acess every account? `cp`? – kolypto Nov 12 '11 at 00:04

score 4 · Answer 2 · answered Dec 10 '21 at 07:08

Yes this is a generally bad idea to do because of security or ethical or organizational reasons but it is quite do-able by only modifying configuration files. The sshd_config(5) manpage has this to say about the AuthorizedKeysFile option:

 AuthorizedKeysFile
         Specifies the file that contains the public keys used for user
         authentication.  The format is described in the AUTHORIZED_KEYS
         FILE FORMAT section of sshd(8).  Arguments to AuthorizedKeysFile
         accept the tokens described in the TOKENS section.  After expan‐
         sion, AuthorizedKeysFile is taken to be an absolute path or one
         relative to the user's home directory.  Multiple files may be
         listed, separated by whitespace.  Alternately this option may be
         set to none to skip checking for user keys in files.  The default
         is ".ssh/authorized_keys .ssh/authorized_keys2".

So all you have to do is set a line like this at the bottom of your /etc/ssh/sshd_config:

AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /usr/local/etc/universal_authorized_keys

And then populate the /usr/local/etc/universal_authorized_keys file with your personal SSH key(s) either manually or through some configuration management. You will have to restart sshd, of course.

score 4 · Answer 3 · edited Nov 12 '11 at 02:04

4

On most Linux systems, the /etc/skel directory is used to populate the home directory of any new account. If you add a .ssh directory with your authorized_keys file to /etc/skel then you will be able to login to any new account.

For existing accounts, you can write a script to add your key to all of the authorized_keys files on the system.

edited Nov 12 '11 at 02:04

quanta

51,413
19
159
217

answered Nov 11 '11 at 20:33

amcnabb

647
5
12

1

The critical failure points here are that (a) one day you may need to change the "system-wide" key, and (b) there's no way to stop users from simply removing it. Trying to manage this sets you up for an administrative nightmare... – voretaq7 Nov 11 '11 at 22:20
use symlinks or hard links if you are on the same partition... – Philippe Gachoud Jul 02 '20 at 11:15

System-wide authorized_keys

3 Answers3