-1

Say, I have a server (CentOS 7) where currently I'm the only user, and have SSH key based authentication set up, it works perfectly. But what if I want to add more users (not many, say, 5 more) to the server and want to disable password-based authentication and enable key-based auth. for them, too?

Can I generate the key-pairs for them or they have to do it for themselves? If the former, how? I'm only familiar with generating the keys for myself.

Many thanks for all ideas!

1 Answer

4

Of course you can generate the keys for the users and give them the private keys - after all, OpenSSH doesn't know who actually generated the keys.

Technically, there is no difference at all between generating a key for yourself and generating it for another person - you just generate a pair of key files, add the public one to the user's `~/.ssh/authorized_keys` file and that's it.

```
ssh-keygen -f <username>
```

will generate a pair of files named <username> and <username>.pub with the private and public key.

However, doing all this beats the purpose of key-based auth as you are now also in possession of the users' private keys, which should never happen.

Sven
  • Thank you, this was really helpful! So after all the users should generate the keys for themselves, keeping the public keys in their respective home (and .ssh) folders? –  Apr 16 '17 at 13:14
  • For key based auth to work, a copy of the key must be saved in the file ~/.ssh/authorized_keys - just storing it in the home directory is not sufficient. – Sven Apr 16 '17 at 13:16
  • That's what I thought (I've been using key-based auth for years but have no experience in making it work for other users but me). So how would this work? They have the keys generated, keeping it in the right folder. Can they use 'ssh-copy-id' or I'd have to do it for them as the root user? –  Apr 16 '17 at 13:22
  • If you completely disallow password-based login, you need to do this as root, as `ssh-copy-id` won't work with a password. If you allow both key-based and password-based login, users can use `ssh-copy-id` or similar methods. – Sven Apr 16 '17 at 13:24
  • One last question, if I may: when they're done with generating the key pairs, should they use 'ssh-copy-id' to copy the key to their own '~/.ssh/authorized_keys' file or to one central file that handles all that? –  Apr 16 '17 at 13:35
  • 1
    It needs to be `~/.ssh/authorized_keys` for the respective user. – Sven Apr 16 '17 at 14:49
  • How about for a single user account on the remote server, that multiple users want to SSH into remotely? Say two more developers want to SSH into the server and they need to use their own public/private keys? Will that work if they generate their own pairs and I add each developer's public key into `~/.ssh/authorized_keys`? – Web User Feb 22 '18 at 19:28
  • 1
    @WebUser: Yes, this should work. – Sven Feb 22 '18 at 19:49
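
The workflow the thread converges on (each user generates their own pair, hands over only the `.pub` file, and root appends it to that user's `~/.ssh/authorized_keys`) as an added shell example that is not part of the original answer or comments. The function name `install_pubkey` and its arguments are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Run as root, once per user.
# install_pubkey HOME_DIR PUBKEY_FILE [OWNER]   (all three are caller-supplied)
install_pubkey() {
    home=$1; pub=$2; owner=${3:-}
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys

    [ -r "$pub" ] || { echo "$pub: not readable" >&2; return 1; }
    # The admin should only ever receive the public half.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub: contains private key material, refusing" >&2
        return 1
    fi
    # Expect exactly one non-empty line: "<type> <base64 blob> [comment]".
    [ "$(grep -c . "$pub")" -eq 1 ] || { echo "$pub: expected one key" >&2; return 1; }
    line=$(grep . "$pub")
    case $line in
        ssh-ed25519\ AAAA*|ssh-rsa\ AAAA*|ecdsa-sha2-nistp*\ AAAA*) ;;
        *) echo "$pub: not a public key line" >&2; return 1 ;;
    esac

    # sshd's StrictModes rejects keys kept in group/world-writable places.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    # Idempotent: append only when this exact line is missing.
    grep -qxF "$line" "$auth" || printf '%s\n' "$line" >> "$auth"

    if [ -n "$owner" ]; then
        chown -R "$owner" "$ssh_dir"
        # On SELinux-enabled CentOS 7, restore the expected file labels.
        if command -v restorecon >/dev/null 2>&1; then restorecon -R "$ssh_dir"; fi
    fi
    return 0
}
```

A call would look like `install_pubkey /home/alice /root/incoming/alice.pub alice` (hypothetical user and path). Running `ssh-keygen -l -f` on the received file prints its fingerprint, which can be confirmed with the user before installing.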