PeterHarding at 05:23, 4 February 2009

2009-02-04T05:23:06Z

← Older revision		Revision as of 15:23, 4 February 2009
Line 53:		Line 53:
	private key and can access Sudo or whatever else may require an actual		private key and can access Sudo or whatever else may require an actual
	system password for authentication.		system password for authentication.

			[[category:OpenSSL]]
			[[Category:Network]]

PeterHarding: New page: = Set up user accounts quickly and securely = == Vincent Danen, TechRepublic == When you need to set up a user account to give a user shell access to the system, the only logical choice o...

2007-12-12T02:33:07Z

New page: = Set up user accounts quickly and securely = == Vincent Danen, TechRepublic == When you need to set up a user account to give a user shell access to the system, the only logical choice o...

New page

= Set up user accounts quickly and securely =
== Vincent Danen, TechRepublic ==

When you need to set up a user account to give a user shell access to the
system, the only logical choice of login tool is OpenSSH. With SSH keys,
all you need from the user is his SSH public key, and all he needs from
you is the IP address or hostname with which to log in. Usually, this is
sufficient.

In some cases, the user may need to know what his own password is. If he
needs to use Sudo, he will need to authenticate with a password. Ideally,
this information would be given via phone or encrypted e-mail, but more
often than not, the password itself is handed out via plain-text e-mail.

The ideal situation would be to create the user account, obtain the user's
public SSH key (which can be sent unencrypted as it does an attacker no
good in and of itself), and generate a random password for the user to
change once he logs into the system. This is all easily accomplished.

For the user, this is very easy. To create the private/public keypair,
simply execute:

$ ssh-keygen -t dsa

You would then have him send the ~/.ssh/id_dsa.pub file. Server-side,
things become more interesting, but certainly not difficult. First, you
create the user account:

# useradd -c "Joe User" -s /bin/bash -m joe
# openssl rand -base64 6 | tee -a ~joe/.password | passwd -stdin joe

This will create the user joe, assign it a random password, and store the
same password in ~joe/.password, where joe will be able to see it.

If you lock down accounts via /etc/ssh/sshd_config, remember to allow joe
access to the system by adding:

AllowUsers joe

Also, ensure that PasswordAuthentication is set to no as well, to force
all logins to use public keys.

Finally, be sure to copy the id_dsa.pub key to the user's home directory
and give appropriate ownership and permissions:

# mkdir ~joe/.ssh
# chmod 700 ~joe/.ssh
# cp id_dsa.pub ~joe/.ssh/authorized_keys
# chmod 600 ~joe/.ssh/authorized_keys
# chown -R joe:joe ~joe/.ssh

And that's all there is to it. Now the user can log in using his SSH
private key and can access Sudo or whatever else may require an actual
system password for authentication.

InfoInfo - ssh - Revision history

PeterHarding at 05:23, 4 February 2009

PeterHarding: New page: = Set up user accounts quickly and securely = == Vincent Danen, TechRepublic == When you need to set up a user account to give a user shell access to the system, the only logical choice o...