Difference between revisions of "InfoInfo - ssh"

From PeformIQ Upgrade
Jump to navigation Jump to search
(New page: = Set up user accounts quickly and securely = == Vincent Danen, TechRepublic == When you need to set up a user account to give a user shell access to the system, the only logical choice o...)
 
 
Line 53: Line 53:
private key and can access Sudo or whatever else may require an actual
private key and can access Sudo or whatever else may require an actual
system password for authentication.
system password for authentication.
[[category:OpenSSL]]
[[Category:Network]]

Latest revision as of 16:23, 4 February 2009

Set up user accounts quickly and securely

Vincent Danen, TechRepublic

When you need to set up a user account to give a user shell access to the system, the only logical choice of login tool is OpenSSH. With SSH keys, all you need from the user is his SSH public key, and all he needs from you is the IP address or hostname with which to log in. Usually, this is sufficient.

In some cases, the user may need to know what his own password is. If he needs to use Sudo, he will need to authenticate with a password. Ideally, this information would be given via phone or encrypted e-mail, but more often than not, the password itself is handed out via plain-text e-mail.

The ideal situation would be to create the user account, obtain the user's public SSH key (which can be sent unencrypted as it does an attacker no good in and of itself), and generate a random password for the user to change once he logs into the system. This is all easily accomplished.

For the user, this is very easy. To create the private/public keypair, simply execute:

$ ssh-keygen -t dsa

You would then have him send the ~/.ssh/id_dsa.pub file. Server-side, things become more interesting, but certainly not difficult. First, you create the user account:

# useradd -c "Joe User" -s /bin/bash -m joe
# openssl rand -base64 6 | tee -a ~joe/.password | passwd -stdin joe

This will create the user joe, assign it a random password, and store the same password in ~joe/.password, where joe will be able to see it.

If you lock down accounts via /etc/ssh/sshd_config, remember to allow joe access to the system by adding:

AllowUsers joe

Also, ensure that PasswordAuthentication is set to no as well, to force all logins to use public keys.

Finally, be sure to copy the id_dsa.pub key to the user's home directory and give appropriate ownership and permissions:

# mkdir ~joe/.ssh
# chmod 700 ~joe/.ssh
# cp id_dsa.pub ~joe/.ssh/authorized_keys
# chmod 600 ~joe/.ssh/authorized_keys
# chown -R joe:joe ~joe/.ssh

And that's all there is to it. Now the user can log in using his SSH private key and can access Sudo or whatever else may require an actual system password for authentication.