
Re: sending authorized_keys to localhost from an account being created with adduser --disabled-password [was] Re: Need a tutorial



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Sep 23, 2016 at 12:31:00PM +0000, Stephan Beck wrote:
> Hi
> 
> tomas@tuxteam.de:
> > On Thu, Sep 22, 2016 at 03:35:00PM +0000, Stephan Beck wrote:
> > 
> > 
> >> tomas@tuxteam.de:
> > 
> > [mumble]
> > 
> >>> This is the bird's view. Ask if you get stuck.
> > 
> > 
> >> Sorry, Tomas, it's not Gene, it's me who has a special question
> > 
> > No need to be sorry :-)
> 
> Fine! :-)
> > 
> > But I see you found a solution and other chimed in with sage advice.
> > 
> 
> Well, I have another one :-), a question, not a solution yet.
> 
> 
> I have created a new user account with
> adduser --disabled-password
> What do I want to do?
> I'd like to login to this account "test" from my normal user account by
> ssh via pubkey authentication. My (normal) user account has its keys
> generated and properly deposited on localhost. I logged into the account
> "test" via su - test, creating a keypair. Fine.

Hang on: your new account (test) doesn't need a keypair. It's your regular
account which needs one (and has one already). You want to log in *from*
your regular account (let's call it "steph" for now) *to* test, right?

Then it's *steph* who has to have a keypair and *test* who has to have
*steph*'s public key included in its ~/.ssh/authorized_keys:


     *steph*             *test*
     .ssh/                 .ssh/
       id_rsa                authorized_keys
       id_rsa.pub              ^
           \                   |
            ------ add -------´


The background is that now *steph* can prove to *test* that he has the
right secret key (without disclosing it).

> How do I get this public key onto localhost?
> I mean, I can create an authorized_keys file manually, copying the
> public key into this authorized_keys file, but it's still in the user's
> directory where it has been generated, it needs to be sent (or get
> somehow) to localhost.
> 
> I have tried:
> test@mymachine cat .ssh/id_rsa.pub | ssh localhost 'cat >>
> .ssh/authorized_keys'

You cannot log into test without superpowers, but you have to modify its
~/.ssh/authorized_keys. That means you *need* superpowers. For example

  sudo -s                     # or similar: become root, since only root may write into test's home
  cat ~steph/.ssh/id_rsa.pub >> ~test/.ssh/authorized_keys   # append steph's public key to test's list
  chown test:test ~test/.ssh/authorized_keys                 # make sure test owns the file
  exit

(the chown just in case authorized_keys didn't exist before).

> But it's asking me a password. There is none.
> If I disable Password Authentication in sshd_config, and then try to
> send it to localhost, it fails with something like "denied access
> publickey required". No mystery at all, because this very public key is
> being sent to localhost in this very moment and can't be used in the
> same act for authentication purposes.
> 
> I've been reading a bunch of related docs in the man pages, debian wiki,
> in the exquisite and very readable Debian Administrator's Handbook by
> Raphael Mas and Raphaël Hertzog, and other linux ssh documentation. I
> can't find my specific use case and I'm stuck.

Either you give this new user a password (temporarily) or you have to
be able to write to its .ssh directory by other means. One of those
means is by becoming root (as sketched above). There are others, like

  - adding yourself to this new user's group and making sure
    its ~/.ssh/authorized_keys is group writable (feels somewhat
    uncomfortable, though)

  - creating the user's home directory from a prepared skeleton
    already containing an "authorized_keys" as you need it

But all those methods need you being root at the machine where
*test* is created. You have to be root to create *test* in the
first place, though! So the proposed method above seems the
least intrusive to me.

Regards
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlflK5QACgkQBcgs9XrR2kb0AACeO1pPTe9vm31zAzvWVhNdH/Wb
EqUAn1Ftz5STEPa2JHhXScrq7nrYbpPa
=cIRd
-----END PGP SIGNATURE-----
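The root-side procedure tomás sketches (append the public key, fix ownership) as a reusable shell function. This is an added example, not code from the mail or from Debian's tooling; it goes a little beyond the three-line recipe by creating ~/.ssh if it is missing, setting the 0700/0600 modes that sshd's StrictModes check requires, and skipping the append when the identical key line is already present. The function name install_authorized_key, the count_keys helper and the sample key line are assumptions constructed for this example; the target home directory and account name are passed in by the caller, who is expected to be root (exactly as the mail explains) except in the scratch-directory demo.

```shell
#!/bin/sh
# Added example (not from the original mail): install one public key into a
# target account's ~/.ssh/authorized_keys from the root side, with the
# ownership and permission bits sshd expects. Assumes the caller may write
# into the target home (root), as the mail recommends.
set -eu

# install_authorized_key HOME_DIR OWNER PUBKEY_LINE
#   HOME_DIR     target account's home directory (e.g. ~test)
#   OWNER        account name used for chown when running as root
#   PUBKEY_LINE  one line from the source account's id_rsa.pub
# Creates ~/.ssh (0700) and authorized_keys (0600) if missing, appends the
# key only if that exact line is not already present, and fixes ownership.
install_authorized_key() {
    home_dir=$1
    owner=$2
    pubkey=$3
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # -F -x: fixed-string, whole-line match, so an otherwise identical key
    # with a different comment field still counts as a different entry.
    if ! grep -Fxq -- "$pubkey" "$auth_file"; then
        printf '%s\n' "$pubkey" >> "$auth_file"
    fi

    # Only root can chown; when run unprivileged (e.g. the scratch demo
    # below) the files already belong to the caller and nothing is needed.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$(id -gn "$owner")" "$ssh_dir"
    fi
}

# count_keys FILE: number of "ssh-*" key lines present (used to verify that
# repeated installs do not duplicate entries).
count_keys() {
    grep -c -- '^ssh-' "$1" || true
}

# Demo in a throw-away directory; run as "./install_key.sh --demo".
# The key line is a constructed placeholder, not a real key.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    sample_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyData steph@mymachine'
    install_authorized_key "$scratch/test" "$(id -un)" "$sample_key"
    install_authorized_key "$scratch/test" "$(id -un)" "$sample_key"
    echo "keys installed: $(count_keys "$scratch/test/.ssh/authorized_keys")"
    ls -ld "$scratch/test/.ssh" "$scratch/test/.ssh/authorized_keys"
    rm -rf "$scratch"
fi
```

For the real case in the thread, root would run it as `install_authorized_key ~test test "$(cat ~steph/.ssh/id_rsa.pub)"`. The mode fixes matter in practice: with the default `StrictModes yes`, sshd silently ignores an authorized_keys file (or .ssh directory) that is writable by group or others, which produces exactly the "publickey required" rejection quoted in the mail even though the key is in the file.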