
Re: sending authorized_keys to localhost from an account being created with adduser --disabled-password [was] Re: Need a tutorial




On Fri, Sep 23, 2016 at 04:41:00PM +0000, Stephan Beck wrote:
> Thank you very much, Tomás.

Glad to help.

[...]

> But once my user's (in your terminology, steph's) public key is in the
> test account's authorized_keys file, user steph can login without
> superpowers, by presenting the private part of the key (well ssh-agent
> does it, if I understand things correctly), can't I?

That's how it's supposed to work (strictly speaking it doesn't present
the private part of the key, but just a *proof* that it is in control
of said private part, which the host account (test) can check).

The ssh-agent is just in charge of keeping unlocked private keys around
so that you only have to unlock them with your passphrase once per
session.

> My great mistake was to think that localhost, although being on the same
> machine, acts as a somewhat separated server and for that reason the
> public keys of all users have to be deposited physically, in a sort of
> directory structure within localhost (not in the user's directory), as it
> is the case on a remote server. But, as Greg made very clear, I'm
> already on the same machine. That was the conceptual mistake I made.

Exactly: the authorized_keys is a per-account thing, meaning "whoever
has the private key corresponding to *this* public key is allowed
to log in as me". Note that you even can restrict what commands are
allowed for each private key -- a "backup" user would only be allowed
to invoke a specific backup script at login, for example.

> > (the chown just in case authorized_keys didn't exist before).

[...]

> >   - creating the user's home directory from a prepared skeleton
> >     already containing an "authorized_keys" as you need it
> 
> Ah, that would be fine, but I guess, this time it has to be the hard
> way, by typing, without prepared skeletons.

And it would only make sense if you go "industrial", as in "every user
on this box shall allow the user "backup" to invoke the per-user
backup script" or some such. I haven't needed that. Just a copy (or
an ssh-copy-id, if at the beginning the password access is available).

Regards
- -- t
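The per-key command restriction Tomás mentions, as an added example that is not part of the original thread: the authorized_keys line that pins one key to a single script, and the allow-list that script applies to whatever the client actually requested. The public key, the wrapper path /usr/local/bin/backup-wrapper and the subcommand names are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a forced-command entry for a
# "backup" key and the check the forced script performs.

# Constructed sample public key (not a real key; sshd never sees it here).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample0000000000000000000000000000000000 steph@laptop'

# Emit one authorized_keys line: sshd will run $1 no matter what the
# client asks for, and the no-* options switch off the channel types a
# backup job does not need (forwarding, agent access, a terminal).
restricted_authorized_keys_line() {
    # $1 = absolute path of the forced script, $2 = public key line
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# What the forced script does: sshd exports the client's original request
# in SSH_ORIGINAL_COMMAND. Only an explicit allow-list is honoured; a shell
# request (empty value) or anything else is refused with a non-zero exit.
backup_forced_command() {
    # $1 = value of SSH_ORIGINAL_COMMAND as sshd would set it
    case "$1" in
        'backup-home')
            echo "would run: tar -C \"\$HOME\" -cf - ."
            return 0 ;;
        'backup-home --verify')
            echo "would verify the last backup"
            return 0 ;;
        *)
            echo "rejected request: '$1'" >&2
            return 1 ;;
    esac
}

# Stand-alone demonstration: the line you would append to
# ~backup/.ssh/authorized_keys, then a permitted and a refused request.
restricted_authorized_keys_line /usr/local/bin/backup-wrapper "$SAMPLE_PUBKEY"
backup_forced_command 'backup-home'
backup_forced_command 'rm -rf /' || echo "exit status $? (as intended)"
```

In a real wrapper the echo lines become `exec tar ...`; the point is that the key holder can trigger only what the script allows, never an arbitrary command.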

