Re: sending authorized_keys to localhost from an account being created with adduser --disabled-password [was] Re: Need a tutorial
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, Sep 23, 2016 at 04:41:00PM +0000, Stephan Beck wrote:
> Thank you very much, Tomás.
glad to help.
[...]
> But once my user's (in your terminology, steph's) public key is in the
> test account's authorized_keys file, user steph can login without
> superpowers, by presenting the private part of the key (well ssh-agent
> does it, if I understand things correctly), can't I?
That's how it's supposed to work (strictly speaking it doesn't present
the private part of the key, but just a *proof* that it is in control
of said private part, which the host account (test) can check).
The ssh-agent is just in charge of keeping unlocked private keys around
so that you only have to unlock them with your passphrase once per
session.
> My great mistake was to think that localhost, although being on the same
> machine, acts as a somewhat separated server and for that reason the
> public keys of all users have to be deposited physically, in a sort of
> directory structure within localhost (not in the user's directory), as it
> is the case on a remote server. But, as Greg made very clear, I'm
> already on the same machine. That was the conceptual mistake I made.
Exactly: the authorized_keys is a per-account thing, meaning "whoever
has the private key corresponding to *this* public key is allowed
to log in as me". Note that you can even restrict what commands are
allowed for each private key -- a "backup" user would only be allowed
to invoke a specific backup script at login, for example.
> > (the chown just in case authorized_keys didn't exist before).
[...]
> > - creating the user's home directory from a prepared skeleton
> > already containing an "authorized_keys" as you need it
>
> Ah, that would be fine, but I guess, this time it has to be the hard
> way, by typing, without prepared skeletons.
And it would only make sense if you go "industrial", as in "every user
on this box shall allow the user "backup" to invoke the per-user
backup script" or some such. I haven't needed that. Just a copy (or
an ssh-copy-id, if at the beginning the password access is available).
Regards
- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlfmh/cACgkQBcgs9XrR2ka8lwCdEDbXPQ4Rhr24DmzstfbuzThD
LoIAn1BE33kb23NvEPuidLvc7NxAUnN5
=qpNT
-----END PGP SIGNATURE-----
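The procedure Tomás sketches (create ~/.ssh for the new account, drop the other user's public key into authorized_keys, fix ownership and permissions, optionally pin a key to a single command) as a small POSIX shell helper. This is an added example, not code from the thread or from OpenSSH; the home paths, the user names "steph", "test" and "backup", and the /usr/local/bin/backup.sh script in the usage comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): install one public key into a
# target account's ~/.ssh/authorized_keys, the way the message describes.
# The optional 3rd argument is an authorized_keys option string such as
#   'command="/usr/local/bin/backup.sh",restrict'
# which limits what the holder of that private key may do after logging in.

# install_authorized_key HOME_DIR PUBKEY_FILE [OPTIONS] [OWNER]
install_authorized_key() {
    home=$1
    pubkey_file=$2
    options=$3
    owner=$4
    sshdir="$home/.ssh"
    akf="$sshdir/authorized_keys"

    # A .pub file is "<type> <base64 blob> [comment]"; the blob identifies the key.
    keytype=$(awk 'NR==1 {print $1}' "$pubkey_file")
    keyblob=$(awk 'NR==1 {print $2}' "$pubkey_file")
    comment=$(awk 'NR==1 {print $3}' "$pubkey_file")
    case "$keytype" in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "install_authorized_key: $pubkey_file is not an OpenSSH public key" >&2
           return 1 ;;
    esac
    if [ -z "$keyblob" ]; then
        echo "install_authorized_key: $pubkey_file has no key material" >&2
        return 1
    fi

    # sshd (StrictModes yes, the default) ignores keys in a group- or
    # world-writable .ssh or authorized_keys, so create both tight from the start.
    old_umask=$(umask)
    umask 077
    mkdir -p "$sshdir"
    [ -f "$akf" ] || : > "$akf"
    umask "$old_umask"

    # Idempotent: the same key blob is never appended twice, whatever its comment
    # or options (exact field match, so no regex metacharacters from base64).
    if awk -v b="$keyblob" '{for (i = 1; i <= NF; i++) if ($i == b) f = 1} END {exit !f}' "$akf"; then
        return 0
    fi
    printf '%s%s %s%s\n' "${options:+$options }" "$keytype" "$keyblob" "${comment:+ $comment}" >> "$akf"

    chmod 700 "$sshdir"
    chmod 600 "$akf"
    # The "chown just in case": only root can hand the files to the target
    # account; a user installing into their own home already owns them.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$sshdir"
    fi
}

# count_authorized_keys HOME_DIR: number of key lines currently installed.
count_authorized_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Usage as root, after "adduser --disabled-password test" (the scenario in
# the thread; paths and names are assumptions):
#   install_authorized_key /home/test /home/steph/.ssh/id_ed25519.pub "" test
#   # then, as steph:  ssh test@localhost
# A "backup" key that may only run one script in steph's account
# ("restrict" needs OpenSSH 7.2 or newer):
#   install_authorized_key /home/steph /root/backup_key.pub \
#       'command="/usr/local/bin/backup.sh",restrict' steph
```

The `restrict` option switches off port and agent forwarding, PTY allocation and X11 forwarding in one word, so a key pinned with `command=` really can do nothing but run that script; without it, a `command=` key can still be used as a forwarding hop.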