quickreference:ssh [2025/01/05 01:22] rodolico → quickreference:ssh [2025/01/05 01:45] (current) rodolico

 </code>
  
==== Discussion ====
  
  * Permissions should be fairly strict, though it is not as strictly enforced as some aspects of the ssh system.

  * The example of having one file per client/department/whatever is just organizational. You could easily have all of your entries in one file, or break it down by function. It all depends on your needs.
  
===== Shared authorized_keys file =====

Similar and complementary to the shared configuration above is the ability to have the same authorized_keys file available across multiple machines. This is especially useful in clusters of servers, where every member of the cluster needs to accept the same basic set of public keys for password-less logins.

Again, share a single file across all machines containing the public keys that are allowed to access every machine in the cluster. It does **not** hurt for this file to contain the public key of the machine it is being read on, so nothing needs to be done to keep a machine's own key out of its copy.

An NFS mount is likely the best way to set this up. I'm going to assume it is mounted at /srv/common_config, with a subdirectory of ssh.

Add or replace the AuthorizedKeysFile directive in /etc/ssh/sshd_config. On systems whose sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf (recent Debian and Ubuntu releases), you can instead drop a file into /etc/ssh/sshd_config.d. Two things to keep in mind: sshd uses the **first** value it reads for any directive, so the Include line must come before any AuthorizedKeysFile line left in the main file (or that line must be removed), and setting AuthorizedKeysFile replaces the built-in default of .ssh/authorized_keys .ssh/authorized_keys2, so list the per-user file(s) you still want read alongside the shared one.
<code bash>
# Debian style
echo 'AuthorizedKeysFile .ssh/authorized_keys /srv/common_config/ssh/authorized_keys' >> \
   /etc/ssh/sshd_config.d/authorized_keys.conf
</code>

Reload the sshd daemon so the new directive takes effect.

==== Discussion ====
  * Permissions are very important here. With StrictModes (the default), sshd refuses an authorized_keys file unless the file and every directory above it are owned by root (or by the user logging in) and are not writable by group or others.
    * All files and directories must be owned by root.
    * Directories must be 755.
    * Files must be 644. A root-owned 600 file only works for root itself: sshd opens authorized_keys files with the uid of the user logging in, so the file must be readable by that user.
  * Because the shared path contains no %u token, the same file applies to every account on every machine: any key listed in it can log in as any user, root included if PermitRootLogin allows it. If that is not what you want, use a per-user path such as /srv/common_config/ssh/authorized_keys/%u instead.
  * If the NFS mount is not present when someone logs in, sshd simply finds no shared file and only the personal files are consulted.
  * Users may still have a personal .ssh/authorized_keys file.
  * Some systems are set for .ssh/authorized_keys2 as a second file. Since the directive replaces the default list, add it as a third entry in /etc/ssh/sshd_config.d/authorized_keys.conf if you still want it read.
  * This does **not** cover the known_hosts file, which is a client-side matter, so the initial connection to each host must still be made to accept its host key. The sshd_config documentation only mentions ssh_known_hosts in connection with HostbasedAuthentication; on the client side, GlobalKnownHostsFile in ssh_config can point at a shared file, which can be populated with ssh-keyscan.
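The permission rules in the Discussion above and the drop-in from the procedure before it, as an added shell example that is not part of this wiki page. It assumes GNU stat(1) on Linux and the page's example path /srv/common_config/ssh/authorized_keys; the function names check_authkeys_path and write_authkeys_dropin, the optional STOP argument and the sample key line are mine.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check a shared authorized_keys
# file the way sshd's StrictModes does, then write the Debian-style drop-in.
# Assumptions: GNU stat(1) (Linux); the path /srv/common_config/ssh/authorized_keys
# from the page; function names and the STOP argument are this example's own.

# check_authkeys_path FILE UID [STOP]
#   Mirrors sshd's StrictModes rule: FILE and every directory above it, up to
#   and including STOP (default /, which is what sshd walks for a path outside
#   the user's home), must be owned by root or by UID and must not be group- or
#   world-writable.  FILE must also be readable by UID's account, because sshd
#   opens it with the target user's uid: a root-owned 0600 file is rejected for
#   every account except root.  Group-readable files are treated as unreadable
#   here to keep the check simple.
check_authkeys_path() {
    file=$1; uid=$2; stop=${3:-/}
    [ -f "$file" ] || { echo "no such file: $file"; return 1; }

    fowner=$(stat -c '%u' "$file")
    fmode=$((0$(stat -c '%a' "$file")))      # leading 0 makes it octal
    if [ "$fowner" = "$uid" ]; then
        [ $((fmode & 0400)) -ne 0 ] || { echo "not readable by uid $uid: $file"; return 1; }
    else
        [ $((fmode & 0004)) -ne 0 ] || { echo "not readable by uid $uid: $file"; return 1; }
    fi

    p=$file
    while :; do
        owner=$(stat -c '%u' "$p")
        mode=$((0$(stat -c '%a' "$p")))
        [ "$owner" = 0 ] || [ "$owner" = "$uid" ] || { echo "bad owner $owner on $p"; return 1; }
        [ $((mode & 022)) -eq 0 ] || { echo "group/world writable: $p"; return 1; }
        [ "$p" = "$stop" ] && return 0
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# write_authkeys_dropin DROPIN SHARED
#   Write the sshd_config.d drop-in.  The default list (.ssh/authorized_keys and
#   .ssh/authorized_keys2) is kept explicitly because setting the directive
#   replaces it, and the shared file is appended as the third entry.  Remember
#   that sshd keeps the first value it parses, so the Include of sshd_config.d
#   must precede any AuthorizedKeysFile line in the main sshd_config.
write_authkeys_dropin() {
    dropin=$1; shared=$2
    printf 'AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 %s\n' \
        "$shared" > "$dropin"
}

# Typical use on a cluster member (paths are the page's assumptions):
#   check_authkeys_path /srv/common_config/ssh/authorized_keys "$(id -u deploy)"
#   write_authkeys_dropin /etc/ssh/sshd_config.d/authorized_keys.conf \
#       /srv/common_config/ssh/authorized_keys
```

Run the check for a real login account (not root) on every member after the NFS mount is in place; a failure message names the first path component sshd would reject. After writing the drop-in, sshd -t validates the syntax and sshd -T | grep -i authorizedkeysfile shows the value sshd will actually use, which catches a stray AuthorizedKeysFile line in the main file before you reload.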
 +
===== Links =====

  * https://www.ssh.com/academy/ssh/authorized-keys-openssh
quickreference/ssh.1736061765.txt.gz · Last modified: 2025/01/05 01:22 by rodolico