It appears that by default the location that SFTP uses to look for the users' keys for protocol version 1 is ~/.ssh/identity; and ~/.ssh/id_rsa or ~/.ssh/id_dsa for protocol version 2.
Is there a setting in /etc/ssh/sshd_config that can be configured to change this location for all users? Share a directory with all the keys or have one file with all keys?
Goal:
All users authenticate to SFTP using keys and are locked to the same shared home directory.
Quote:
It appears that by default the location that SFTP uses to look for the users' keys for protocol version 1 is ~/.ssh/identity; and ~/.ssh/id_rsa or ~/.ssh/id_dsa for protocol version 2. Is there a setting in /etc/ssh/sshd_config that can be configured to change this location for all users?
Read the man page on sshd_config, or the documentation on setting up openssh. The AuthorizedKeysFile directive is what you're looking for.
Quote:
Share a directory with all the keys or have one file with all keys?
Neither is a good idea for security purposes.
Quote:
Goal: All users authenticate to SFTP using keys and are locked to the same shared home directory.
Then why have separate users at all, if you want everyone to read/write to the same directory? Not much point in separate users, then. You can chroot sftp (there are how-to guides), but that typically jails users to their own home directories.
Read the "Question Guidelines" link in my posting signature. We're happy to help, but please do basic research first; and since you're using RHEL, have you contacted Red Hat support for guidance? You are PAYING FOR RHEL, RIGHT????
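As an added example (not from this thread or any of its posters), here is the AuthorizedKeysFile arrangement the reply points at, worked out on a scratch directory so it runs unprivileged: one public-key file per user under a root-owned directory, referenced from sshd_config with the %u token that sshd expands to the authenticating user's name. Each user keeps a separate key, revoking one user is deleting one file, and because only public keys are stored on the server, other users reading that directory learn nothing secret. The path /etc/ssh/authorized_keys, the user names and the key strings are constructed for the example.

```shell
#!/bin/sh
# Added example: a central, per-user authorized_keys directory for sshd.
# Assumed layout (not from the thread): /etc/ssh/authorized_keys/<user>
# Run it against a scratch directory; nothing here touches the real /etc.

# sshd_config lines that point sshd at the central directory. %u expands
# to the authenticating user's name, so pjones is checked against
# /etc/ssh/authorized_keys/pjones and nothing else.
render_authorized_keys_config() {
    keydir="$1"
    printf 'AuthorizedKeysFile %s/%%u\n' "$keydir"
    printf 'PubkeyAuthentication yes\n'
    printf 'PasswordAuthentication no\n'
}

# Install one user's public key as the file sshd will read for that user.
# 0644 is enough: public keys are not secret, but only root may write them.
install_user_key() {
    keydir="$1"; user="$2"; pubkey="$3"
    mkdir -p "$keydir"
    chmod 0755 "$keydir"
    printf '%s\n' "$pubkey" > "$keydir/$user"
    chmod 0644 "$keydir/$user"
}

# Revoking one user is deleting one file; every other user keeps working.
revoke_user_key() {
    rm -f "$1/$2"
}

# Audit: fail if the directory or any file in it is group/other writable,
# which would let one user plant a key for another account. Returns 0
# when clean, 1 otherwise. (On a real host also confirm root ownership;
# omitted because this example runs unprivileged.)
audit_keydir() {
    bad=$(find "$1" \( -perm -g+w -o -perm -o+w \) -print | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ]
}

# Number of users that currently have a key on file.
count_keys() {
    find "$1" -type f | wc -l | tr -d ' '
}
```

To apply this for real, run render_authorized_keys_config with /etc/ssh/authorized_keys, append the three lines to sshd_config, create the directory as root, then install one file per user; users never need write access to it, which is the point.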
Quote:
Read the man page on sshd_config, or the documentation on setting up openssh. The AuthorizedKeysFile directive is what you're looking for.
Quote:
Neither is a good idea for security purposes.
Quote:
Then why have separate users at all, if you want everyone to read/write to the same directory? Not much point in separate users, then. You can chroot sftp (there are how-to guides), but that typically jails users to their own home directories.
"For traceability of users' logins/actions while connected."
Quote:
Read the "Question Guidelines" link in my posting signature. We're happy to help, but please do basic research first; and since you're using RHEL, have you contacted Red Hat support for guidance? You are PAYING FOR RHEL, RIGHT????
"Currently using RHEL Ent 7 trial which has ended."
I will read the "Question Guidelines" link now.
Quote:
Then why have separate users at all, if you want everyone to read/write to the same directory? Not much point in separate users,
Having separate users using the same resources allows you to revoke access to individuals without disabling everyone else. However, if they all use the same ssh key as access credentials, you're right, it's completely pointless.
Quote:
You can chroot sftp (there are how-to guides), but that typically jails users to their own home directories.
I haven't seen any real clean implementations that allow strong logging. For example Red Hat EL7's rsyslog can't manage more than a small number of logging sockets, so you can't have one in each chroot, and have to pass logging traffic through some less secure method or put logs in files that are available inside the chroot.
Quote:
Having separate users using the same resources allows you to revoke access to individuals without disabling everyone else. However, if they all use the same ssh key as access credentials, you're right, it's completely pointless.
Quote:
I haven't seen any real clean implementations that allow strong logging. For example Red Hat EL7's rsyslog can't manage more than a small number of logging sockets, so you can't have one in each chroot, and have to pass logging traffic through some less secure method or put logs in files that are available inside the chroot.
I don't want them all to have the same ssh key. I want each user to continue to have a separate ssh key. I just want all of the keys in the same directory. Or, if it is possible, to continue to have all of the users' ssh keys in separate directories, but everyone have the same home directory. Does that make sense? At the end of the day, I want all users to log in using their ssh keys but everyone have the same home dir.
Quote:
I don't want them all to have the same ssh key. I want each user to continue to have a separate ssh key. I just want all of the keys in the same directory. Or, if it is possible, to continue to have all of the users' ssh keys in separate directories, but everyone have the same home directory. Does that make sense? At the end of the day, I want all users to log in using their ssh keys but everyone have the same home dir.
Again, you can put the keys anywhere you'd like, as per the directive given to you earlier. However, you are now going to add complexity to how someone connects, and your system is going to be harder to administer. Because if you have one 'home directory' for all of these users, the keys are going to have to have separate names. So id_rsa will have to be named uniquely for each user, like "pjones_id_rsa", etc. Then they will have to connect by specifying which key file, like "ssh user@server -i /home/dir/.ssh/pjones_id_rsa".
And you're STILL going to wind up with a security hole; because EVERY USER will have to have read access to the keyfile location. So what is to stop them from copying ALL OF THEM to their own system, and doing whatever they want with them?
Think about what you're doing, and about a better way of doing it. Create a directory somewhere, that is JUST for SFTP. Then create a symlink to that directory, in everyone's home directory, and chroot SFTP users to their own homes. Key management is easy, security is easy, and everyone can read/write to the one directory you're interested in.
Quote:
Originally Posted by hz36t5
"Currently using RHEL Ent 7 trial which has ended."
Then you need to PAY FOR RHEL, or stop where you are and load CentOS. Not paying for RHEL is an incredibly bad move if you're going into production, because you WILL NOT get patches/security updates/bugfixes, or anything else. Your system will get insecure and unstable, pretty quick. And you won't be able to load new software as easily, since you won't have access to online repositories. Pay for RHEL, or use CentOS.
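The chroot-plus-shared-directory layout suggested above, as an added example that is not part of the thread and is not taken from any distribution's how-to. Two points worth knowing before following the symlink advice: inside a ChrootDirectory, internal-sftp resolves a symlink's target relative to the jail root, so a link in a user's home that points at a directory outside the jail is dangling once the user is chrooted, and the usual fix is a bind mount of the shared directory into each jail (the commands are printed, not executed); and sshd refuses a chroot whose path components are not root-owned or are group/other writable, which check_chroot_path reproduces. The group name sftponly, the share /srv/sftp-shared and the home paths are assumptions.

```shell
#!/bin/sh
# Added example: chrooted SFTP users who share one directory.
# Assumed names (not from the thread): group 'sftponly', share /srv/sftp-shared.
# The render_* functions only print text; nothing here mounts or edits /etc.

# sshd_config Match block: members of the group are jailed in their own
# home and get only the in-process SFTP server (no shell, no forwarding).
# sshd requires the chroot (%h) to be root-owned and not group/other
# writable; a writable subdirectory inside it is where uploads go.
render_sftp_match_block() {
    group="$1"
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $group
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Commands that expose the shared directory inside one user's jail.
# A symlink cannot point outside a chroot, so a bind mount is used; the
# last line is the matching /etc/fstab entry.
render_share_mount() {
    home="$1"; share="$2"
    printf 'mkdir -p %s/shared\n' "$home"
    printf 'mount --bind %s %s/shared\n' "$share" "$home"
    printf '%s %s/shared none bind 0 0\n' "$share" "$home"
}

# Reproduce sshd's precondition for ChrootDirectory: every component from
# 'path' up to and including 'top' must be owned by 'owner' (root on a
# real host; pass / as 'top' there) and not writable by group or other.
# Returns 0 if the path qualifies, 1 otherwise.
check_chroot_path() {
    path="$1"; owner="$2"; top="$3"
    p="$path"
    while :; do
        set -- $(ls -ld "$p")        # $1 = mode string, $3 = owner name
        [ "$3" = "$owner" ] || return 1
        case "$1" in
            ?????w*|????????w*) return 1 ;;   # group or other write bit
        esac
        [ "$p" = "$top" ] || [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return 0
}
```

On a real host the jail is the user's home owned by root (so the user cannot write there directly) with the bind-mounted shared subdirectory being the only writable place; `sshd -t` then confirms the Match block parses. ls -ld is used instead of stat(1) because stat's flags differ between GNU and BSD.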
Quote:
Again, you can put the keys anywhere you'd like, as per the directive given to you earlier. However, you are now going to add complexity to how someone connects, and your system is going to be harder to administer. Because if you have one 'home directory' for all of these users, the keys are going to have to have separate names. So id_rsa will have to be named uniquely for each user, like "pjones_id_rsa", etc. Then they will have to connect by specifying which key file, like "ssh user@server -i /home/dir/.ssh/pjones_id_rsa".
Quote:
And you're STILL going to wind up with a security hole; because EVERY USER will have to have read access to the keyfile location. So what is to stop them from copying ALL OF THEM to their own system, and doing whatever they want with them?
Quote:
Think about what you're doing, and about a better way of doing it. Create a directory somewhere, that is JUST for SFTP. Then create a symlink to that directory, in everyone's home directory, and chroot SFTP users to their own homes. Key management is easy, security is easy, and everyone can read/write to the one directory you're interested in.
Quote:
Then you need to PAY FOR RHEL, or stop where you are and load CentOS. Not paying for RHEL is an incredibly bad move if you're going into production, because you WILL NOT get patches/security updates/bugfixes, or anything else. Your system will get insecure and unstable, pretty quick. And you won't be able to load new software as easily, since you won't have access to online repositories. Pay for RHEL, or use CentOS.
Going to try the symlink route instead.
This is a development. We will have a paid license for red hat in prod.
Quote:
Going to try the symlink route instead.
Quote:
This is a development. We will have a paid license for red hat in prod.
If it's a development box, no need for RHEL at all, since CentOS is great for that. And if you're paying for RHEL in production, you can still call them for advice with such things, since you're paying for support, right?
Quote:
I don't want them all to have the same ssh key. I want each user to continue to have a separate ssh key. I just want all of the keys in the same directory. Or, if it is possible, to continue to have all of the users' ssh keys in separate directories, but everyone have the same home directory. Does that make sense? At the end of the day, I want all users to log in using their ssh keys but everyone have the same home dir.
Can you explain _why_ you want to do this? If you tell us what you are trying to achieve with this scheme, we can probably give you an easier, more functional solution than sharing home folders.
To share the home folder, which is a bad idea, all your users will need the same primary group, you'll have to control access to the home folder with group permissions, (and file creation will require the sgid bit) and your ~/.ssh/authorized_keys file will need to contain the public keys of all users, and you'll want to generate the keypairs with a -C comment that names the user the private key was issued to... just for starters.
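As an added example (not the poster's own code) of the shared-home arrangement this last reply describes: a setgid, group-owned home, and one authorized_keys assembled from per-user public-key files with the comment field forced to the user name so that a login can be traced back to a person. One caveat the reply does not mention: with StrictModes on (sshd's default), sshd rejects ~/.ssh/authorized_keys when the home directory itself is group- or world-writable, which a shared home has to be, so in practice the key file must live outside the home (pointed at with AuthorizedKeysFile under /etc/ssh) or StrictModes must be switched off, which is the worse choice; home_passes_strictmodes shows the conflict. The group sftpshare, the paths and the key strings are constructed.

```shell
#!/bin/sh
# Added example: one shared home for several key-authenticated users.
# Assumed names (not from the thread): group 'sftpshare', home /srv/sftp-home.
# Everything is applied to a scratch tree, so it runs without root.

# Shared home: group-owned, setgid so files created inside inherit the
# group, no access for 'other'. (On a real host also chown it to root;
# skipped here because the example runs unprivileged.) Users need a
# umask that keeps group write, e.g. 002, or they cannot edit each
# other's uploads.
setup_shared_home() {
    home="$1"; group="$2"
    mkdir -p "$home/.ssh"
    chgrp "$group" "$home" "$home/.ssh"
    chmod 2770 "$home"
    chmod 0750 "$home/.ssh"
}

# StrictModes (sshd default) refuses ~/.ssh/authorized_keys when the home
# directory is group- or world-writable. Returns 0 if the home would pass
# that check, 1 if not; a 2770 shared home returns 1.
home_passes_strictmodes() {
    set -- $(ls -ld "$1")          # $1 becomes the mode string, e.g. drwxrws---
    case "$1" in
        ?????w*|????????w*) return 1 ;;   # group write or other write set
    esac
    return 0
}

# Merge <user>.pub files into one authorized_keys, forcing each line's
# comment field to the user name. sshd logs the fingerprint of the key
# that authenticated; 'ssh-keygen -lf authorized_keys' lists fingerprint
# and comment side by side, which is what makes a login traceable.
build_authorized_keys() {
    pubdir="$1"
    for f in "$pubdir"/*.pub; do
        user=$(basename "$f" .pub)
        # keep key type and key material, drop any client-side comment
        awk -v u="$user" 'NF >= 2 { print $1, $2, u }' "$f"
    done
}

# Reverse lookup: which user was a given key (its base64 material) issued to?
user_for_key() {
    awk -v k="$1" '$2 == k { print $3; exit }' "$2"
}
```

Because every user authenticates against the same file, revoking one person means removing one line and re-running build_authorized_keys, which is manageable only if the comment field reliably names the owner; that is why the builder overwrites whatever comment the client generated.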