LinuxQuestions.org


icedfusion 04-10-2008 07:32 AM

adding a user to ssh
 
hi,
I have an SSH server on my main machine which I can connect to fine remotely.
The problem I have is that I want my friend to be able to connect via SSH but ONLY to his user area.

I have added his public key to my list of authorized_keys and I have added him as a user to my system so now he has his own user area.

When he tries to log in as himself he always gets 'permission denied (public key)' - however, if he uses my username - he is able to log in using his passphrase but ends up in my user area.

What step am I missing?

Cheers

ice.

jschiwal 04-10-2008 07:49 AM

It sounds like you didn't create his keys as that user. First of all, he shouldn't even know your passphrase so you probably want to use "ssh-keygen -N <newpassphrase>" to change it. You may have given him your own public & private keys as well, so you might as well regenerate them from scratch.
Either generate a pair of keys for him, or better yet have him generate a pair and give you the public key. Then add the public key to his $HOME/.ssh/authorized_keys file. That will enable him to log in. You should also disable root logins in /etc/ssh/sshd and use "allowusers <yourusername> <hisusername>" to lock down ssh. Using keys, I assume you disabled regular logins as well.

What is the default group of regular users? If it is "users" then create a group for each user of the same name (as the user) and make that the default, and use "sudo chgrp <default_group> /home/<user> -R" to change the default group in each person's HOME directory.

He will still be able to read system directories. Some like /bin/, /etc/, /usr/bin/, /usr/lib, etc. are needed. If you are going to run your system as a multi-user system, you should look into quotas. Take a look at /etc/security/limits.conf.

Take a look at this part of /etc/ssh/sshd_conf:
Quote:

# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

This will enable you to use key-based authentication but still use PAM for controlling limits.

Good Luck!

icedfusion 04-10-2008 11:17 AM

Hi,
Thanks for the quick and prompt response!!

He has given me his public key which I then added to my 'authorized_keys' file.
He can login using my username - but he enters his passphrase not mine.

I think what I need to do is to put his public key in his home directory /home/<new_user>/.ssh/authorized_keys

However, there is a line in the sshd_config that points to where the authorized_key file resides - if this is commented out, does SSH look for the authorized_keys file in the user's directory and not just use the one in my home directory?

What I am trying to do is set up a shared directory on my machine which he can mount on his machine and share files via ssh - but that's the next step.

Will give it a go tonight.

Thanks

ice.

jschiwal 04-10-2008 08:43 PM

I think the default .ssh/authorized_keys is fine. You can use the '%h' wild card to represent the user's homepage "%h/.ssh/authorized_keys" in that case. Yes, the public key should go into the user's own home directory and not yours.

See the man pages for ssh_config and sshd_config. Also, the comments in the sshd_config and ssh_config files are useful.
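
An added example, not part of the original thread: a shell sketch that resolves which authorized_keys file sshd consults for a given user (default when the AuthorizedKeysFile line is commented out, %h and %u expanded, relative paths placed under the user's home) and checks whether a public key is actually in it. The function names, the demo directory and the key string are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes: only the global section of sshd_config
# counts (stops at the first Match block); default is .ssh/authorized_keys as in the thread.

# authorized_keys_paths CONFIG USER HOME -> one resolved path per line
authorized_keys_paths() {
    awk -v user="$2" -v home="$3" '
        function expand(p,    out, i, c, n) {
            out = ""
            for (i = 1; i <= length(p); i++) {
                c = substr(p, i, 1)
                if (c != "%") { out = out c; continue }
                n = substr(p, ++i, 1)             # token character after %
                if (n == "h") out = out home      # %h: user home directory
                else if (n == "u") out = out user # %u: user name
                else if (n == "%") out = out "%"  # %%: literal percent
                else out = out "%" n
            }
            if (out !~ /^\//) out = home "/" out  # relative: under the home
            return out
        }
        /^[ \t]*#/ || NF == 0 { next }            # commented out or blank
        tolower($1) == "match" { exit }
        tolower($1) == "authorizedkeysfile" {
            for (f = 2; f <= NF; f++) print expand($f)
            found = 1; exit
        }
        END { if (!found) print expand(".ssh/authorized_keys") }
    ' "$1"
}

# key_installed_for CONFIG USER HOME PUBKEY -> 0 if sshd would find the key
key_installed_for() {
    blob=$(awk '{ print $2; exit }' "$4")         # line is "type blob comment"
    [ -n "$blob" ] || return 1
    for path in $(authorized_keys_paths "$1" "$2" "$3"); do
        [ -r "$path" ] && grep -qF -- "$blob" "$path" && return 0
    done
    return 1
}

# Constructed demo: the friend's key sits only in the owner's file.
demo=$(mktemp -d)
mkdir -p "$demo/home/ice/.ssh" "$demo/home/friend/.ssh"
printf '#AuthorizedKeysFile\t.ssh/authorized_keys\nUsePAM yes\n' > "$demo/sshd_config"
echo 'ssh-rsa AAAAB3CONSTRUCTEDKEY friend@laptop' > "$demo/friend.pub"
cat "$demo/friend.pub" >> "$demo/home/ice/.ssh/authorized_keys"
key_installed_for "$demo/sshd_config" friend "$demo/home/friend" "$demo/friend.pub" \
    || echo "friend: key not in $(authorized_keys_paths "$demo/sshd_config" friend "$demo/home/friend")"
```

The demo reproduces the situation in the first post: the key is found when logging in as the account whose file holds it, and not found for the friend's own account until it is copied into his home directory.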

