Best practice in implementing ssh-key based authentication
We implemented ssh-key based authentication. But what happens now is that when we add a new user, we need to edit the sshd_config file, set PasswordAuthentication=yes which allows the new user to upload the new user's public keys to /home/userX/.ssh. Then I restart the ssh service. In our case, the users are in different locations, and we don't know when they will upload their keys. That means, we make our servers "vulnerable" during that time, with only the password to rely on.
After the new user uploads his/her keys, we then set PasswordAuthentication=no and restart ssh service.
Some existing users who did not upload their keys before the transition (from password based to key based authentication) also now want to upload their keys, which again means we need to "open" the server for them so that they too can upload their keys.
I am sure sysads have managed hundreds and hundreds of users, if not thousands, smoothly, but how do they do it without this kind of interruption? Is there any way to automate this process? For example, could I do something like:
(1) use key based authentication for users who have already uploaded their keys
(2) If new users are added, or for the existing users who have accounts, but who have not uploaded keys, let them copy their keys with regular password (for example, using ssh-copy-id), so that we do not make our system vulnerable by "opening" it.
(3) No need to edit sshd_config file and restart the ssh service each time.
I am sure sysads have managed hundreds and hundreds of users, if not thousands, smoothly, but how do they do it without this kind of interruption?
Getting the public key from the user and adding it via a script, like mentioned above, is one option.
Another option with more steps but more flexibility would be to use SSH certificates. Those are basically signed keys. They are apparently widely used in large scale deployments but rather little is written about them so far, at least it's not easy to find, but there is still something:
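The first option in the reply above, where the admin receives the user's public key out of band and installs it with a script so that PasswordAuthentication never has to be switched on, could look like the following. This is an added example, not part of the original thread; the function names, the list of allowed key types and the sample key are assumptions made for illustration.

```python
import base64, os, struct, tempfile

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # assumed site policy

def parse_pubkey(line):
    """Validate one OpenSSH public-key line; return (type, base64_blob, comment)."""
    line = line.strip()
    if "\n" in line or "\r" in line:  # a second line would smuggle in another entry
        raise ValueError("more than one line submitted")
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:  # also rejects option prefixes, private keys
        raise ValueError("not a bare public key of an allowed type")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    # The blob begins with a 4-byte length followed by a copy of the key type string.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != parts[0].encode():
        raise ValueError("key type does not match key data")
    return parts[0], parts[1], parts[2] if len(parts) == 3 else ""

def install_key(ssh_dir, line, owner=None):
    """Add the key to ssh_dir/authorized_keys. Returns False if it was already there."""
    ktype, blob, comment = parse_pubkey(line)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    path = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(path):
        with open(path) as fh:
            if any(blob in entry.split() for entry in fh):
                return False
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(f"{ktype} {blob} {comment}".rstrip() + "\n")
    # With StrictModes (sshd's default) group- or world-writable paths are refused.
    os.chmod(ssh_dir, 0o700)
    os.chmod(path, 0o600)
    if owner:  # (uid, gid) of the account, needed when this runs as root
        os.chown(ssh_dir, *owner)
        os.chown(path, *owner)
    return True

# Constructed sample: a well-formed ed25519 blob holding an all-zero key, not a real key.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
).decode() + " userX@laptop"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:  # stands in for /home/userX
        ssh_dir = os.path.join(home, ".ssh")
        print(install_key(ssh_dir, SAMPLE_KEY))  # True: key added
        print(install_key(ssh_dir, SAMPLE_KEY))  # False: already present
```

On a real server this would run as root with `owner` set to the account's uid and gid, after the key has been confirmed with the user over a separate channel.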