LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-27-2012, 09:12 AM   #1
Mad-Halfling
LQ Newbie
 
Registered: Apr 2012
Posts: 23

Rep: Reputation: Disabled
Using a public SSH key on more than one user


Hi, I've got a MythBuntu media server with my login on it and ssh keys set up, so I can log in from both of my laptops without having to enter a password. I now want to set up a user for my brother (user = dave) and I also want to be able to login from my user to this login to test the security setup.
I copied over my public key file and concatenated it to the /home/dave/.ssh/authorized_keys2 file (I had all sorts of fun and games getting SSH set up initially, so I can't remember if that is ..._keys2 because of something I changed, but it's in the sshd_config as that, and in my home .ssh directory it's also ..._keys2) but I still get a password challenge when I try to ssh -p <fw port> dave@myserver. I then copied over my authorized_key2 file into /home/dave/.ssh but this also doesn't work.
Any ideas why this would be - there isn't any issue in copying the same public key over to multiple users within one computer, is there? If I set up a password for that user I can login ok, so it doesn't seem to be a password expiry issue, as far as I can see. I've also grepped my /etc/ssh/sshd_config with my username and can't find any entries there, so I don't think it's anything in there.
Cheers MH
 
Old 04-27-2012, 09:25 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Welcome to LQ Security!

Quote:
I copied over my public key file and concatenated it to the /home/dave/.ssh/authorized_keys2.....
You need to copy the public key on to the server and place it in the authorized keys file there. As you are already using this from your PC, there is no need to do this step. The private key needs to go into the .ssh folder of the user that will be logging into the server as id_rsa. From the description, it sounds like you may have the public and private keys backwards.
 
Old 04-27-2012, 09:48 AM   #3
Mad-Halfling
LQ Newbie
 
Registered: Apr 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
You mean the rsa_id.pub file, yes? That's the file I copied and concatenated to the auth..._keys2 file. AFAIK that's the original file I copied over on my user, and either way if I copy my auth..._keys2 file from my user's home .ssh on the server into the ~/dave/.ssh that should be ok, yes? Just to clarify, when I was talking about copying the auth..._keys2 file from one user's home to the other, I was referring to the files in the home directories on the server rather than copying the auth..._keys2 file from the client to the server.

As an example, if I have users foo and bar and I am set up to ssh-key login as user foo
Code:
ssh foo@servername
and then I
Code:
cp /home/foo/.ssh/authorized_keys2 /home/bar/.ssh/authorized_keys2
then I should be able to ssh-key login as bar, yes?
Code:
ssh bar@servername
and it will use my key for both users?
 
Old 04-27-2012, 10:18 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I think you have it backwards. When you create the key pair you get two files, id_rsa (private) and id_rsa.pub (public). Authorized keys, to which the public key gets copied / appended goes on the SERVER, not the users. The private key goes with the user. See this link for an example.

Using your example, you would:
Code:
cp /home/foo/.ssh/id_rsa /home/bar/.ssh/id_rsa
Now both users, foo and bar can log into the same server with the same key.

I think you would be better off to generate a unique keypair on your brother's machine and just append that public key to the authorized keys file on the server. The server's authorized key file should have both public keys listed in it, one per line. That way you will both be able to access the server.
 
Old 04-27-2012, 10:27 AM   #5
Mad-Halfling
LQ Newbie
 
Registered: Apr 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
Sorry, I don't think I explained myself clearly enough.
Users foo and bar are both on the server.
I have user foo on my own systems, and from there I want to be able to log onto the server, using the ssh-key, as both user foo and user bar, so I can check everything works ok for the bar user before I set my brother up on it. Once I was happy I was going to get him to send me his public ssh key and import it into user bar, retaining my own ability to log into the server as both foo and bar.
That changes things, regarding your answer, doesn't it?
Apologies that I wasn't clear enough in my original question.

Recently I've imported ssh keys from user backuppc on my backup server into my laptop's root user so I can remotely backup the system, so I know the users don't have to be the same on the local and remote servers, but I was wondering if there were any issues importing a single user's public key into multiple users on a target server.

Thanks - MH

Last edited by Mad-Halfling; 04-27-2012 at 10:28 AM.
 
Old 04-27-2012, 10:29 AM   #6
roger_heslop
Member
 
Registered: Oct 2009
Location: Leander, TX
Distribution: Fedora 20
Posts: 97

Rep: Reputation: 35
You may need openssh-clients installed to do this, but I find the easiest way is 'ssh-copy-id name@[fqdn_or_ip]' works best. Just build out your key (ssh-keygen -t rsa) then use the previous command to copy to the profile you need.
 
Old 04-27-2012, 10:46 AM   #7
Mad-Halfling
LQ Newbie
 
Registered: Apr 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
I did try using ssh-copy-id but I'm away from home ATM and that doesn't seem to accept ports - I checked the man entry and it only seems to access the -i parameter, but I tried -p anyway, plus it doesn't seem to accept user@machine:port

--edit-- disabled smiles for the :p display

Last edited by Mad-Halfling; 04-27-2012 at 11:24 AM.
 
Old 04-27-2012, 01:17 PM   #8
Mad-Halfling
LQ Newbie
 
Registered: Apr 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
Now I'm home I tried the ssh-copy-id, but it didn't work - it's probably something I've done, what are the basic, user-level things I need to check that might stop a user logging on with ssh keys (but would still allow the password login)?
 
Old 04-27-2012, 03:23 PM   #9
kfritz
Member
 
Registered: Aug 2006
Distribution: Slackware, OpenBSD, CentOS, Ubuntu
Posts: 99

Rep: Reputation: 31
Check the permissions on ~/.ssh directory and ~/.ssh/authorized_keys. sshd is quite fiddly about permissions and you may need to "chmod go-wx" them and make sure they're owned by the user. Look at the man page for sshd, in the FILES section for more details.

Last edited by kfritz; 04-27-2012 at 03:27 PM. Reason: Added "owned by user"
 
Old 04-30-2012, 12:01 PM   #10
Mad-Halfling
LQ Newbie
 
Registered: Apr 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
I did have a look at those - as far as I can see they're the same (apart from, for his user) as my user's file permissions that work ok:-

drwx------ 2 dave dave 4096 Apr 27 18:47 /home/dave/.ssh

and

-rw------- 1 dave dave 395 Apr 27 18:46 authorized_keys2
-rw-r-xr-x 1 dave dave 789 Apr 27 14:45 authorized_keys2.old
-rw------- 1 dave dave 1679 Apr 27 14:14 id_rsa
-rw-r--r-- 1 dave dave 396 Apr 27 14:14 id_rsa.pub

Should these be ok - as I said if you change the user and group names, my .ssh directory and its contents for those files are the same.

The only thing that obviously sticks out is I have a known_hosts file in my .ssh directory, but I'm guessing that's outgoing ssh hosts, rather than incoming ones?

Last edited by Mad-Halfling; 04-30-2012 at 12:06 PM.
 
Old 04-30-2012, 03:09 PM   #11
kfritz
Member
 
Registered: Aug 2006
Distribution: Slackware, OpenBSD, CentOS, Ubuntu
Posts: 99

Rep: Reputation: 31
What are the permissions on /home/dave? Does sshd log anything into /var/log/messages?

For example, if I have an account "guest" with the following:

drwxrwx--x 4 guest users 4096 Jul 27 2011 /home/guest/

In /var/log/messages, it has this when I try to use a key:

Apr 30 13:03:00 trix sshd[2288]: Authentication refused: bad ownership or modes for directory /home/guest
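The checks kfritz describes, written out as a script (an added example, not code from any poster in this thread): it reproduces the ownership and mode rules sshd applies under its default StrictModes setting to the home directory, ~/.ssh and the authorized keys file, so a "bad ownership or modes" refusal can be reproduced on the command line. The home directory with mode drwxrwx--x from the post above is refused, while the 0700 layout the original poster listed passes. It assumes GNU coreutils stat -c (as on Ubuntu and Gentoo), runs against constructed directories under mktemp rather than real accounts, and defaults the key file name to authorized_keys2 to match the poster's sshd_config; the "root is also an acceptable owner" rule is sshd's own.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce sshd's StrictModes checks
# (owner must be the user or root; no group/other write bit) on the home
# directory, ~/.ssh and the authorized keys file.
# Assumes GNU stat -c.

# check_path PATH USER: 0 if PATH is owned by USER (or root) and is not
# group- or world-writable; otherwise prints the reason and returns 1.
check_path() {
    p=$1; u=$2
    [ -e "$p" ] || { echo "$p: missing"; return 1; }
    owner=$(stat -c '%U' "$p")
    mode=$(stat -c '%a' "$p")
    if [ "$owner" != "$u" ] && [ "$owner" != root ]; then
        echo "$p: owned by $owner, expected $u"; return 1
    fi
    # Leading 0 makes the mode an octal literal; 022 = group+other write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$p: mode $mode is group/world writable"; return 1
    fi
    return 0
}

# check_user_keys HOME USER [KEYFILE]: check HOME, HOME/.ssh and the key
# file (authorized_keys2 by default, as in the poster's sshd_config).
check_user_keys() {
    home=$1; u=$2; keyfile=${3:-authorized_keys2}
    rc=0
    check_path "$home" "$u" || rc=1
    check_path "$home/.ssh" "$u" || rc=1
    check_path "$home/.ssh/$keyfile" "$u" || rc=1
    return $rc
}

# make_demo_home ROOT MODE: constructed home directory under ROOT with the
# given home-directory mode and a correct .ssh layout; prints its path.
make_demo_home() {
    h=$1/home
    mkdir -p "$h/.ssh"
    touch "$h/.ssh/authorized_keys2"
    chmod "$2" "$h"; chmod 700 "$h/.ssh"; chmod 600 "$h/.ssh/authorized_keys2"
    echo "$h"
}

# demo: a 700 home passes, a 771 home (drwxrwx--x, as in the post) is refused.
demo() {
    me=$(id -un)
    tmp=$(mktemp -d)
    good=$(make_demo_home "$tmp/good" 700)
    bad=$(make_demo_home "$tmp/bad" 771)
    check_user_keys "$good" "$me" && echo "good: ok"
    check_user_keys "$bad" "$me" || echo "bad: refused"
    rm -rf "$tmp"
}

demo
```

Run it as the user whose login fails (or pass that user's name and home directory to check_user_keys) and it prints the first path sshd would object to; sshd logs the same refusal to auth.log or messages, depending on the distribution.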
 
Old 04-30-2012, 09:21 PM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
Here is my "cheat sheet" for setting up ssh:
  1. ssh-keygen -t rsa ... follow prompts.
  2. In Macintosh OS/X there is an ssh-add -K command to add a public-key to that system's ssh-agent keyring, along with passwords.
  3. On the client (this and all remaining steps): mkdir ~/.ssh
  4. chmod 700 ~/.ssh
  5. touch ~/.ssh/authorized_keys
  6. chmod 600 ~/.ssh/authorized_keys
  7. cat keyfile_name >> ~/.ssh/authorized_keys (note use of two ">"s)

The strongest thing to do would be to, first on your account, perform the ssh-keygen step to generate your public key, encrypting that with a password. Then, have your brother do the same. (Both of you review the ssh-agent functionality on your systems.) Next, each of you supplies the public key (suffix .pub) for the procedure described above.

I think that it's a good idea to have separate keys, one for each user, and for each person to individually password-protect (encrypt) their own key without revealing it to anyone ... especially one's "bratty brother!"

The whole point of an ssh digital key is to create a unique and individually-manageable identity for one person. I would not "share a key" among more than one user.
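Steps 3 to 7 of the cheat sheet above as one function (an added example, not code from any poster in this thread), applied on the server side where the authorized keys file lives: it creates ~/.ssh with mode 700 and the key file with mode 600, and appends the public key line only if it is not already there, so re-running it does not leave duplicate lines. The demo installs the same constructed key line for two server users, which is what the original poster wants to do, and checks that each file holds exactly one copy. The key string is constructed and not a working key; the home directories are temporary ones under mktemp, not real accounts.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent installation of one public
# key line into a user's authorized keys file with the modes sshd expects.

# install_pubkey HOME KEYLINE [KEYFILE]: create HOME/.ssh (0700) and the key
# file (0600) if missing, append KEYLINE unless already present, and print
# "added" or "present".
install_pubkey() {
    home=$1; keyline=$2; keyfile=${3:-authorized_keys}
    dir=$home/.ssh; file=$dir/$keyfile
    mkdir -p "$dir"; chmod 700 "$dir"
    touch "$file"; chmod 600 "$file"
    # -x whole-line, -F fixed-string: the key material is not a regex.
    if grep -qxF -- "$keyline" "$file"; then
        echo present
    else
        printf '%s\n' "$keyline" >> "$file"
        echo added
    fi
}

# count_key HOME KEYLINE [KEYFILE]: number of lines equal to KEYLINE.
count_key() {
    home=$1; keyline=$2; keyfile=${3:-authorized_keys}
    grep -cxF -- "$keyline" "$home/.ssh/$keyfile"
}

# Constructed key line for the demo; a real one is the content of id_rsa.pub.
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYNOTREAL mh@laptop'

demo() {
    tmp=$(mktemp -d)
    # The same public key into two server users (foo and dave):
    install_pubkey "$tmp/foo" "$DEMO_KEY"
    install_pubkey "$tmp/dave" "$DEMO_KEY"
    # Running it again reports "present" and adds nothing:
    install_pubkey "$tmp/dave" "$DEMO_KEY"
    echo "dave has $(count_key "$tmp/dave" "$DEMO_KEY") copy"
    rm -rf "$tmp"
}

demo
```

For a real account, call install_pubkey with that user's home directory and the line from the client's id_rsa.pub, running as that user (or chown the result to them afterwards); the key file name is the one sshd's AuthorizedKeysFile setting names, authorized_keys2 in the original poster's case.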
 
Old 05-01-2012, 04:50 PM   #13
Mad-Halfling
LQ Newbie
 
Registered: Apr 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
We are generating our own keys and keeping them private - I just wanted to also set up my key on my brother's user so I could check his security was all ok and remote login to his user directly. I removed the existing .ssh directory and followed those steps but it still gives me the password challenge when I try to log in as my brother. Interestingly, in /var/log/auth.log I have this error that occurs when I try to get in:-
reverse mapping checking getaddrinfo for host86 [X.X.X.X] failed - POSSIBLE BREAK-IN ATTEMPT!
X.X.X.X is my ip (I did check to make sure it wasn't a legitimate hacking warning) so I'm guessing that's what's causing the problem. Any idea why it would object to my login on my brother's user, but I can still log into my user ok using the same key - or am I labouring under the misapprehension that I can install the same public key on two different users on the same system? I'm still waiting for my brother to send me his public key to see if his works ok.

Last edited by Mad-Halfling; 05-01-2012 at 04:59 PM.
 
Old 05-01-2012, 05:31 PM   #14
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
The ssh configuration file must be set up to allow rsa-based access and to prohibit password authentication.

Otherwise, ssh has the very annoying habit of starting with the strongest authentication method, then stair-stepping down to the least strong method, and accepting any one that works!

("Oh, my. It seems that you don't seem to know the combination to the impregnable steel door. Would you like to please come in through the open window, instead?")
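A way to check what the server's configuration actually allows, following the point made in the post above (an added example, not code from any poster in this thread): sshd takes the first occurrence of a keyword in sshd_config and ignores later ones, so a "PasswordAuthentication no" added at the bottom of the file has no effect if an earlier line says "yes". The script reads the global section of a config file the way sshd does (keyword case-insensitive, comments skipped, first value wins, Match blocks not entered) and reports whether key-only login is in force; the sample sshd_config it writes is constructed for the demo and also names authorized_keys2 as the key file, as the original poster's does. On the real server, "sshd -T" prints the effective values and is the authoritative check.

```shell
#!/bin/sh
# Added example, not from the thread: read effective sshd_config values
# (global section, first occurrence wins) and check for key-only login.

# effective_sshd_option CONFIG KEYWORD DEFAULT: print the value sshd would use
# for KEYWORD from CONFIG's global section, or DEFAULT if it is not set.
# Assumes the "Keyword value" form; the "Keyword=value" form is not handled.
effective_sshd_option() {
    cfg=$1; key=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); def=$3
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        { k = tolower($1) }
        k == "match" { exit }                           # stop at the first Match block
        k == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }  # first hit wins
    ' "$cfg")
    printf '%s\n' "${val:-$def}"
}

# keys_only CONFIG: 0 when public-key auth is on and password auth is off.
# The defaults passed here are OpenSSH's own (both "yes").
keys_only() {
    [ "$(effective_sshd_option "$1" PubkeyAuthentication yes)" = yes ] &&
    [ "$(effective_sshd_option "$1" PasswordAuthentication yes)" = no ]
}

# write_demo_config PATH: constructed sshd_config showing the first-wins trap.
write_demo_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's file
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys2
# this later line is ignored by sshd: the first occurrence above wins
PasswordAuthentication no
Match User dave
    PasswordAuthentication no
EOF
}

demo() {
    cfg=$(mktemp)
    write_demo_config "$cfg"
    echo "AuthorizedKeysFile:     $(effective_sshd_option "$cfg" AuthorizedKeysFile .ssh/authorized_keys)"
    echo "PasswordAuthentication: $(effective_sshd_option "$cfg" PasswordAuthentication yes)"
    if keys_only "$cfg"; then
        echo "key-only login is in force"
    else
        echo "password login is still accepted (check the first PasswordAuthentication line)"
    fi
    rm -f "$cfg"
}

demo
```

Point effective_sshd_option at /etc/ssh/sshd_config to see which line is winning; once PasswordAuthentication is really "no", a client with the wrong key gets "Permission denied (publickey)" instead of a password prompt, which is the behaviour the post above is after.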
 
Old 05-01-2012, 06:31 PM   #15
Mad-Halfling
LQ Newbie
 
Registered: Apr 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
I assume you mean the server's ssh configuration, yes? That public key I've imported to my brother's account works fine on my account on that same server, so as far as I can see the server is set up ok? As I said, is the ssh server objecting to that same public key being used on two different users on the same server? I've also, for the moment, left password authentication turned on as I need to log in from other systems, for the moment, but I'll turn it off at some point soon.

Last edited by Mad-Halfling; 05-01-2012 at 06:43 PM.
 
  

