
How would I view all the authorised SSH clients from a unix server?

I know that cat ~/.ssh/authorized_keys shows authorised keys if logged in as root. Can other users set their own authorised keys too? In which case, how would I view all system authorised keys?

Jens Erat
user2761030

3 Answers


To answer your questions in order:

  1. You can see all authorized keys by running the following script with root privileges.

    #!/bin/bash
    for X in $(cut -f6 -d ':' /etc/passwd |sort |uniq); do
        if [ -s "${X}/.ssh/authorized_keys" ]; then
            echo "### ${X}: "
            cat "${X}/.ssh/authorized_keys"
            echo ""
        fi
    done
    
  2. Any valid user may create a $HOME/.ssh/authorized_keys file and add any number of public keys to it. Someone with the corresponding private key will then be able to log in as that particular user. The process sshd follows is like the following. When a new connection comes in sshd asks the client for the username. If the username exists in /etc/passwd, sshd then reads the name of the user's home directory from the sixth field in /etc/passwd. It then checks if .ssh/authorized_keys exists in that user's home directory and if permissions are correctly set on both the .ssh directory and authorized_keys file. If those conditions are met, sshd will then attempt to authenticate the client's private key against the public key stored in $HOME/.ssh/authorized_keys. If the client possesses the matching private key, sshd will allow it access.

  3. You may use the script above.

S.L. Barth makes an excellent point about root access. It is considered a risk to allow root access through ssh. The generally accepted practice is to create a user account, grant it root access with sudo or a similar tool, and disable root logins through ssh by adding the following line to /etc/ssh/sshd_config and restarting sshd.

PermitRootLogin no

Chances are almost 100% that if your machine is on the Internet, the "Hail Mary Cloud" will be knocking at your door. For Linux, iptables, and sshd where you allow password-based logins, you will probably want to install and configure something like fail2ban so it's harder for attackers to brute-force your machine.

And, since we're already talking about ssh keys, and because this was posted today, you probably want to add UseRoaming no to the Host * section in your /etc/ssh/ssh_config.

Jakuje
Liczyrzepa
  • OpenSSH's sshd uses the `AuthorizedKeysFile` setting, which defaults to `%h/.ssh/authorized_keys` but can be overridden in the config file (`/etc/ssh/sshd_config` on my system) or on the command-line. A robust script should probably verify that setting hasn't been changed (and that only OpenSSH is providing sshd). – Jan 14 '16 at 22:08
  • You're right! You could probably add in some code to check sshd_config and even go as far as to use netstat or ss to see what's listening on port 22. My answer does assume the default setting for AuthorizedKeysFile is unchanged and that sshd in question is OpenSSH. – Liczyrzepa Jan 18 '16 at 17:37
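An added example, not part of the answer or the comments above, that makes the two checks raised here concrete (that `AuthorizedKeysFile` may have been changed, and that `PermitRootLogin no` is actually in force): sshd keeps the first occurrence of a keyword in sshd_config, and lines under a `Match` header are conditional, so a hardening line appended at the bottom of the file may not be what the daemon uses. The script below parses a constructed sshd_config (the contents are made up for the demonstration, not taken from any real host) and reports the effective global value of a few keywords; run with `--live` it reads `/etc/ssh/sshd_config` instead. Function names are mine. `Include` directives (OpenSSH 8.2 and later) and the `Keyword=value` spelling are not handled; on a real host, `sshd -T` run as root prints the fully resolved configuration (add `-C user=root` to see what a Match block would do for root) and is the authoritative check.

```shell
#!/bin/bash
# Added example: report the value sshd will actually use for a keyword, given
# the text of an sshd_config. sshd keeps the FIRST occurrence of each keyword,
# so a hardening line appended at the end of the file is ignored if an earlier
# line already set it. Lines under a "Match" header are conditional, so they
# are skipped here (treat them as "review by hand"). Not handled: Include
# directives (OpenSSH 8.2+) and the Keyword=value spelling.

# effective_setting KEYWORD CONFIG_TEXT -> first global value, or "(default)"
effective_setting() {
    local keyword="$1" config="$2"
    printf '%s\n' "$config" | awk -v kw="$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            key = tolower($1)                        # keywords are case-insensitive
            if (key == "match") { in_match = 1; next }
            if (in_match) { next }                   # conditional block, skip it
            if (key == kw) {                         # first global hit wins
                $1 = ""; sub(/^[ \t]+/, "")          # drop the keyword, keep the argument(s)
                print; found = 1; exit
            }
        }
        END { if (!found) print "(default)" }'
}

# audit_config CONFIG_TEXT -> Keyword=value for the settings this thread cares about
audit_config() {
    local config="$1" kw
    for kw in PermitRootLogin PasswordAuthentication AuthorizedKeysFile; do
        printf '%s=%s\n' "$kw" "$(effective_setting "$kw" "$config")"
    done
}

# Constructed sample (not a real host's file). PermitRootLogin is set twice,
# and PasswordAuthentication only inside a Match block.
SAMPLE_CONFIG='# sshd_config (constructed example)
Port 22
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/keys/%u
PermitRootLogin no
Match User deploy
    PasswordAuthentication no'

case "${1:-}" in
    --live) audit_config "$(cat /etc/ssh/sshd_config)" ;;   # real file, needs read access
    "")     audit_config "$SAMPLE_CONFIG" ;;                 # stand-alone demo
esac
```

On the sample, `PermitRootLogin` comes back as `yes` even though the last line in the file says `no`, and `PasswordAuthentication` is reported as `(default)` because its only setting sits under `Match User deploy` and applies to that user alone.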

The cat ~/.ssh/authorized_keys command shows you the authorized_keys file of the currently logged in user. When logged in as root, or using sudo, this will give you the authorized_keys file of the root user.

The authorized_keys file, at least on Ubuntu, is usually owned by the user. So the currently logged in user (root or not) can see it.
The .ssh directory is in the user's home directory, and usually owned by them with read, write and execute privileges; so normally a user should be able to indeed add their own authorized_keys file.

To see all authorized keys, you could just create a script that iterates over all home directories and /root, and prints the .ssh/authorized_keys file. Obviously this script will require sudo privileges.

As a side note, on Ubuntu the root account is usually disabled, because it is a favorite target of attackers. It may not contain an authorized_keys file for this reason.

S.L. Barth

IMO it's a good idea to also check the ~/.ssh/authorized_keys2 file. From https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2:

For backward compatibility ~/.ssh/authorized_keys2 will still be used for authentication and hostkeys are still read from the known_hosts2.

Improved code from Liczyrzepa:

#!/bin/bash
for X in $(cut -f6 -d ':' /etc/passwd |sort |uniq); do
  for suffix in "" "2"; do
    if [ -s "${X}/.ssh/authorized_keys${suffix}" ]; then
      echo "### ${X}: "
      cat "${X}/.ssh/authorized_keys${suffix}"
      echo ""
    fi
  done
done
coffeemakr
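Pulling the three answers and the `AuthorizedKeysFile` comment together, here is an added example (my code, not from any of the answers above) of an enumeration that honours the `AuthorizedKeysFile` setting: it expands the `%h`, `%u` and `%%` tokens sshd recognises, treats a relative pattern as relative to the home directory, reads accounts with a field-safe `read` loop instead of word-splitting `cut` output (so home directories containing spaces work), and checks every listed file, `authorized_keys2` included. Run stand-alone it only exercises a constructed fixture (two fake accounts under a temporary directory, with made-up keys); run as root with `--live` it takes the patterns from `sshd -T` (falling back to the OpenSSH default of `.ssh/authorized_keys .ssh/authorized_keys2`) and walks `getent passwd`, which also covers LDAP or other NSS accounts that are not in `/etc/passwd`. Function names are mine.

```shell
#!/bin/bash
# Added example: enumerate the key files sshd would actually consult for every
# account, honouring AuthorizedKeysFile patterns. Assumes OpenSSH's sshd.
# Tokens (sshd_config(5)): %h = home directory, %u = user name, %% = literal %.
# A pattern that is not absolute is taken relative to the user's home directory.

DEFAULT_PATTERNS=".ssh/authorized_keys .ssh/authorized_keys2"   # OpenSSH default

# expand_pattern PATTERN HOME USER -> absolute path of the key file
expand_pattern() {
    local home="$2" user="$3" out="" rest="$1"
    while [ -n "$rest" ]; do
        case "$rest" in
            %h*) out="$out$home"; rest="${rest#%h}" ;;
            %u*) out="$out$user"; rest="${rest#%u}" ;;
            %%*) out="$out%";     rest="${rest#%%}" ;;
            *)   out="$out${rest%"${rest#?}"}"; rest="${rest#?}" ;;   # copy one character
        esac
    done
    case "$out" in
        /*) printf '%s\n' "$out" ;;
        *)  printf '%s/%s\n' "$home" "$out" ;;
    esac
}

# audit_keys PASSWD_DATA PATTERNS -> for each account, print a "### user: path"
# header followed by the contents of every non-empty key file that exists.
audit_keys() {
    local passwd_data="$1" patterns="$2"
    local user pw uid gid gecos home shell pat path
    # IFS=: read keeps fields intact; word-splitting $(cut ...) would break on
    # home directories containing spaces.
    printf '%s\n' "$passwd_data" | while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] && [ -n "$home" ] || continue
        for pat in $patterns; do           # AuthorizedKeysFile values are whitespace-separated
            path=$(expand_pattern "$pat" "$home" "$user")
            if [ -s "$path" ]; then
                printf '### %s: %s\n' "$user" "$path"
                cat "$path"
            fi
        done
    done
}

# make_fixture DIR -> creates two fake home directories under DIR and prints
# matching passwd lines. Constructed data; the keys are not real keys.
make_fixture() {
    local root="$1"
    mkdir -p "$root/home/alice/.ssh" "$root/home/bob/.ssh"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForTheExampleOnly alice@laptop' \
        > "$root/home/alice/.ssh/authorized_keys"
    # bob keeps his key only in the legacy authorized_keys2 file
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeKeyForTheExampleOnly bob@desktop' \
        > "$root/home/bob/.ssh/authorized_keys2"
    printf '%s\n' \
        "alice:x:1000:1000:Alice:$root/home/alice:/bin/bash" \
        "bob:x:1001:1001:Bob:$root/home/bob:/bin/bash" \
        "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin"
}

case "${1:-}" in
    --live)
        patterns="$DEFAULT_PATTERNS"
        # sshd -T (run as root) prints the effective configuration with lowercased keywords
        if command -v sshd >/dev/null 2>&1; then
            from_sshd=$(sshd -T 2>/dev/null | awk '$1 == "authorizedkeysfile" { $1 = ""; sub(/^ /, ""); print }')
            [ -n "$from_sshd" ] && patterns="$from_sshd"
        fi
        # getent covers NSS sources (LDAP, SSSD) as well as /etc/passwd
        audit_keys "$(getent passwd)" "$patterns"
        ;;
    "")
        # Stand-alone demo against the constructed fixture
        demo=$(mktemp -d)
        audit_keys "$(make_fixture "$demo")" "$DEFAULT_PATTERNS"
        rm -rf "$demo"
        ;;
esac
```

Against the fixture this prints two headers, one for alice's `authorized_keys` and one for bob's `authorized_keys2`, and nothing for the `nobody` account whose home does not exist. Note that `sshd -T` without a `-C` connection spec reports the global values only; if `AuthorizedKeysFile` is changed inside a `Match` block, run `sshd -T -C user=<name>` for that account.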