I'm trying to create an ssh key for another user. I'm logged in as root. Can I just edit the files generated by ssh-keygen and change root to the user I want?
If you generate the key for the user you also have to have a secure method of getting the private key and its passphrase to the user. Much better the user generate the key and then just email you the public key. – user9517 Oct 22 '11 at 20:02

But isn't that difficult if you don't allow password logins? If I am key-only, and I set up a new user, they can't log in to set up their key. – LVLAaron Aug 08 '13 at 14:20

I don't have enough rep to make an answer so I made a gist which is a small script to create a user, generate an ssh key, copy that public key to ~/.ssh/authorized_keys and then zip it to send to them. https://gist.github.com/robmsmt/b8300e7a0d711a7616e948a8232289a5 – robmsmt Oct 31 '20 at 03:37
4 Answers
There's no user information in the SSH keys.
The last field in a public key is a comment (and can be changed on an existing key by running `ssh-keygen -c -C newcomment -f keyfile`).
No need to do anything special to make a key for another user, just put it in the right location and set permissions.
I just tested and confirmed, not only is it just a comment, but it can be removed and keys still function. I always thought it mattered! Thanks for giving the correct answer. Like the comments above, I have a reason for creating keys for other users, but I won't say why, so there's no argument. – FreeSoftwareServers Sep 18 '16 at 19:15

This username in the public key makes me think that username is encoded into the public key and the public key will be invalid if changing the username. Thanks a lot. – Hobin C. Nov 12 '20 at 09:12
You could do that with `ssh-keygen`, however, remember that the private key is meant to be private to the user so you should be very careful to keep it safe, as safe as the user's password. Or even safer, as the user is not likely to be required to change it upon first login.

`ssh-keygen -f anything` creates two files in the current directory. `anything.pub` is the public key, which you could append to the user's `~/.ssh/authorized_keys` on any destination server.

The other file, just called `anything`, is the private key and therefore should be stored safely for the user. The default location would be `~username/.ssh/id_rsa` (here named `id_rsa`, which is default for rsa keys). Remember that the `.ssh` directory cannot be readable or writeable by anyone but the user, and the user's home directory cannot be writeable by anyone but the user. Likewise, permissions must be tight on the private key, as well: read/write for only the user, and the `.ssh` directory and private keyfile must be owned by the user.

Technically you could store the key anywhere. With `ssh -i path/to/privatekey` you could specify that location while connecting. Again, proper ownership and permissions are critical and ssh will not work if you don't have them right.
You are assuming that the user is a real person. If the login is a non-interactive user utilized to perform utility tasks (e.g. running maine scripts on remote servers), then yes, you would probably generate the key for that user manually. Of course, that has its own security implications, but that's another story. – Rilindo Oct 22 '11 at 22:31

@Rilindo `ssh -i` to a private key for a non-privileged process is how I handle more than a few automated rsync backup processes. :) – Shadur Oct 23 '11 at 09:56

I don't like that kind of answer that says "you shouldn't do that" but doesn't answer the question. While this may be correct and helpful for the context of the original question, other people may have the same question in a different situation. "ssh keys should never be generated for another user": That is true in the simple case. But consider multiple identities of the same physical person, for example. There may be multiple accounts on multiple systems, not all of them allowing you to generate keys or allowing to protect private keys appropriately. – Gustave Sep 09 '15 at 08:17

Note also that `-f` just creates a file with that name; as @Alex says in his answer, there is no user information in SSH keys. – simonalexander2005 Nov 03 '15 at 11:22
Become the user by using `su` and run `ssh-keygen` as that user:

```
[root@kvm0001 ~]# su - joeuser
[joeuser@kvm0001 ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/joeuser/.ssh/id_dsa):
```

(Use `-t rsa1` or `-t rsa` instead of `dsa`, depending on your security requirements.)
You should be using rsa (or possibly one of the elliptic curve variants). dsa is limited to insecure keysizes. rsa1 is a legacy format for ssh1 which no one should be using anymore. – Peter Green Dec 19 '15 at 05:51

My `joeuser` is a service user, therefore I cannot log in as them. How do I allow a service user (that just runs processes) to have an ssh key? – Jonathan Nov 30 '17 at 04:09

@JonathanLeaders You would specify the shell for the user when becoming that user. Something like this:

```
[root@ip-10-254-41-211 ~]# grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
[root@ip-10-254-41-211 ~]# su - ftp
su: warning: cannot change directory to /var/ftp: No such file or directory
This account is currently not available.
[root@ip-10-254-41-211 ~]# su -s /bin/bash ftp
bash-4.2$ whoami
ftp
bash-4.2$
```

– Rilindo Dec 03 '17 at 22:54

@Rilindo You can use http://pastebin.com for this sort of issue, sorry for the inconvenience – Jonathan Dec 13 '17 at 02:39
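Putting the two answers above together, here is an added example (my own shell script, not code from any answer on this page) that provisions a key for another user as root and then audits the ownership and permission rules the second answer lists. It assumes Linux with GNU coreutils and OpenSSH, picks an ed25519 key, and uses the `su -s` override from Rilindo's comment so it also works for nologin service accounts.

```shell
#!/bin/sh
# Added example, not code from any answer on this page. Assumes Linux with
# GNU coreutils (stat -c, getent, install) and OpenSSH's ssh-keygen.

# audit_ssh_dir DIR UID: check the rules the second answer states for a
# user's ~/.ssh: everything owned by UID, the directory 0700, private keys
# 0600 (or 0400), and nothing writable by group or others. Prints each
# violation; returns 0 when clean, 1 otherwise.
audit_ssh_dir() {
  dir=$1; uid=$2; bad=0
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
  for path in "$dir" "$dir"/*; do
    [ -e "$path" ] || continue                 # an empty glob stays literal
    set -- $(stat -c '%u %a' "$path")          # $1 = owner uid, $2 = octal mode
    [ "$1" = "$uid" ] || { echo "owner uid $1 != $uid: $path"; bad=1; }
    case "$path" in
      "$dir")
        [ "$2" = 700 ] || { echo "directory mode $2 != 700: $path"; bad=1; } ;;
      *.pub|*/authorized_keys|*/known_hosts|*/config)
        case "$2" in                           # readable is fine, writable is not
          *[2367]?|*?[2367]) echo "group/other writable ($2): $path"; bad=1 ;;
        esac ;;
      *)                                       # anything else is a private key
        case "$2" in 600|400) ;; *) echo "private key mode $2: $path"; bad=1 ;; esac ;;
    esac
  done
  return "$bad"
}

# provision_user_key USER: run as root. Generates USER's key pair *as* that
# user so the files come out owned correctly; the -s /bin/sh override works
# even when the account's shell is /sbin/nologin (see Rilindo's comment).
# -N '' gives an empty passphrase, as for a service account; drop it for a
# person so they choose their own. The -C comment is a label, not identity.
provision_user_key() {
  user=$1
  home=$(getent passwd "$user" | cut -d: -f6)
  uid=$(id -u "$user")
  install -d -m 700 -o "$user" -g "$(id -g "$user")" "$home/.ssh"
  su -s /bin/sh -c \
    "ssh-keygen -q -t ed25519 -N '' -C '$user key' -f '$home/.ssh/id_ed25519'" "$user"
  audit_ssh_dir "$home/.ssh" "$uid"            # fail loudly if anything is off
}
```

Run `provision_user_key joeuser` as root; `audit_ssh_dir /home/joeuser/.ssh "$(id -u joeuser)"` can also be run on its own to check a directory that already exists.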
As seen here, you can use chmod to change the read permissions of the folder of the user you want to add the SSH key to.

```
vim /home/username/.ssh/authorized_keys
```

Then, simply paste the key on a new line at the bottom of that file.