
Ubuntu Trusty here. I'm having some trouble deciding where in the system I should configure which users are to be allowed to ssh into the machine, and which keys they're allowed to use.

I've traditionally just created Linux users with respective home folders, and would place authorized_keys under the ~/.ssh folder.

It seems that another option is to use sshd's config as well. You can define AllowUsers there and even AuthorizedKeysFile with all the supported ssh keys. I'm using this article for reference.

Now, what's the best practice here? Should I not specify AllowUsers/AuthorizedKeysFile and let the OS user's existence and authorized_keys file decide if the user should be able to log in or not? Should I not use the user's ~/.ssh/authorized_keys? Should I have both in place?

The former makes configuration management (through Ansible in my case) a bit simpler, but I can have it in both places if need be.

Alexandr Kurilin
  • **The best practice would be to stick with default configurations unless you have a good reason to do something unusual.** Do you want to prevent your users from managing their own keys, or not? Do you have system accounts that shouldn't be allowed ssh? – Zoredache Jul 22 '14 at 22:44
  • - I'm ok with users managing their own keys. - I can't think of any system accounts I might want to authorize for SSH. – Alexandr Kurilin Jul 22 '14 at 22:52

1 Answer


The most common way is ~/.ssh/authorized_keys, it allows users to manage their own keys. Unless you're planning to migrate to a different authentication (e.g. LDAP) system someday, this should be your choice.

Keep in mind that each ~/.ssh/ folder needs to be chmod'd to 700 and chown'd to the respective user.

By the way, if you manage lots of users, have a look at the useradd documentation on the /etc/skel directory. You might want to put a default .ssh/authorized_keys there.

lxg
  • You do not need to use `700` for `~/.ssh`. There are scenarios where `755` is more appropriate. What is important is that the directory is only writable to the owner. It also does not have to be owned by the user it applies to, it has to be owned by either the user it applies to or by `root`. – kasperd Jan 08 '17 at 19:58
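As an added example (not from the question, the answer or the comments), a small POSIX shell check that applies the same ownership and permission rules sshd enforces with StrictModes on the home directory, ~/.ssh and authorized_keys: 700 and 755 both pass, while a group- or world-writable path or a foreign owner fails. It assumes `stat -c` as provided by GNU coreutils on Ubuntu; the audit loop at the end is a hypothetical usage.

```shell
# Added example, not from the post: mirror the StrictModes rules sshd applies
# before accepting a user's authorized_keys. Assumes GNU stat (Ubuntu).

# writable_by_group_or_other MODE -> 0 if the octal MODE grants g+w or o+w
writable_by_group_or_other() {
    mode=$1
    other=${mode#"${mode%?}"}          # last octal digit (others)
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # second-to-last digit (group)
    for digit in "$group" "$other"; do
        case $digit in 2|3|6|7) return 0 ;; esac   # write bit (2) set
    done
    return 1
}

# check_ssh_path PATH USER -> 0 if PATH exists, is owned by USER or root,
# and is not writable by group or others (700 and 755 both qualify)
check_ssh_path() {
    path=$1; user=$2
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "bad owner on $path: $owner (want $user or root)"; return 1
    fi
    if writable_by_group_or_other "$mode"; then
        echo "bad mode on $path: $mode (group or others may write)"; return 1
    fi
    return 0
}

# check_user_ssh USER HOME -> 0 only if HOME, HOME/.ssh and
# HOME/.ssh/authorized_keys all pass check_ssh_path
check_user_ssh() {
    user=$1; home=$2
    check_ssh_path "$home" "$user" &&
    check_ssh_path "$home/.ssh" "$user" &&
    check_ssh_path "$home/.ssh/authorized_keys" "$user"
}

# Hypothetical audit of every local account that actually has an authorized_keys:
# getent passwd | awk -F: '$6 != "" {print $1, $6}' | while read -r u h; do
#     [ -f "$h/.ssh/authorized_keys" ] || continue
#     check_user_ssh "$u" "$h" >/dev/null && echo "ok: $u" || echo "CHECK: $u"
# done
```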