-2

Is there a way for a user to ssh as a different user using ssh_keys? For example, I have hosts A, B and C.

User X SSHes from A to B as himself ( A -- as X --> B )
Now the user wants to SSH to C from B but as a different account ( Y ) B --- as Y ---> C

I have the keys stored in /home/Y/.ssh/ [id_rsa | id_rsa.pub]

Now when X is on B and runs `ssh Y@C`, will this pick the SSH key from Y? Or should the key be specified in the command with the -i flag, like `ssh Y@C -i /home/Y/.ssh/id_rsa`?

The first didn't work for me; it asked for a password. When I copied the keys to my home dir path, i.e. into /home/X/.ssh/, and gave permission, it worked.

Ideally I would like to allow anyone SSHing to B to SSH to C as Y. And I don't want to copy the key to each person's home dir. How would I go about this? Thanks.

broun

2 Answers

4

This is becoming an increasingly common misconception around ssh authorisation. Merely having a public keyfile on a remote server doesn't give anyone the ability to authenticate using the corresponding private key.

Do a man sshd and search for information about the authorized_keys file. This file, remoteserver:~remoteuser/.ssh/authorized_keys, is what remoteserver's ssh daemon consults when deciding which private key(s) to accept for inbound authentication.

You don't need to copy a private key to all the users' home directories; you need to collect copies of all the users' public keys, and put them in C:~Y/.ssh/authorized_keys, one key per line. Users can then ssh Y@C; though depending on which public keyfile they gave you (or you collected) they may need to specify the matching private key with -i /home/X/.ssh/id_rsa_relevant_private_key.

If you don't even want to do that, you should allow all (relevant) users on C to sudo /bin/su - Y; have them log in as themselves, then use sudo to change identity.

Edit following your comment below: yes, it will: but it will also make the revocation of any user's access to that account impossible, since there's only one key. It is a maintenance and security nightmare and you should not under any circumstances do it.

I made a suggestion above about sudo in case you felt as you do.

MadHatter
  • I have hundreds of users and want to enable them to SSH as Y. So I don't want them to generate a key-pair and copy each key into the authorized_keys file. So if I understand correctly, copying Y's public key into the authorized_keys file and supplying Y's private key during SSH will enable everyone to SSH as Y? – broun Aug 14 '14 at 07:30
  • @MadHatter is right. You would never want to have users share a private key. E.g. if you have a lot of users you want to give access to a server via SFTP to upload content for a web page etc., you would want to create a keypair for each user. Even if this is a lot of work, it is still less work than deploying new keys every time you want to lock a user out, not to mention the security risk. Why don't you let the users do the work and let them provide their public keys to you? You just put them all in one folder and then do `cat /path/to/key/folder/* >> /home/Y/.ssh/authorized_keys`. – Broco Aug 14 '14 at 13:33
0

SSH authorization is basically in 3 files for each user:

  • id_rsa - private key used to authorize
  • id_rsa.pub - public key
  • authorized_keys - file which contains public keys used to login

Put your X user's public key on the C server in the authorized_keys that belongs to the Y user. Remember about correct permissions!

For access without a password for all users you need their public keys. No workaround here, but copy-paste is not the best method. Use the automation tool of your choice.

PS: reading a key from another user is not secure at all. Keep things simple :)

3h4x
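The key-collection step both answers describe (one public key per line in C:~Y/.ssh/authorized_keys, with correct permissions), sketched as an added example that is not part of either answer. It assumes a drop directory of `<username>.pub` files; the function names and the allowed key-type list are illustrative choices.

```python
import base64, os, struct, tempfile
from pathlib import Path

# Assumption: key types this site accepts; adjust to local policy.
ALLOWED = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
           "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_pubkey(line):
    """Return (type, base64_blob) or None if the line is not a bare public key."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED:
        return None  # rejects private keys and lines carrying user-supplied options
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    if len(blob) < 4:
        return None
    # The blob starts with uint32 length + key type; it must match the declared type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != parts[0]:
        return None
    return parts[0], parts[1]

def build_authorized_keys(key_dir, ssh_dir):
    """Write ssh_dir/authorized_keys from key_dir/*.pub; return (accepted, rejected)."""
    accepted, rejected, seen = [], set(), set()
    for pub in sorted(Path(key_dir).glob("*.pub")):
        for line in pub.read_text().splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key = parse_pubkey(line)
            if key is None or key[1] in seen:
                rejected.add(pub.name)  # malformed, private key, or duplicate
                continue
            seen.add(key[1])
            # Comment = submitting file's name, so one user's line can be removed later.
            accepted.append(f"{key[0]} {key[1]} {pub.stem}")
    ssh_dir = Path(ssh_dir)
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                 # sshd's StrictModes rejects loose permissions
    fd, tmp = tempfile.mkstemp(dir=ssh_dir)  # mkstemp creates the file with mode 0600
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(accepted) + "\n")
    os.replace(tmp, ssh_dir / "authorized_keys")  # atomic swap, no half-written file
    return accepted, sorted(rejected)
```

Run it as Y (or chown the result to Y) so that the ownership check sshd performs also passes; revoking one user is then a matter of deleting that user's `.pub` file and rebuilding.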