Ssh – Add a user without password but with SSH and public key

authenticationpasswordsshuseradd

I want to add a user to Red Hat Linux that will not use a password for logging in, but instead use a public key for ssh. This would be on the command line.

Best Answer

Start with creating a user:

useradd -m -d /home/username -s /bin/bash username

Create a key pair from the client which you will use to ssh from:

ssh-keygen -t dsa

Copy the public key /home/username/.ssh/id_dsa.pub onto the RedHat host into /home/username/.ssh/authorized_keys

Set correct permissions on the files on the RedHat host:

chown -R username:username /home/username/.ssh
chmod 700 /home/username/.ssh
chmod 600 /home/username/.ssh/authorized_keys

Ensure that Public Key authentication is enabled on the RedHat host:

grep  PubkeyAuthentication /etc/ssh/sshd_config
#should output:
PubkeyAuthentication yes

If not, change that directive to yes and restart the sshd service on the RedHat host.

From the client start an ssh connection:

ssh username@redhathost

It should automatically look for the key id_dsa in ~/.ssh/. You can also specify an identity file using:

ssh -i ~/.ssh/id_dsa username@redhathost

Related Solutions

Ssh – setting up ssh public key

Check permissions. OpenSSH will not allow public-key authentication if a user's home directory, ~/.ssh, or ~/.ssh/authorized_keys is world writable. Also, ~/.ssh and ~/.ssh/authorized_keys should probably not be group-writable either. Leave IdentityFile at the default, it's has nothing to do with the server aspect. It points to the default private key file used by the ssh client on UNIX/Linux. ssh_config is used only by the ssh client, and not the OpenSSH sshd server. The contents of authorized_keys should be one line per public key that is authorized to log in and look something like this:

ssh-rsa AAA.../Us= My Public Key comment

Where ... is a bunch of base64 characters ([a-zA-Z/+=]). PuTTYGen can generate two forms of keys: PuTTY and OpenSSH compatible. The OpenSSH compatible will be one long line in the above format. If it's in PuTTY format, you can import it back into PuTTYGen and save as OpenSSH.

SSH – How to Unlock Account for Public Key Authorization but Not Password Authorization

Unlock the account and give the user a complex password as @Skaperen suggests.

Edit /etc/ssh/sshd_config and ensure you have:

PasswordAuthentication no

Check that the line isn't commented (# at the start) and save the file. Finally, restart the sshd service.

Before you do this, ensure that your public key authentication is working first.

If you need to do this for only one (or a small number) of users, leave PasswordAuthentication enabled and instead use Match User:

Match User miro, alice, bob
    PasswordAuthentication no

Place at the bottom of the file as it is valid until the next Match command or EOF.

You can also use Match Group <group name> or a negation Match User !bloggs

As you mention in the comments, you can also reverse it so that Password Authentication is disabled in the main part of the config and use Match statements to enable it for a few users:

PasswordAuthentication no
.
.
.
Match <lame user>
    PasswordAuthentication yes

Best Answer

Related Solutions

Ssh – setting up ssh public key

SSH – How to Unlock Account for Public Key Authorization but Not Password Authorization

Related Question