We are running CentOS 6.9 with OpenSSH_5.3p1 and created chrooted accounts for external users with the same home directory (mounted to htdocs). Problem is that the file .ssh/authorized_keys2 is owned by the first user (and this works already). How can I make it work for another user?
I tried to add an AuthorizedKeysFile in sshd_config with multiple file paths and I got the error "garbage at end of line".
I tried to add an AuthorizedKeysFile in sshd_config in the match block of the second user and I got the error "'AuthorizedKeysFile' is not allowed within a Match block".
I cannot change the home directory because otherwise the path is different from the real path for development.
Any suggestions how to solve it?
Do I have to upgrade OpenSSH to a newer version that supports multiple entries for AuthorizedKeysFile (I think I would have to build it with rpm)? What about security updates afterwards?
Best Answer
One option is to use tokens to give each user a unique authorized_keys file. From man sshd_config:
Emphasis mine.
So you can set:
Then for user foo create an authorized_keys file .ssh/foo_authorized_keys.
A note on permissions
From man sshd:
So you may need to stick your keys outside .ssh/, or else set StrictModes to no. If you set StrictModes to no, make sure another user can't create an authorized_keys for someone else, or delete the other user's authorized keys. Probably best off doing something like: create a directory .ssh_foo/ for user foo that only foo can read/write.
You can choose if you want to also allow .ssh/authorized_keys by using
This will allow the "normal" form of authorized_keys to still work, and an authorized_keys file must be owned by your user and have correct permissions or it will be ignored. Still consider that it should not be possible to create an authorized_keys file for another user, which could just mean touching the file as root so it's empty.
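The per-user layout the answer suggests, worked through as an added shell example (this is not code from the question or the answer, and not an OpenSSH project script). It assumes the AuthorizedKeysFile %u token, which sshd expands to the login name and which OpenSSH 5.3 already understands; the user name foo and the home path /var/www/htdocs in the demo are hypothetical. Besides creating the .ssh_USER/authorized_keys file with the right ownership and modes, it emulates the walk sshd performs under StrictModes yes (file and every directory up to and including the home must belong to the user or root and must not be group- or world-writable), so a key file can be checked before sshd silently ignores it. One caveat on the answer's last point: listing a second path on AuthorizedKeysFile to keep .ssh/authorized_keys working as well needs OpenSSH 5.9 or later, which is exactly why 5.3 reports "garbage at end of line".

```shell
#!/bin/sh
# Added example: one authorized_keys per user inside a shared home directory,
# selected by sshd's %u token. Names and paths in the demo are hypothetical.

# The sshd_config line that makes sshd look in HOME/.ssh_<login>/authorized_keys.
# (%u is the login name, %h the home directory; a relative path is taken from %h.)
authorized_keys_directive() {
    printf 'AuthorizedKeysFile .ssh_%%u/authorized_keys\n'
}

# The path sshd will open for USER under HOME with the directive above.
keys_path() {  # keys_path HOME USER
    printf '%s/.ssh_%s/authorized_keys\n' "$1" "$2"
}

# Create the per-user directory and key file the way StrictModes wants them:
# directory 0700, file 0600, owned by USER (chown only works when run as root).
# A subshell keeps the restrictive umask from leaking into the caller.
install_user_key() {  # install_user_key HOME USER "PUBKEY LINE"
    (
        umask 077
        dir="$1/.ssh_$2"
        mkdir -p "$dir"
        printf '%s\n' "$3" >> "$dir/authorized_keys"
        chmod 700 "$dir"
        chmod 600 "$dir/authorized_keys"
        if [ "$(id -u)" -eq 0 ]; then chown "$2" "$dir" "$dir/authorized_keys"; fi
    )
}

# Owner of a path as ls reports it (third column of ls -l).
path_owner() { ls -ld "$1" | awk '{print $3}'; }

# Succeed when PATH is writable by neither group (6th mode char) nor others (9th).
not_gw_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w?) return 1 ;;
        *) return 0 ;;
    esac
}

# Emulate sshd's StrictModes test on FILE: the file and each directory up to and
# including HOME must be owned by USER or root and must not be group/world
# writable. Prints the first offending path and returns 1, as sshd would then
# refuse to use the file.
strict_modes_ok() {  # strict_modes_ok HOME USER FILE
    home=$1; user=$2; p=$3
    while :; do
        owner=$(path_owner "$p")
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "bad owner $owner: $p"
            return 1
        fi
        if ! not_gw_writable "$p"; then
            echo "group/world writable: $p"
            return 1
        fi
        [ "$p" = "$home" ] && return 0
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Demo with hypothetical values; it only prints, it does not touch the filesystem.
authorized_keys_directive
keys_path /var/www/htdocs foo
```

Put the printed directive into sshd_config, restart sshd, then run install_user_key for each external account with that user's public key line. Because every account gets its own directory that only it (and root) can write, no chrooted user can plant or delete another user's keys, which is the risk the answer warns about when StrictModes is turned off.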