Start with creating a user:
useradd -m -d /home/username -s /bin/bash username
Create a key pair from the client which you will use to ssh from:
ssh-keygen -t dsa
Copy the public key /home/username/.ssh/id_dsa.pub onto the RedHat host into /home/username/.ssh/authorized_keys
Set correct permissions on the files on the RedHat host:
chown -R username:username /home/username/.ssh
chmod 700 /home/username/.ssh
chmod 600 /home/username/.ssh/authorized_keys
Ensure that Public Key authentication is enabled on the RedHat host:
grep PubkeyAuthentication /etc/ssh/sshd_config
#should output:
PubkeyAuthentication yes
If not, change that directive to yes and restart the sshd service on the RedHat host.
From the client start an ssh connection:
ssh username@redhathost
It should automatically look for the key id_dsa in ~/.ssh/. You can also specify an identity file using:
ssh -i ~/.ssh/id_dsa username@redhathost
Best Answer
Use of passwd -d is plain wrong, at least on Fedora, on any Linux distro based on shadow-utils. If you remove the password with passwd -d, it means anyone can log in to that user (on console or graphical) providing no password.
In order to block logins with password authentication, run passwd -l username, which locks the account making it available to the root user only. The locking is performed by rendering the encrypted password into an invalid string (by prefixing the encrypted string with an !).
Any login attempt, local or remote, will result in an "incorrect password", while public key login will still be working. The account can then be unlocked with passwd -u username.
If you want to completely lock an account without deleting it, edit /etc/passwd and set /sbin/nologin or /bin/false in the last field. The former will result in "This account is currently not available." for any login attempt.
Please refer to passwd(1) man page.
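
The difference between an emptied password (passwd -d), a locked one (passwd -l) and a disabled shell can be audited from the shadow and passwd fields. The script below is an added example, not part of either answer; the function name classify_accounts, the state labels and all sample accounts and hashes are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (not real hashes). On a real host, pass the
# contents of /etc/shadow and /etc/passwd instead (reading shadow needs root).
SAMPLE_SHADOW='alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
carol:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
dave:!!:19000:0:99999:7:::
svc:*:19000:0:99999:7:::'

SAMPLE_PASSWD='alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
svc:x:1004:1004::/home/svc:/sbin/nologin'

# classify_accounts SHADOW_TEXT PASSWD_TEXT
# Prints one line per shadow entry: "<user> <password state> <shell state>"
#   EMPTY   second shadow field is empty (the state passwd -d leaves behind)
#   LOCKED  field starts with '!' (passwd -l) or '*': no password can match
#   SET     a usable password hash is present
#   NOLOGIN last passwd field is /sbin/nologin or /bin/false, otherwise SHELL
classify_accounts() {
    { printf '%s\n' "$2"; printf '%s\n' '---'; printf '%s\n' "$1"; } |
    awk -F: '
        $0 == "---" { in_shadow = 1; next }          # separator between files
        !in_shadow  { shell[$1] = $7; next }         # remember login shell
        {
            if ($2 == "")            pw = "EMPTY"
            else if ($2 ~ /^[!*]/)   pw = "LOCKED"
            else                     pw = "SET"
            if (shell[$1] == "/sbin/nologin" || shell[$1] == "/bin/false")
                sh = "NOLOGIN"
            else
                sh = "SHELL"
            print $1, pw, sh
        }'
}

classify_accounts "$SAMPLE_SHADOW" "$SAMPLE_PASSWD"
```

Any account reported as EMPTY with SHELL is the case the answer above warns about; a LOCKED account can still be reached with a public key listed in its authorized_keys.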