My ongoing experiences with Ubuntu, and later Mythbuntu, as a media center with MythTV. I'm also using the system for a virtual machine server, a mediawiki server and a general all around home infrastructure base.

Sunday, October 19, 2008

Creating ssh-only account

I wanted to create some accounts that could only be accessed via ssh key authentication. These would be accessed via cron jobs on another system for backing things up. Here's my process.

On the target host, create the account:
# useradd -m web-server-backup


You can verify this account has no usable password by the presence of the "!" in the second field of its /etc/shadow entry (useradd leaves the password locked unless you set one):
# grep web-server-backup /etc/shadow
web-server-backup:!:14171:0:99999:7:::


Now, back on the system that will be accessing the account, create an ssh key pair. Since this will be running unattended from cron, I will leave the passphrase empty (i.e. just hit return):
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): just hit return
Enter same passphrase again: just hit return
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d3:ac:99:5f:9c:30:69:98:ad:ab:e9:e5:ef:34:38:bf root@web-server


Copy the public key you just created into your clipboard:
# cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArh6BSw0F1Li/Oh1GbqF6uTv34P4e0Ow7NMco962aHe070vGjlyqIE3CrOU9d3/ztoL7QgalegWj7WfWQ44I8Jz0WGTzLcssYhvluaHzBp5z8QKVvmSpj39f43kAYP0b2GdUwGZL9AER72MRZSxmaybzGoVK12bPr6t18gaAWl9c3b1Ng8MFbp7vvNptfb6NwikfOaL4vTqRfNuVWv6vxaw3xfE+8iuI8ubckUCqrNfayVmfgCmxNS5o9GauHSAZdXhH1xDkZ0ikjo4SAjYz83/eyNdrwef6GTQj+FXwsaiGSpz9B0IOWt613+MhI/uoXRTO2jNzJstBcQa19GbX0Hw== root@web-server


Now on the target account, create ~/.ssh and copy the public key into ~/.ssh/authorized_keys:
# sudo -u web-server-backup -i
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ cat > ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArh6BSw0F1Li/Oh1GbqF6uTv34P4e0Ow7NMco962aHe070vGjlyqIE3CrOU9d3/ztoL7QgalegWj7WfWQ44I8Jz0WGTzLcssYhvluaHzBp5z8QKVvmSpj39f43kAYP0b2GdUwGZL9AER72MRZSxmaybzGoVK12bPr6t18gaAWl9c3b1Ng8MFbp7vvNptfb6NwikfOaL4vTqRfNuVWv6vxaw3xfE+8iuI8ubckUCqrNfayVmfgCmxNS5o9GauHSAZdXhH1xDkZ0ikjo4SAjYz83/eyNdrwef6GTQj+FXwsaiGSpz9B0IOWt613+MhI/uoXRTO2jNzJstBcQa19GbX0Hw== root@web-server
$ chmod 600 ~/.ssh/authorized_keys


Now back on the accessing account, you should be able to access the target account without a password. The first time you connect you will be prompted to accept the host key of the target system, so run the command once interactively so that the cron job later runs without a prompt.

# ssh -l web-server-backup file-server date
The authenticity of host 'file-server (192.168.1.12)' can't be established.
RSA key fingerprint is 4c:7a:f0:ba:0f:60:45:4b:b8:f1:cc:17:88:59:74:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'file-server,192.168.1.12' (RSA) to the list of known hosts.
Sun Oct 19 13:06:52 CDT 2008


Now it should work seamlessly:
# ssh -l web-server-backup file-server date
Sun Oct 19 13:08:19 CDT 2008
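The target-side steps above, rewritten as an added shell example (not from the original post) with two checks worth running afterwards: that the account's shadow entry really is locked, and that ~/.ssh and authorized_keys carry the 700/600 modes sshd's StrictModes insists on (looser modes make sshd silently ignore the key and fall back to the password prompt, which is exactly what a locked account cannot answer). The key string and the web-server-backup name are constructed placeholders.

```shell
#!/bin/sh
# Added example: target-side setup for a key-only account as reusable functions.
# Sample key and account name are constructed for illustration.

# Return 0 if a full /etc/shadow line has a locked password field ("!" or "*"),
# i.e. password login is impossible and only key authentication can succeed.
shadow_is_locked() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '!'|'*'|'!!'|'!*') return 0 ;;
        *) return 1 ;;
    esac
}

# Append one OpenSSH public key to $1/.ssh/authorized_keys, creating the
# directory and file with the modes sshd requires (700 dir, 600 file).
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    # Refuse anything that is not a single-line OpenSSH public key.
    case "$pubkey" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac
    mkdir -p "$home_dir/.ssh" || return 1
    chmod 700 "$home_dir/.ssh" || return 1
    printf '%s\n' "$pubkey" >> "$home_dir/.ssh/authorized_keys" || return 1
    chmod 600 "$home_dir/.ssh/authorized_keys"
}

# Verify the modes sshd checks; print the offending path and fail otherwise.
check_key_perms() {
    home_dir=$1
    [ "$(stat -c %a "$home_dir/.ssh")" = "700" ] \
        || { echo "$home_dir/.ssh"; return 1; }
    [ "$(stat -c %a "$home_dir/.ssh/authorized_keys")" = "600" ] \
        || { echo "$home_dir/.ssh/authorized_keys"; return 1; }
    return 0
}

# Demo against a scratch directory instead of a real home (constructed key).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYCONSTRUCTED0000000000000 root@web-server'
demo_dir=$(mktemp -d)
install_authorized_key "$demo_dir" "$SAMPLE_KEY" && check_key_perms "$demo_dir" \
    && echo "authorized_keys installed under $demo_dir with correct modes"
shadow_is_locked 'web-server-backup:!:14171:0:99999:7:::' && echo "account is locked"
rm -rf "$demo_dir"
```

On the real host you would call install_authorized_key with the account's home directory (as root or via sudo -u web-server-backup) and feed shadow_is_locked the output of grep web-server-backup /etc/shadow.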
