Generating SSH keys for multiple users?
Of course you can generate the keys for the users and give them the private keys - after all, OpenSSH doesn't know who actually generated the keys.
Technically, there is no difference at all between generating a key for yourself and generating it for another person - you just generate a pair of key files, add the public one to the user's ~/.ssh/authorized_keys file and that's it.
ssh-keygen -f <username> will generate a pair of files named <username> and <username>.pub with the private and public key.
However, doing all this beats the purpose of key-based auth as you are now also in possession of the user's private keys, which should never happen.
Admin
Updated on September 18, 2022
Comments
-
Admin over 1 year
Say, I have a server (CentOS 7) where currently I'm the only user, and have SSH key based authentication set up, it works perfectly. But what if I want to add more users (not many, say, 5 more) to the server and want to disable password-based authentication and enable key-based auth. for them, too?
Can I generate the key-pairs for them or they have to do it for themselves? If the former, how? I'm only familiar with generating the keys for myself.
Many thanks for all ideas!
-
Admin about 7 years
Thank you, this was really helpful! So after all the users should generate the keys for themselves, keeping the public keys in their respective home (and .ssh) folders?
-
FooBee about 7 years
For key based auth to work, a copy of the key must be saved in the file ~/.ssh/authorized_keys - just storing it in the home directory is not sufficient.
-
Admin about 7 years
That's what I thought (I've been using key-based auth for years but have no experience in making it work for other users but me). So how would this work? They have the keys generated, keeping it in the right folder. Can they use 'ssh-copy-id' or I'd have to do it for them as the root user?
-
FooBee about 7 years
If you completely disallow password-based login, you need to do this as root, as ssh-copy-id won't work with a password. If you allow both key-based and password-based login, users can use ssh-copy-id or similar methods.
-
Admin about 7 years
One last question, if I may: when they're done with generating the key pairs, should they use 'ssh-copy-id' to copy the key to their own '~/.ssh/authorized_keys' file or to one central file that handles all that?
-
FooBee about 7 years
It needs to be ~/.ssh/authorized_keys for the respective user.
-
Web User about 6 years
How about for a single user account on the remote server, that multiple users want to SSH into remotely? Say two more developers want to SSH into the server and they need to use their own public/private keys? Will that work if they generate their own pairs and I add each developer's public key into ~/.ssh/authorized_keys?
-
FooBee about 6 years
@WebUser: Yes, this should work.
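
An added example, not part of the original answer or comments: a shell function an administrator could run as root to install a public key that a user generated themselves into that user's ~/.ssh/authorized_keys, refusing private keys so the admin never holds them; calling it once per developer also covers several keys in one account. The function name install_pubkey, the user alice and the paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page).
# Usage as root (hypothetical user and paths):
#   install_pubkey alice.pub /home/alice alice
install_pubkey() {
    pub=$1 home=$2 owner=${3:-}
    auth="$home/.ssh/authorized_keys"

    if [ ! -r "$pub" ]; then
        echo "cannot read $pub" >&2
        return 1
    fi
    # Refuse private keys: the admin should only ever receive the .pub file.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing $pub: this is a private key" >&2
        return 1
    fi
    # Expect exactly one key per submitted file.
    if [ "$(grep -c . "$pub")" -ne 1 ]; then
        echo "refusing $pub: expected exactly one key line" >&2
        return 1
    fi
    # Let OpenSSH itself decide whether the line parses as a public key.
    if ! ssh-keygen -l -f "$pub" >/dev/null 2>&1; then
        echo "refusing $pub: not a valid public key" >&2
        return 1
    fi

    # sshd's StrictModes (on by default) refuses key files with loose permissions.
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$auth"
    chmod 600 "$auth"

    # Idempotent: match on the base64 key blob (field 2), ignoring the comment.
    blob=$(awk 'NF {print $2}' "$pub")
    if ! grep -qF -- "$blob" "$auth"; then
        awk 'NF' "$pub" >> "$auth"   # awk guarantees a trailing newline
    fi

    # When run as root, hand the files back to the account owner.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$home/.ssh"
    fi
}
```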