How do you create an SSH key for another user?


Solution 1

You could do that with ssh-keygen; however, remember that the private key is meant to be private to the user, so you should be very careful to keep it safe, as safe as the user's password. Or even safer, as the user is not likely to be required to change it upon first login.

ssh-keygen -f anything creates two files in the current directory. anything.pub is the public key, which you could append to the user's ~/.ssh/authorized_keys on any destination server.

The other file, just called anything, is the private key and therefore should be stored safely for the user. The default location would be ~username/.ssh/id_rsa (here named id_rsa, which is the default for rsa keys). Remember that the .ssh directory cannot be readable or writeable by anyone but the user, and the user's home directory cannot be writeable by anyone but the user. Likewise, permissions must be tight on the private key, as well: Read/write for only the user, and the .ssh directory and private keyfile must be owned by the user.

Technically you could store the key anywhere. With ssh -i path/to/privatekey you could specify that location, while connecting. Again, proper ownership and permissions are critical and ssh will not work if you don't have them right.

Solution 2

There's no user information in the SSH keys.

Last field in a public key is a comment (and can be changed by running the following command ssh-keygen -C newcomment).

No need to do anything special to make a key for another user, just put it in the right location and set permissions.
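
As an added example (not part of either answer above): POSIX shell functions that put a public key in the right location for another user and then check the ownership and mode rules listed in Solution 1. The function names are hypothetical, `stat -c` assumes GNU coreutils or BusyBox, and the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not from the answers. Function names are hypothetical.

# install_pubkey HOME_DIR PUBKEY_FILE [OWNER]
# Append PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys with tight permissions.
install_pubkey() {
    home=$1; pub=$2; owner=${3:-}
    ssh_dir=$home/.ssh; auth=$ssh_dir/authorized_keys
    # Field 2 is the base64 key blob; field 3 is only a free-text comment.
    blob=$(awk '{print $2; exit}' "$pub")
    [ -n "$blob" ] || { echo "no key blob in $pub" >&2; return 1; }
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth" || return 1
    chmod 600 "$auth" || return 1
    # Make sure the file ends in a newline so the new key gets its own line.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    # Append only if this blob is not authorized yet (the comment is ignored).
    grep -qF -- "$blob" "$auth" || cat "$pub" >> "$auth"
    # Handing the files to OWNER needs root; skipped when OWNER is not given.
    if [ -n "$owner" ]; then chown -R "$owner" "$ssh_dir" || return 1; fi
}

# audit_ssh_perms HOME_DIR EXPECTED_UID [PRIVATE_KEY]
# Print every problem found; return 0 only when there is none.
audit_ssh_perms() {
    home=$1; uid=$2; key=${3:-$home/.ssh/id_rsa}
    bad=0
    mode=$(stat -c %a "$home") || return 2
    case $mode in   # write bit set in the group or other digit
        *[2367]?|*[2367]) echo "$home: mode $mode is group/other writable"; bad=1 ;;
    esac
    for p in "$home/.ssh" "$key"; do
        [ -e "$p" ] || continue
        mode=$(stat -c %a "$p"); who=$(stat -c %u "$p")
        case $mode in   # both trailing digits must be 0: no group/other access
            0|*00) ;;
            *) echo "$p: mode $mode grants group/other access"; bad=1 ;;
        esac
        [ "$who" = "$uid" ] || { echo "$p: owned by uid $who, expected $uid"; bad=1; }
    done
    return $bad
}

# Typical use as root (joeuser is the account name used in Solution 3):
#   install_pubkey /home/joeuser anything.pub joeuser
#   audit_ssh_perms /home/joeuser "$(id -u joeuser)"
```

Because the duplicate check compares only the key blob, installing the same key again under a different comment does not add a second line.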

Solution 3

Become the user by using su and run the key as that user:

[root@kvm0001 ~]# su - joeuser
[joeuser@kvm0001 ~]$ ssh-keygen -t dsa (or rsa1 or rsa, depending on your security requirements)
Generating public/private dsa key pair.
Enter file in which to save the key (/home/joeuser/.ssh/id_dsa):

Solution 4

As seen here, you can use chmod to change the read permissions of the folder of the user you want to add the SSH key to.

vim /home/username/.ssh/authorized_keys

Then, simply paste the key to a new line at the bottom of that file

Author: user962449

Updated on September 18, 2022

Comments

  • user962449
    user962449 over 1 year

    I'm trying to create an ssh key for another user. I'm logged in as root. Can I just edit the files generated by ssh-keygen and change root to the user I want?

    • Admin
      Admin over 12 years
      If you generate the key for the user you also have to have a secure method of getting the private key and its passphrase to the user. Much better the user generate the key and then just email you the public key.
    • Admin
      Admin almost 11 years
      But isn't that difficult if you don't allow password logins? If I am key-only, and I set up a new user, they can't log in to set up their key.
    • Admin
      Admin over 3 years
      I don't have enough rep to make an answer, so I made a gist which is a small script to create a user, generate an ssh-key, copy that public key to ~/.ssh/authorized_keys and then zip it to send to them. gist.github.com/robmsmt/b8300e7a0d711a7616e948a8232289a5
  • mailq
    mailq over 12 years
    +1 for expressing that it is a private(!) key
  • Rilindo
    Rilindo over 12 years
    You are assuming that the user is a real person. If the login is a non-interactive user utilized to perform utility tasks (e.g. running maine scripts on remote servers), then yes, you would probably generate the key for that user manually. Of course, that has its own security implications, but that's another story.
  • Ram
    Ram over 12 years
    Why specify the DSA?
  • Rilindo
    Rilindo over 12 years
    Whoops, force of habit. Let me update.
  • Shadur
    Shadur over 12 years
    @Rilindo ssh -i to a private key for a non-privileged process is how I handle more than a few automated rsync backup processes. :)
  • User
    User over 8 years
    users or user's
  • simonalexander2005
    simonalexander2005 over 8 years
    note also that -f just creates a file with that name - as @Alex says in his answer, there is no user information in SSH keys
  • Peter Green
    Peter Green over 8 years
    You should be using rsa (or possibly one of the elliptic curve variants). dsa is limited to insecure keysizes. rsa1 is a legacy format for ssh1 which no one should be using anymore.
  • sebnukem
    sebnukem almost 8 years
    That's the correct answer.
  • FreeSoftwareServers
    FreeSoftwareServers over 7 years
    I just tested and confirmed, not only is it just a comment, but it can be removed and keys still function. I always thought it mattered! Thanks for giving the correct answer. Like the comments above, I have a reason for creating keys for other users, but I won't say why, so there's no argument.
  • Nyxynyx
    Nyxynyx over 6 years
    Link is dead...
  • Rilindo
    Rilindo over 6 years
    @JonathanLeaders You would specify the shell for the user when becoming that user. Something like this:

    ```
    [root@ip-10-254-41-211 ~]# grep ftp /etc/passwd
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    [root@ip-10-254-41-211 ~]# su - ftp
    su: warning: cannot change directory to /var/ftp: No such file or directory
    This account is currently not available.
    [root@ip-10-254-41-211 ~]# su -s /bin/bash ftp
    bash-4.2$ whoami
    ftp
    bash-4.2$
    ```
  • Jonathan
    Jonathan over 6 years
    @Rilindo You can use pastebin.com for this sort of issue, sorry for the inconvenience
  • Hobin C.
    Hobin C. over 3 years
    This username in the public key makes me think that username is encoded into the public key and the public key will be invalid if changing the username. Thanks a lot.