How do you create an SSH key for another user?
Solution 1
You could do that with ssh-keygen, however, remember that the private key is meant to be private to the user so you should be very careful to keep it safe - as safe as the user's password. Or even safer, as the user is not likely to be required to change it upon first login.
ssh-keygen -f anything
creates two files in the current directory. anything.pub is the public key, which you could append to the user's ~/.ssh/authorized_keys on any destination server.
The other file, just called anything, is the private key and therefore should be stored safely for the user. The default location would be ~username/.ssh/id_rsa (here named id_rsa, which is default for rsa keys). Remember that the .ssh directory cannot be readable or writeable by anyone but the user, and the user's home directory cannot be writeable by anyone but the user. Likewise, permissions must be tight on the private key, as well: Read/write for only the user, and the .ssh directory and private keyfile must be owned by the user.
Technically you could store the key anywhere. With ssh -i path/to/privatekey you could specify that location, while connecting. Again, proper ownership and permissions are critical and ssh will not work if you don't have them right.
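An added example (not part of the original answer) of the procedure Solution 1 describes: generate a key pair in another account's home directory as root, then audit the ownership and permission rules listed above. The function names, the ed25519 key type, the empty passphrase and the local authorized_keys step are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from the page.

# has_bits PATH BIT...: true if PATH has any of the given mode bits set.
has_bits() {
    t=$1; shift
    for b in "$@"; do
        [ -n "$(find "$t" -prune -perm "-$b")" ] && return 0
    done
    return 1
}

# audit_ssh_perms USER HOME: print each violation of the rules above.
audit_ssh_perms() {
    user=$1 home=$2 bad=0
    has_bits "$home" 020 002 && { echo "$home: group/other writable"; bad=1; }
    for p in "$home/.ssh" "$home/.ssh/id_ed25519"; do
        [ -e "$p" ] || { echo "$p: missing"; bad=1; continue; }
        has_bits "$p" 040 020 010 004 002 001 &&
            { echo "$p: accessible by group/other"; bad=1; }
        [ -n "$(find "$p" -prune -user "$user")" ] ||
            { echo "$p: not owned by $user"; bad=1; }
    done
    return "$bad"
}

# make_user_key USER HOME: create HOME/.ssh/id_ed25519 for USER (run as root).
make_user_key() {
    user=$1 home=$2 dir=$2/.ssh
    [ -e "$dir/id_ed25519" ] && return 1        # never overwrite a key
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # -N '' = no passphrase (service accounts); set one for human users.
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$dir/id_ed25519" || return 1
    # Authorize the public half for logins to this account on this host.
    cat "$dir/id_ed25519.pub" >> "$dir/authorized_keys"
    chmod 600 "$dir/id_ed25519" "$dir/authorized_keys"
    chmod go-w "$home"
    # Only root can hand the files over to another account.
    [ "$(id -u)" -ne 0 ] || chown -R "$user" "$dir"
}
```

Run as root, for example `make_user_key joeuser /home/joeuser && audit_ssh_perms joeuser /home/joeuser`; the audit prints nothing and returns 0 when the layout matches the rules.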
Solution 2
There's no user information in the SSH keys.
Last field in a public key is a comment (and can be changed by running the following command ssh-keygen -C newcomment).
No need to do anything special to make a key for another user, just put it in the right location and set permissions.
Solution 3
Become the user by using su and run the key as that user:
[root@kvm0001 ~]# su - joeuser
[joeuser@kvm0001 ~]$ ssh-keygen -t dsa (or rsa1 or rsa, depending on your security requirements)
Generating public/private dsa key pair.
Enter file in which to save the key (/home/joeuser/.ssh/id_dsa):
Solution 4
As seen here, you can use chmod to change the read permissions of the folder of the user you want to add the SSH key to.
vim /home/username/.ssh/authorized_keys
Then, simply paste the key to a new line at the bottom of that file
user962449
Updated on September 18, 2022
Comments
-
user962449 over 1 year
I'm trying to create an ssh key for another user. I'm logged in as root. Can I just edit the files generated by ssh-keygen and change root to the user I want?
-
Admin over 12 years
If you generate the key for the user you also have to have a secure method of getting the private key and its pass phrase to the user. Much better the user generate the key and then just email you the public key.
-
Admin almost 11 years
But isn't that difficult if you don't allow password logins? If I am key-only, and I set up a new user, they can't login to set up their key.
-
Admin over 3 years
I don't have enough rep to make an answer so I made a gist which is a small script to create a user, generate a ssh-key, copy that public key to ~/.ssh/authorized_keys and then zip it to send to them. gist.github.com/robmsmt/b8300e7a0d711a7616e948a8232289a5
-
mailq over 12 years
+1 for expressing that it is a private(!) key
-
Rilindo over 12 years
You are assuming that the user is a real person. If the login is a non-interactive user utilized to perform utility tasks (e.g. running maine scripts on remote servers), then yes, you would probably generate the key for that user manually. Of course, that has its own security implications, but that's another story.
-
Ram over 12 years
Why specify the DSA?
-
Rilindo over 12 years
Whoops, force of habit. Let me update.
-
Shadur over 12 years
@Rilindo ssh -i to a private key for a non-privileged process is how I handle more than a few automated rsync backup processes. :)
-
User over 8 years
users or user's
-
simonalexander2005 over 8 years
note also that -f just creates a file with that name - as @Alex says in his answer, there is no user information in SSH keys
-
Peter Green over 8 years
you should be using rsa (or possibly one of the elliptic curve variants). dsa is limited to insecure keysizes. rsa1 is a legacy format for ssh1 which no one should be using anymore.
-
sebnukem almost 8 years
That's the correct answer.
-
FreeSoftwareServers over 7 years
I just tested and confirmed, not only is it just a comment, but it can be removed and keys still function. I always thought it mattered! Thanks for giving the correct answer. Like the comments above, I have a reason for creating keys for other users, but I won't say why, so there's no argument.
-
Nyxynyx over 6 years
Link is dead...
-
Rilindo over 6 years
@JonathanLeaders You would specify the shell for the user when becoming that user. Something like this:
```
[root@ip-10-254-41-211 ~]# grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
[root@ip-10-254-41-211 ~]# su - ftp
su: warning: cannot change directory to /var/ftp: No such file or directory
This account is currently not available.
[root@ip-10-254-41-211 ~]# su -s /bin/bash ftp
bash-4.2$ whoami
ftp
bash-4.2$
```
-
Jonathan over 6 years
@Rilindo You can use pastebin.com for this sort of issue, sorry for the inconvenience
-
Hobin C. over 3 years
This username in the public key makes me think that username is encoded into the public key and the public key will be invalid if changing the username. Thanks a lot.