Home / server / Questions / 330227
Accepted
kolypto
Asked: 2011-11-12 12:15:07 +0800 CST

System-wide authorized_keys

  • 772

SSH auth by RSA-key: ~/.ssh/authorized_keys. Okay.

Is there a way to set a system-wide authorized key so I can login to any account, including the newly created ones?

The reason: i've got a server and am the only admin. User accounts are used to isolate web-sites from each other just in case any of them is hacked.

I use SFTP and create new accounts often, thus, i'm tired of copying ~/.ssh/authorized_keys :)

linux ssh ssh-keys

3 Answers

  1. Best Answer

    To login to ANY account?

    As an administrator, it should be sufficient for you to login as yourself, and then sudo to the account, but ONLY if necessary.

    This approach is a serious security issue, as if that single key that you have for all accounts is stolen, then your system is fully compromised.

    I feel there are ethical considerations as you are not identifying yourself in any way that you are acting for the owner. Files might be personal. If one is not all that ethical, one could send emails as the account owner and it would not be traceable.

    • 7

  2. On most Linux systems, the /etc/skel directory is used to populate the home directory of any new account. If you add a .ssh directory with your authorized_keys file to /etc/skel then you will be able to login to any new account.

    For existing accounts, you can write a script to add your key to all of the authorized_keys files on the system.

    • 4

  3. Yes this is a generally bad idea to do because of security or ethical or organizational reasons but it is quite do-able by only modifying configuration files. The sshd_config(5) manpage has this to say about the AuthorizedKeysFile option:

     AuthorizedKeysFile
         Specifies the file that contains the public keys used for user
         authentication.  The format is described in the AUTHORIZED_KEYS
         FILE FORMAT section of sshd(8).  Arguments to AuthorizedKeysFile
         accept the tokens described in the TOKENS section.  After expan‐
         sion, AuthorizedKeysFile is taken to be an absolute path or one
         relative to the user's home directory.  Multiple files may be
         listed, separated by whitespace.  Alternately this option may be
         set to none to skip checking for user keys in files.  The default
         is ".ssh/authorized_keys .ssh/authorized_keys2".

    So all you have to do is set a line like this at the bottom of your /etc/ssh/sshd_config:

    AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /usr/local/etc/universal_authorized_keys

    And then populate the /usr/local/etc/universal_authorized_keys file with your personal SSH key(s) either manually or through some configuration management. You will have to restart sshd, of course.

    • 4