RHEL 6.8. I have a user locally authenticated and I am not entirely certain whether that user has already set up key-based logins from another node to connect to the node in question.
I'm thinking of regenerating the SSH keys for the user in order to prevent him from logging in using the previously set up keys.
I have "root" access to the node. What's the best way forward to restrict the key-based login that would have been set up, but keep the same account for the other services which we currently use the account for?
By default, the list of keys that a user can use to log in to any particular node is stored in $HOME/.ssh/authorized_keys on the node being logged into. The private key that the user uses to make connections is stored on the node which originates the connection.

If you want to prevent a user logging in using a particular key, you can simply remove it from their authorized_keys file. But be aware that the user can always put it back themselves, if they can log in to that node or otherwise access that file. You can also change the path to the authorized keys file by setting AuthorizedKeysFile in /etc/ssh/sshd_config to a file which the user cannot access. But keep in mind that this will apply to all users.

As for determining how a user authenticated, that information is in your log file /var/log/secure. For example:

If you want to control which keys are used for login, you should control the file listing the authorized keys, so you should not let users control it. Instead of mucking with files in users' directories, you should use the appropriate ssh configuration items that would work, such as:
AuthorizedKeysCommand: a program acting as a filter on the keys to be used
AuthorizedKeysFile: the file from which to get the keys authorized for use; you can specify an absolute path, outside of user-controlled directories
Also, not understanding 100% of your use case, but you may have a look at certificates instead of keys, because with certificates you can provide a validity period and make sure that some credentials will expire. See the -V option of ssh-keygen.

The user can edit her own authorized_keys file, so whatever changes you make can be undone. To prevent that, you can change the authorized_keys file to be read-only for the user, then change the directory and file attributes to make them immutable. This will prevent the user from making changes to the authorized keys file but still allow her to log in.
Steps
e.g. assume the username is "hogan" and you are logged in as root:
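As an added example (not from any of the answers above), here is a small POSIX shell script illustrating the first answer's point that /var/log/secure records how each login was authenticated: it lists a user's accepted SSH logins by method and source host, which also tells you which node holds the matching private key. The log lines are constructed samples in the RHEL 6 sshd format; in real use point the functions at /var/log/secure (the default when no file is given).

```shell
#!/bin/sh
# Added example: audit how a user has been authenticating to sshd.
# Usage: audit_ssh_logins <user> [logfile]   (logfile defaults to /var/log/secure)

# Print "<method> <source-ip> <month> <day> <time>" for each accepted login of
# $1 found in $2. sshd logs "Accepted <method> for <user> from <ip> port <n> ssh2";
# fields are located relative to "Accepted" so newer formats with a trailing
# fingerprint are handled as well.
audit_ssh_logins() {
    user="$1"
    log="${2:-/var/log/secure}"
    grep -E "sshd\[[0-9]+\]: Accepted [a-z/-]+ for ${user} from " "$log" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i == "Accepted") print $(i+1), $(i+5), $1, $2, $3 }'
}

# Number of accepted public-key logins for user $1 (0 if none).
count_key_logins() {
    audit_ssh_logins "$1" "$2" | awk '$1 == "publickey"' | wc -l | tr -d ' '
}

# Distinct hosts from which $1 logged in with a key: these are the nodes that
# hold the private key matching an entry in the user's authorized_keys.
key_login_sources() {
    audit_ssh_logins "$1" "$2" | awk '$1 == "publickey" { print $2 }' | sort -u
}

# Constructed sample log (hostnames, users and addresses are made up).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 09:12:01 node1 sshd[4112]: Accepted publickey for hogan from 10.0.0.5 port 51234 ssh2
Mar  3 09:15:44 node1 sshd[4190]: Accepted password for hogan from 10.0.0.9 port 51300 ssh2
Mar  3 09:20:10 node1 sshd[4233]: Failed password for hogan from 10.0.0.9 port 51310 ssh2
Mar  3 10:02:37 node1 sshd[4501]: Accepted publickey for hogan from 10.0.0.5 port 51980 ssh2
Mar  3 10:05:00 node1 sshd[4550]: Accepted publickey for alice from 10.0.0.7 port 52001 ssh2
EOF

# Demo on the sample: hogan has 2 key-based logins, all from 10.0.0.5.
echo "key logins for hogan: $(count_key_logins hogan "$SAMPLE_LOG")"
echo "from hosts: $(key_login_sources hogan "$SAMPLE_LOG" | tr '\n' ' ')"
```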