I want to add a user to Red Hat Linux that will not use a password for logging in, but instead use a public key for ssh. This would be on the command line.
- useradd --password-disable and adduser --password disable. I've looked at the options for both and don't see password disable as an option for either. – user119776 Jun 17 '15 at 10:45
- Do you know how to set up an ssh key login in general? I think the account just needs to not be locked, which would imply that there is some password active. It can be some long password that no one actually knows. – Micah Yoder Jun 17 '15 at 10:53
- I have the key and know that I need to create the folder under user's directory and paste public portion there. I can try that way, but thought that I needed to disable the user password too. – user119776 Jun 17 '15 at 10:56
- Rather than make another post showing you how to add a user, I agree with Lambert. You need to focus specifically on the part of this task you are having trouble with. If you don't know how to even add a user, you should start small and work your way up. I believe you only need to create the user, don't set any password, and put their key in /home/username/.ssh/authorized_keys. – Baazigar Jun 17 '15 at 18:06
4 Answers
Start with creating a user:

```sh
useradd -m -d /home/username -s /bin/bash username
```

Create a key pair from the client which you will use to ssh from:

```sh
ssh-keygen -t rsa
```

Copy the public key /home/username/.ssh/id_rsa.pub onto the RedHat host into /home/username/.ssh/authorized_keys

Set correct permissions on the files on the RedHat host:

```sh
chown -R username:username /home/username/.ssh
chmod 700 /home/username/.ssh
chmod 600 /home/username/.ssh/authorized_keys
```

Ensure that Public Key authentication is enabled on the RedHat host:

```sh
grep PubkeyAuthentication /etc/ssh/sshd_config
# should output:
# PubkeyAuthentication yes
```

If not, change that directive to yes and restart the sshd service on the RedHat host.

From the client start an ssh connection:

```sh
ssh username@redhathost
```

It should automatically look for the key id_rsa in ~/.ssh/. You can also specify an identity file using:

```sh
ssh -i ~/.ssh/id_rsa username@redhathost
```
- Actually I did not forget about the password lock. Since I simply did not set it, the password of the newly created user is automatically locked. – Lambert Jun 18 '15 at 05:53
- You realize the "ssh-keygen -t dsa" command will create keys for the current user; it might replace your own keys. – yarun can Jun 25 '18 at 00:18
- Use `ssh-keygen -t ed25519` instead since this is the most recommended public-key algorithm available today. – Frank Groot May 24 '22 at 08:41
- I made the mistake of thinking "into `authorized_keys`" meant that `authorized_keys` was a folder. It's actually a file! Hopefully this helps someone. – Aaron Franke Oct 14 '22 at 04:05
On Ubuntu you can add the user with:

```sh
adduser --disabled-password <username>
```

Then create a .ssh/authorized_keys file in their home directory with their public key.
You could use:

```sh
usermod --lock <username>
```

From the man page:
Lock a user's password. This puts a '!' in front of the encrypted password, effectively disabling the password. You can't use this option with -p or -U. Note: if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1.
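Complete script (<SSH_PUB_KEY> is in the format of ssh-rsa …):

```sh
NEW_USER=newuser
# Create the account without a usable password (Debian/Ubuntu adduser).
sudo adduser --disabled-password "$NEW_USER"
# Run the remaining steps as the new user, starting in their home directory.
# (An interactive `sudo -i -u` would pause a script here until that shell exits.)
sudo -H -u "$NEW_USER" sh -c '
  cd &&
  mkdir -p .ssh &&
  chmod 0700 .ssh &&
  echo "<SSH_PUB_KEY>" > .ssh/authorized_keys &&
  chmod 600 .ssh/authorized_keys
'
```
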
I was looking for a script that I can fearlessly run creating a new user with proper SSH permissions, so if you do too, I believe this should help you :)
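
A way to verify the result of the steps in the answers above, added here as an example and not written by any of the posters: it classifies the account's password field (the '!' prefix quoted from the usermod man page counts as disabled) and checks that `.ssh` is a directory with mode 700 and `authorized_keys` a regular file with mode 600, both owned by the user. The function names and output strings are this example's own, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example. File locations are arguments, so the checks can be run
# against a scratch copy as well as /etc/shadow and a real home directory.

# Classify a user's password field (2nd field of a shadow-format file):
#   disabled - starts with '!' or '*', so no typed password can match
#   empty    - no password is required at all
#   set      - a usable password hash is present
#   missing  - the user has no entry in the file
shadow_state() {  # usage: shadow_state <shadow-file> <user>
    awk -F: -v u="$2" '
        $1 == u { found = 1
                  if ($2 == "") print "empty"
                  else if ($2 ~ /^[!*]/) print "disabled"
                  else print "set"
                  exit }
        END { if (!found) print "missing" }' "$1"
}

# Check type, mode and owner of ~/.ssh (directory, 700) and
# ~/.ssh/authorized_keys (regular file, 600). Prints one line per problem
# and returns non-zero if any was found. Uses GNU stat (-c).
check_ssh_dir() {  # usage: check_ssh_dir <home-dir> <user>
    rc=0
    for item in "d:.ssh:700" "f:.ssh/authorized_keys:600"; do
        kind=${item%%:*}; rest=${item#*:}
        path="$1/${rest%%:*}"; want=${rest##*:}
        if ! test "-$kind" "$path"; then
            echo "TYPE $path is missing or not of type '$kind'"; rc=1; continue
        fi
        mode=$(stat -c %a "$path"); owner=$(stat -c %U "$path")
        [ "$mode" = "$want" ] || { echo "MODE $path is $mode, want $want"; rc=1; }
        [ "$owner" = "$2" ] || { echo "OWNER $path is $owner, want $2"; rc=1; }
    done
    return "$rc"
}

# Key-only goal from the question: password disabled and key files in order.
audit_key_only_user() {  # usage: audit_key_only_user <shadow-file> <home-dir> <user>
    state=$(shadow_state "$1" "$3")
    echo "password field: $state"
    [ "$state" = disabled ] && check_ssh_dir "$2" "$3"
}
```

On a live host this would be run as root, for example `audit_key_only_user /etc/shadow /home/username username`.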