作为我的后续行动以前的问题,我决定创建本地用户帐户如下。
adduser --system --no-create-home USERNAME
现在,我希望本地用户能够使用ssh.根据我的理解,ssh工作原理如下。
假设我有 2 台机器(比如说α和贝塔)。
- 从α机器:
ssh user@beta - 阿尔法的公钥将出现
~/.ssh/authorized_keys在贝塔机器。 - 阿尔法的私钥将出现
/~/.ssh在α机器。
现在我已经计划实施没有家为用户。所以假设我adduser进入贝塔没有任何用户的家的机器,我仍然能够 ssh 进入吗贝塔从α?
答案1
~/.ssh/sshd只是用于查找传入用户的公钥的默认位置。您可以sshd通过修改AuthorizedKeysFile中的指令来 配置要查找的位置和文件/etc/ssh/sshd_config。我的目前看起来像:
AuthorizedKeysFile %h/.ssh/authorized_keys
手册sshd_config页提供了更多细节:
AuthorizedKeysFile
Specifies the file that contains the public keys that can be used for user authentication. The format is
described in the AUTHORIZED_KEYS FILE FORMAT section of sshd(8). AuthorizedKeysFile may contain tokens of
the form %T which are substituted during connection setup. The following tokens are defined: %% is
replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is
replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute
path or one relative to the user's home directory. Multiple files may be listed, separated by whitespace.
The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
请注意,sshd用户authorized_key文件的权限非常特殊。如果您设置此选项并遇到登录问题,您需要密切关注日志。
答案2
AuthorizedKeysFile您可以创建一个无家可归用户分组并为其设置特定位置。
您只需要添加几行即可/etc/ssh/sshd_config/:
Match group homeless
AuthorizedKeysFile /etc/ssh/authorized-keys/%u
(%u是一个ssh 配置令牌在运行时扩展为本地用户名)
然后创建用户密钥:
sudo -u <username> bash -c "ssh-keygen -t ecdsa -b 256 -f /etc/ssh/authorized-keys/<username> -q -N ''"