Centralize authorized_keys file on Linux / Unix system

Authorized_keys are important files which has the information of public keys for public key authentication. By default location is ~/.ssh/authorized_keys. Here, ~ is users default home directory in system.
While working on SSH, we got requirement to centralize the authorized_keys of all users existing in system. In most of the system for SSH we use the OpenSSH package. Hence, the default location for SSH config file is /etc/ssh/sshd_config .
Centralizing the authorized_keys for all users is quite easy. We believe you already have some experience on public and private ssh key pairs, because for access user need SSH private key.

Step 1: List the users name exist in system

Gather the information of existing users from /etc/passwd file . Make a list of users to whom you want to give access in system with SSH key authentication method.
For example , I found some valid users from system like –
joe
mike
Joseph

Step 2 : Create a new directory

Create a new directory inside /etc/ssh . This we will use this directory for placing all users keys.
mkdir -p /etc/ssh/KEYS

Step 3: Edit the sshd_config file

Now we will edit the sshd_config file. We will edit AuthorizedKeysFile parameter in /etc/ssh/sshd_config file.
First take backup of /etc/ssh/sshd_config file. In case, if something goes wrong we can revert back by copying the backup file to original.
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.$(date +%F).backup
Quickly checking if AuthorizedKeysFile parameter exist in file.
egrep -v '^#|^$' /etc/ssh/sshd_config |grep AuthorizedKeysFile
If AuthorizedKeysFile parameter exist in system then edit in below given format or otherwise add below given line in /etc/ssh/sshd_config
AuthorizedKeysFile  /etc/ssh/KEYS/%u

Step 4: Create directories matches with user name

Create directories matches with user name whose authorized_keys file you want to centralize.
For root user , now we will centralize authorized_keys. Follow the given below steps 
mkdir -p /etc/ssh/KEYS/root
chown root:root /etc/ssh/KEYS/root
chmod  755 /etc/ssh/KEYS/root
touch /etc/ssh/KEYS/root/authorized_keys
chmod 644 /etc/ssh/KEYS/root/authorized_keys
chown root:root /etc/ssh/KEYS/root/authorized_keys
Get the public key content and paste in /etc/ssh/KEYS/root/authorized_keys file.
For reference, the ssh public key appear like this. Please take it as an example only.
ssh-key

Set centralized authorized_keys for all users
Just as we have completed in above steps, almost same step you have to follow for all users. For example, our user name is mike . Let’s set authorized_keys file for mike
mkdir -p /etc/ssh/KEYS/mike
chown mike:mike /etc/ssh/KEYS/mike
chmod  755 /etc/ssh/KEYS/mike
touch /etc/ssh/KEYS/mike/authorized_keys
chmod 644 /etc/ssh/KEYS/mike/authorized_keys
chown mike:mike /etc/ssh/KEYS/mike/authorized_keys
Get the public key content for user called mike and paste in /etc/ssh/KEYS/mike/authorized_keys file.
Same steps follow for each users. In case, you are good in scripting you can easily achieve this by using for..loop .

Step 5: Now reload the ssh service

In CentOS 7 / RHEL 7
systemctl reload sshd
In CentOS 6 / RHEL 6
service sshd reload
In Ubuntu / Debian 
sudo service ssh reload

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

My Zabbix database size increased a lot in the last few months and since my disk was running out space, I decided to clean up the old events from the database. Looking at the database tables, the biggest one was  history_uint , which holds the items history data – over 400 millions of records and over 30 Gb of disk space before the clean up. Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the  history_uint  table and then just replace the old table with a new one. Since this is not an offical procedure, use it at your own risk. Environment: Zabbix v2.2 MySql 5.1 – InnoDB with  innodb_file_per_table=ON Step 1 – Stop the Zabbix server Step 2 – Open your favourite MySQL client and create a new table CREATE TABLE  history_uint_new  LIKE  history_uint; Step 3 – Insert the latest records from the  history_uint  table to the  history_uint_new table First you need to de
Đọc thêm

Configuring DHCP Relay service on the FortiGate unit

Configuring DHCP Relay service on the FortiGate unit If the clients are configured to obtain a IP address using DHCP relay, configure the FortiGate server as below: To configure DHCP relay on the FortiGate unit   1. Go to System > Network > Interfaces and select Interface want to configure DHCP relay.   2. Enable DHCP Server in the interface and choose Advanced   3. For Mode, select Relay.   4. In Type select Regular.   5. Select OK.   6. If a router is installed between the FortiGate unit and the DHCP server, define a static route to the DHCP server. Note : Sometimes it is required to specify more than one DHCP relay IP, to allow for the coverage of additional LAN subnets. Although the Web Based Manager (GUI) does not provide an option to configure this, it is possible to set up to 8 IPs from the CLI.       config system interface             edit <REQUIRED_INTERFACE_HERE>               set dhcp-relay-ip <FIRST_IP> <SECOND_IP> ....<EIGHTH_IP&
Đọc thêm

Stuxnet Trojan - Memory Forensics with Volatility | Part I

Hình ảnh
Stuxnet could be the first advanced malware. It is thought that it was developed by the United States and Israel to attack Iran's nuclear facilities. It attacked Windows systems using a zero-day exploit and It was focused on SCADA systems in order to  affect critical infrastructures... Also, it may be spread from USB drivers. It is necessary a squad of highly capable programmers with depth of knowledge of industrial processes and an interest in attacking industrial infrastructure to develop this malware. Kaspersky Lab concluded that the sophisticated attack could only have been conducted "with nation-state support" and a study of the spread of Stuxnet by Symantec says that it was spread to Iran (58.85%), Indonesia (18.22%), India (8.31%), Azerbaijan (2.57%).... Thanks to Malware Cookbook we can download a memory dump from an infected host with this malware in the URL below:  http://www.jonrajewski.com/data/Malware/stuxnet.vmem.zip Ok, let’s go. We are going to analyze i
Đọc thêm