Linux service account & SSH authorized_keys
Posted by r00g@reddit | linuxadmin | 14 comments
If I create a service account for, say, automated web content updates and that account has no shell or home directory... where would you put an authorized_keys file for that user? I kind of hate creating a home directory for that sole purpose.
devnullify@reddit
Set up signed SSH keys and you won’t need an authorized_keys file.
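Added example, not code from the thread or from the commenter: what "signed SSH keys" looks like end to end for a service account, so that sshd never consults an authorized_keys file. The CA location, the account name sa-webdeploy, the principal name and the forced command are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): SSH certificate authentication for a
# service account. The CA path, the user name sa-webdeploy, the principal
# webdeploy-ci and the forced command /usr/local/bin/webdeploy are assumptions.

# One-off: create the user CA. Only user_ca.pub goes onto the servers; the
# private half stays on whatever signs keys.
make_user_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'user CA' -f "$1/user_ca"
}

# Sign a service's public key: one principal, short validity, all default
# permissions cleared (no pty, no forwarding) and a forced command, so the
# certificate can only run the deploy job. Writes <key>-cert.pub next to it.
sign_service_key() {
    dir=$1 pubkey=$2 keyid=$3 principal=$4 validity=${5:-+30d}
    ssh-keygen -q -s "$dir/user_ca" -I "$keyid" -n "$principal" -V "$validity" \
        -O clear -O force-command=/usr/local/bin/webdeploy "$pubkey"
}

# Principals embedded in a certificate, i.e. what sshd matches against the
# login name or the AuthorizedPrincipalsFile entries.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/^ *Principals:/ {p=1; next} /^ *Critical Options:/ {p=0} p {print $1}'
}

# Server side: trust the CA, and decouple the login name from the principal
# with a per-user principals file (%u) kept under /etc/ssh, not in a home dir.
write_sshd_ca_config() {
    cfg=$1 ca_pub=$2 principals_dir=$3
    cat >> "$cfg" <<EOF
TrustedUserCAKeys $ca_pub
AuthorizedPrincipalsFile $principals_dir/%u
EOF
}

# Let certificates carrying $principal log in as $user. Entries may also
# carry authorized_keys-style options, so the directory stays root-owned
# and not group/world-writable (StrictModes applies here too).
allow_principal() {
    principals_dir=$1 user=$2 principal=$3
    mkdir -p "$principals_dir"
    chmod 0755 "$principals_dir"
    printf '%s\n' "$principal" >> "$principals_dir/$user"
    chmod 0644 "$principals_dir/$user"
}
```

Source the file and call the functions in order (make_user_ca, then sign_service_key against the automation's existing public key, then write_sshd_ca_config and allow_principal on the target host). The client needs nothing special: `ssh -i deploy sa-webdeploy@host` picks up `deploy-cert.pub` automatically, and inspecting the certificate with `ssh-keygen -L -f deploy-cert.pub` shows the principal, validity window and forced command that sshd will enforce. Rotate by re-signing with a new validity window; revoke early by listing the key or serial in a KRL referenced from RevokedKeys.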
r00g@reddit (OP)
You're the first one to offer a novel solution. I'd never played with ssh certificate authentication before. Very cool; thanks for the tip!
InItForTheHos@reddit
Two suggestions for going about that:
Create a home dir and have all service users in a subdirectory of that: /home/sa/webdeploy, /home/sa/foo
or
In sshd_config:
Match User sa-webdeploy
AuthorizedKeysFile /etc/ssh/webdeploy_authorized_keys
AxisNL@reddit
Nothing wrong with home dirs for service users? At least it's stupid simple and the default.
r00g@reddit (OP)
Thanks, I might stick with this. It just seems like clutter in the /home directory for a single file per user but there really doesn't seem to be a better place.
kai_ekael@reddit
Who says home has to be in /home? Set to what makes sense. Example, /var/lib/util for user 'util'.
nekokattt@reddit
and works with anything implementing XDG standards.
roiki11@reddit
Anywhere, really. Like a folder in /opt that's owned by the user. You then need to point the sshd config to the file.
r00g@reddit (OP)
This is what I was after. Glancing over the Filesystem Hierarchy Standard, there doesn't really seem to be a good place for it. I mean, I put stuff in the wrong place all the time, like /opt/ for server-side web apps because they probably shouldn't go in /var/www.. but still I like to do right where I can.
I guess there's not any harm in creating the user directory, it just seems unnecessary for one file.
roiki11@reddit
There's really no accepted standard for where to place things in Linux. Sure, they tried that once, but it never took.
Making a home folder is just fine. I like to keep application stuff in /opt, but you have many apps that keep it in /var too.
Do what you like, basically.
th3endisneigh@reddit
This is the way I do it:
In /etc/ssh/sshd_config put AuthorizedKeysFile /etc/ssh/AuthorizedKeys/%u
And in /etc/ssh/AuthorizedKeys (you need to create it) you can put each user's ssh key. I also like to chown and chmod the file to be readable only by the user, and set the user and group to the owner of said key.
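Added example, not code from the thread or from either commenter: the two file-based approaches above (InItForTheHos's Match block and th3endisneigh's central directory under /etc/ssh) put together for an account with no home directory, plus the permission check sshd applies before it will read such a file. The account name sa-webdeploy, the key directory and the internal-sftp target directory /srv/www are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a service account with no home
# directory, whose key sits in a root-owned directory under /etc/ssh and is
# selected by a Match block. The account name sa-webdeploy, the key directory
# and the internal-sftp target directory /srv/www are assumptions.

# Create the account: no home directory, no usable shell. Needs root; every
# function below it runs unprivileged (e.g. against a temp directory).
add_service_account() {
    useradd --no-create-home --home-dir /nonexistent \
            --shell /usr/sbin/nologin --comment 'web content deploy' "$1"
}

# Drop the public key into a central, root-owned directory. Root ownership
# means the account itself cannot add keys; sshd reads the file as root.
install_authorized_key() {
    keydir=$1 user=$2 pubkey=$3
    umask 022
    mkdir -p "$keydir"
    chmod 0755 "$keydir"
    printf '%s\n' "$pubkey" > "$keydir/$user"
    chmod 0644 "$keydir/$user"
}

# Mirror sshd's StrictModes test (the default): the key file and every
# directory above it, up to $stop, must be owned by root or the user and be
# writable by nobody else. sshd stops at the user's home, or at / when the
# file is not under it, so a key file beneath a world-writable directory
# such as /tmp is rejected with "bad ownership or modes".
strictmodes_ok() {
    path=$1 user=$2 stop=${3:-/}
    while :; do
        if [ -n "$(find "$path" -prune \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]; then
            echo "bad modes for $path" >&2; return 1
        fi
        if [ -n "$(find "$path" -prune ! -user root ! -user "$user" 2>/dev/null)" ]; then
            echo "bad owner for $path" >&2; return 1
        fi
        [ "$path" = "$stop" ] || [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return 0
}

# Point sshd at that file for this user only and strip what the job does not
# need. With a nologin shell only internal-sftp can be forced: sshd runs it
# in-process, whereas any other ForceCommand goes through the user's shell.
append_match_block() {
    cfg=$1 user=$2 keyfile=$3
    cat >> "$cfg" <<EOF

Match User $user
    AuthorizedKeysFile $keyfile
    PasswordAuthentication no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -d /srv/www
EOF
}

# Syntax-check before reloading; sshd -t names the offending line.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo 'sshd not installed; skipping syntax check' >&2
    fi
}
```

Typical use on the target host, as root: add_service_account sa-webdeploy; install_authorized_key /etc/ssh/authorized_keys.d sa-webdeploy "ssh-ed25519 AAAA... deploy@ci"; strictmodes_ok /etc/ssh/authorized_keys.d/sa-webdeploy sa-webdeploy; append_match_block /etc/ssh/sshd_config sa-webdeploy /etc/ssh/authorized_keys.d/sa-webdeploy; check_sshd_config /etc/ssh/sshd_config; then reload sshd. Putting the key in a root-owned 0644 file rather than a user-owned one is a deliberate choice here: either passes StrictModes, but the former keeps a compromised automation account from enrolling further keys.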
vi-shift-zz@reddit
https://serverfault.com/questions/313465/is-a-central-location-for-authorized-keys-a-good-idea
You can customize your sshd service to look in a specified directory for keys.
grumpysysadmin@reddit
You can use a Match section to set custom things per user. For example, I override the root user’s authorized keys path on my systems.
NL_Gray-Fox@reddit
At my previous job all our users were in LDAP (including service accounts).
AuthorizedKeysCommand
https://linux.die.net/man/5/sshd_config
Alternatively you can set up AuthorizedKeysFile to point to the file.
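Added example, not code from the thread or from the commenter: the shape of an AuthorizedKeysCommand for service accounts. The key store, the sa- naming convention and the forced command are assumptions; the lookup here reads one file per account as a stand-in, and an LDAP deployment like the one described would put an ldapsearch for the account's sshPublicKey attribute in its place.

```shell
#!/bin/sh
# Added example (not from the thread): an AuthorizedKeysCommand that serves
# keys for service accounts from a central store and tags each key with
# restrictions. Store path, the sa- naming convention and the forced command
# are assumptions; the per-user file lookup stands in for an LDAP query.
#
# sshd_config:
#   AuthorizedKeysCommand /usr/local/sbin/sa-authorized-keys %u %t %k
#   AuthorizedKeysCommandUser nobody
# sshd refuses to run the script unless it is owned by root and not
# group/world-writable, and discards its output if it exits non-zero.

STORE=${SA_KEY_STORE:-/etc/ssh/sa-keys}

# Only service accounts are served. Anything else is refused outright, so a
# stray human account never picks up keys from this path.
valid_service_user() {
    printf '%s\n' "$1" | grep -Eq '^sa-[a-z0-9-]{1,31}$'
}

# Print authorized_keys lines for $1. If sshd passes the offered key type ($2)
# and base64 blob ($3), only the matching line is returned. No file means no
# keys: empty output with exit 0, which sshd treats as "nothing here".
sa_authorized_keys() {
    user=$1 ktype=${2:-} kblob=${3:-}
    valid_service_user "$user" || return 1
    f="$STORE/$user"
    [ -r "$f" ] || return 0
    while read -r type blob comment; do
        case $type in
            ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*|sk-*@openssh.com) ;;
            *) continue ;;   # blank, comment or unknown line
        esac
        if [ -n "$kblob" ] && [ "$blob" != "$kblob" ]; then
            continue
        fi
        # "restrict" turns off pty, agent/port/X11 forwarding and user rc;
        # command= pins the key to the deploy job whatever the client asks.
        printf 'restrict,command="/usr/local/bin/webdeploy" %s %s%s\n' \
            "$type" "$blob" "${comment:+ $comment}"
    done < "$f"
}

# Entry point when installed as the command; sourcing the file just defines
# the functions.
if [ $# -gt 0 ]; then
    sa_authorized_keys "$@"
fi
```

Because the options are added by the command rather than stored with the key, whoever maintains the key store (or the LDAP attribute) cannot loosen them, and changing the forced command is a one-line edit on the server. The %k filter also means sshd only ever sees the single key the client offered, which keeps logs and debugging simple for accounts with many keys.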