Best practice in implementing ssh-key based authentication
by X1C from LinuxQuestions.org on (#4TB9F)
We implemented ssh-key based authentication. But what happens now is that when we add a new user, we need to edit the sshd_config file, set PasswordAuthentication=yes which allows the new user to upload the new user's public keys to /home/userX/.ssh. Then I restart the ssh service. In our case, the users are in different locations, and we don't know when they will upload their keys. That means we make our servers "vulnerable" during that time, with only the password to rely on.
After the new user uploads his/her keys, we then set PasswordAuthentication=no and restart ssh service.
Some existing users who did not upload their keys before the transition (from password based to key based authentication) also now want to upload their keys, which again means we need to "open" the server for them so that they too can upload their keys.
I am sure sysads have managed hundreds and hundreds of users, if not thousands, smoothly, but how do they do it without this kind of interruption? Is there any way to automate this process? For example, could I do something like:
(1) use key based authentication for users who have already uploaded their keys
(2) If new users are added, or for the existing users who have accounts, but who have not uploaded keys, let them copy their keys with regular password (for example, using ssh-copy-id), so that we do not make our system vulnerable by "opening" it.
(3) No need to edit sshd_config file and restart the ssh service each time.
Or... is it unavoidable?
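
One way to approximate points (1) and (2), as an added example that is not part of the original post: find the accounts that still have no key and emit an sshd_config `Match User` block that allows passwords for those accounts only. It assumes the global setting stays `PasswordAuthentication no`, that home directories are named after the user under one base directory, and that keys live in the default `.ssh/authorized_keys`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.

# users_without_keys HOME_BASE
# Print, one per line, every account directory under HOME_BASE that has
# no authorized_keys file or only an empty one.
users_without_keys() (
    base=$1
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        if [ ! -s "${dir}.ssh/authorized_keys" ]; then
            basename "$dir"
        fi
    done
)

# match_block HOME_BASE
# Print an sshd_config fragment that re-enables password logins only for
# the accounts found above. Prints nothing once everyone has a key, so
# the global "PasswordAuthentication no" then applies to all users.
match_block() (
    users=$(users_without_keys "$1" | paste -sd, -)
    if [ -n "$users" ]; then
        printf 'Match User %s\n' "$users"
        printf '    PasswordAuthentication yes\n'
    fi
)

# Typical call (commented out so the file can be sourced safely):
# match_block /home
```

Place the generated block at the end of sshd_config, check the file with `sshd -t`, and reload the service. Password logins stay closed for every account that already has a key, and regenerating the block as keys arrive shrinks the exception list until it is empty.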

