How to Add Passwordless User With SSH Key Authentication

I have encountered this problem of adding a system user to access another system with only a public ssh key countless times. Every time I finish adding the user, I think this time I am going to write about it so that I don’t have to search for it in Google and go down the rabbit hole.

Goal

This post shows how to create a user without a password who can still log in using only a public key. Consider two systems, one running Ubuntu 18.04 and the other running CentOS 8. We want to create a system user with a home folder but without a password on CentOS 8, and this user must be able to log in from Ubuntu 18.04. In other words, the following command should land us on centos-8 –

testuser@ubuntu-18-04:~$ ssh centos-8

shall result in –

[testuser@centos-8:~]$

Install/Check SSH Service

Before adding the user, it’s a good idea to check whether the ssh service is running. To check the ssh service on CentOS 8 use –

[serveradmin@centos-8:~]$ sudo systemctl status sshd

This should return something like below –

● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-04-06 14:08:10 EDT; 17h ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 26375 (sshd)
    Tasks: 1 (limit: 23976)
   Memory: 6.6M
   CGroup: /system.slice/sshd.service
           └─26375 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

If the service is inactive, use the following command to start it –

[serveradmin@centos-8:~]$ sudo systemctl start sshd

Create User

At this point, we need to create the same user that exists on the other (ubuntu-18-04) system. The user name should be the same on both systems, because ssh uses the local user name by default, so a plain ssh centos-8 will log in as that user. Let’s say the user on both systems is called testuser. To create this user with a home directory and without a password use –

[serveradmin@centos-8:~]$ sudo useradd -m -s /bin/bash testuser

If the home directory needs to be a custom directory, use the -d flag as below (assuming that the custom home folder should be /usr/lib/testuser/) –

[serveradmin@centos-8:~]$ sudo useradd -m -d /usr/lib/testuser/ -s /bin/bash testuser

Once the user is created, it’s time to add the public key of the ubuntu-18-04 user to the authorized keys on centos-8.

Add Public key

Log in to ubuntu-18-04 as testuser or change user to testuser with –

serveradmin@ubuntu-18-04:~$ sudo su testuser

Move to the home folder of the user and look for the .ssh folder. If ~/.ssh is not present, a public and private key pair needs to be generated. Use the following to generate a key pair –

testuser@ubuntu-18-04:~$ ssh-keygen -t rsa -b 4096 -C "this comment can be anything to identify this key pair"

Once the key pair is in place, use the cat command to show the public key (in ~/.ssh) –

testuser@ubuntu-18-04:~/.ssh$ cat id_rsa.pub

Copy the content of this output, log back into the centos-8 system and change to testuser with –

[serveradmin@centos-8:~]$ sudo su testuser

or

[serveradmin@centos-8:~]$ su -
[root@centos-8:~]# su testuser

In the home directory there will be no .ssh directory for this user, as we did not create any key pair. From here, we can go two ways – 1. create a key pair (which also creates ~/.ssh) 2. create the directory without a key pair. Either way, now create a file called authorized_keys in ~/.ssh, paste the content that we copied earlier and save it. The file name must be exactly authorized_keys.

Change the permission

Now that the key is in place, the ~/.ssh folder and its files must have the proper ownership and permissions, otherwise sshd will ignore the key and ssh will fall back to password-based authentication. Change the ownership and permissions as below (please see the official ssh documentation if you need more info). The commands assume the default home directory /home/testuser; substitute the custom path if the user was created with -d –

[root@centos-8:~]# chown -R testuser:testuser /home/testuser
[root@centos-8:~]# chmod 700 /home/testuser/.ssh
[root@centos-8:~]# chmod 600 /home/testuser/.ssh/authorized_keys
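
The key installation and permission steps above can also be scripted and checked. The following is an added example, not part of the original post: the function names install_pubkey and audit_ssh_dir are made up for illustration, and the audit rules assume sshd's default StrictModes behaviour (paths owned by the user or root, not writable by group or others).

```shell
#!/bin/sh
# Added example (not from the original post). Function names are constructed.
# Uses GNU stat (-c), as found on CentOS and Ubuntu.

# install_pubkey HOME_DIR "PUBLIC KEY LINE"
# Creates HOME_DIR/.ssh (700) and authorized_keys (600), then appends the key
# only if that exact line is not already in the file.
install_pubkey() {
    ik_dir=$1/.ssh
    ik_file=$ik_dir/authorized_keys
    mkdir -p "$ik_dir" && chmod 700 "$ik_dir" || return 1
    touch "$ik_file" && chmod 600 "$ik_file" || return 1
    grep -qxF -- "$2" "$ik_file" || printf '%s\n' "$2" >> "$ik_file"
}

# audit_ssh_dir HOME_DIR USER_UID
# Prints one line per problem and returns 1 if any is found. Each path must
# exist, be owned by the user or root, and not be group/other writable.
audit_ssh_dir() {
    au_rc=0
    for au_p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$au_p" ]; then
            # Also catches a misspelled file name such as autorized_keys.
            echo "missing: $au_p"; au_rc=1; continue
        fi
        au_mode=$(stat -c '%a' "$au_p")
        au_uid=$(stat -c '%u' "$au_p")
        # Leading 0 makes the shell read the mode as octal.
        if [ $(( 0$au_mode & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $au_mode): $au_p"; au_rc=1
        fi
        if [ "$au_uid" -ne "$2" ] && [ "$au_uid" -ne 0 ]; then
            echo "owned by uid $au_uid, expected $2 or 0: $au_p"; au_rc=1
        fi
    done
    return $au_rc
}
```

Run install_pubkey from the testuser shell on centos-8 so the files are created with that owner, then run audit_ssh_dir /home/testuser "$(id -u testuser)" to confirm nothing is reported.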

Now if the user runs ssh centos-8 from ubuntu-18-04, they should be logged in to centos-8 directly. If public key authentication fails, try the following fix. On the centos-8 system look for sshd_config in /etc/ssh/ and enable public-key authentication – open the file (with nano/vim) –

[root@centos-8:~]# nano /etc/ssh/sshd_config

and edit –

PubkeyAuthentication yes

Restart ssh service with –

[root@centos-8:~]# systemctl restart sshd

Enjoy!