
Thread: SSH key authentication

  1. #1
    Join Date
    Nov 2009
    Posts
    333

    SSH key authentication

    Hello,
    I want to set up an SSH server which only allows authentication by DSA or RSA key and thus prevents password connections. I know how to implement this, but I have a question: how will users be able to put their public key in their "authorized_keys" if they are denied access to their accounts from outside? Should they ask an admin to put their public key in their "authorized_keys"? Or is it the admin who generates the key pair, sends it to the user and makes the necessary changes in the "authorized_keys"? Thank you in advance.
    Last edited by Linux-Us; 21-12-2009 at 02:36 PM.

  2. #2
    Join Date
    Apr 2008
    Posts
    3,339

    Re: SSH key authentication

    Hi
    In any case you can ask the admin to generate the key pair! This is contrary to the very foundations of security. It would be like asking the admin to generate a password of 20 characters including numbers, letters and symbols, set it as the users' password and prevent them from changing it. It avoids brute forcing, but the security level is zero, because your users will be compelled to note something somewhere; moreover, they did not hand over development, and so the admin necessarily knows their key. So it is necessarily the user who generates their own keys.
    From that moment, I only see 3 solutions:
    1. Allow standard user/password login for a certain period (e.g. one week), with a notice at each connection that the user must put a key in authorized_keys to be able to connect after this period. At the end of the period, disable password access.
    2. Write a script (Perl, PHP, ksh ...) that can update a key remotely in one way or another.
    3. Leave FTP access open somewhere (with a user can). Users will upload a <login>_authorized_keys file, and a script scans the files and updates the files of each user based

  3. #3
    Join Date
    Nov 2009
    Posts
    333

    Re: SSH key authentication

    Hey,
    Thank you for your answers. However, I do not understand how the fact that the administrator creates the key forces the user to note anything down. A key is a single file that is in their .ssh/. However, I agree that this is not a great method; normally users have their own personal key (a single one or a small number).

  4. #4
    Join Date
    Apr 2008
    Posts
    3,339

    Re: SSH key authentication

    Hello
    However, I do not understand how the fact that the administrator creates the key forces the user to note anything down.
    In general, a key is associated with a pass phrase for extra security. If you need any more information then please do post back.

  5. #5
    Join Date
    Jan 2006
    Posts
    3,792

    Re: SSH key authentication

    Hi
    In general, a key is associated with a pass phrase for extra security.
    Usually what we see in the real world:
    1. If the SSH key is used frequently by a human, the password becomes a nuisance and ultimately users invent ways for it to be given automatically via, for example, expect scripts or other tools (especially if said user needs to connect to many different machines), and this password is thereby stored in clear text somewhere in the system.

    2. If the SSH key must be used for automated tasks, the password becomes a hindrance and so is either not used at all or is bypassed by the same means of automation.

    Having a password on an SSH key is useful if you travel with your keys on a removable device (e.g. USB key, laptop ...) that can easily be lost or stolen. If you want to further increase security, you can specify, server-side, the IP addresses from which the different keys can connect (by range if you log in from dynamic addresses), and then use from="*" for the keys protected by a password.
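
An added example, not part of the original posts: a Python check that could sit in the kind of key-update script suggested in post #2 and enforce the from= restriction described in post #5. It verifies that a submitted authorized_keys line carries well-formed key data of the stated type and reports whether a from= option limits where the key may be used; the function names, the key-type list and the sample lines are constructed for illustration.

```python
import base64, binascii, struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def split_outside_quotes(text, seps):
    """Split text on separator characters that are not inside double quotes."""
    parts, quoted = [""], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("")
        else:
            parts[-1] += ch
    return [p for p in parts if p]

def audit_line(line):
    """Classify one authorized_keys line: invalid, unrestricted or restricted."""
    fields = split_outside_quotes(line.strip(), " \t")
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx > 1 or idx + 1 >= len(fields):
        return ("invalid", "no recognised key type followed by key data")
    keytype, options = fields[idx], (fields[0] if idx == 1 else "")
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])  # length of the embedded type name
    except (binascii.Error, struct.error):
        return ("invalid", "key data is not a valid SSH key blob")
    if blob[4:4 + n] != keytype.encode():
        return ("invalid", "key type does not match key data")
    patterns = None
    for opt in split_outside_quotes(options, ","):
        name, _, value = opt.partition("=")
        if name.lower() == "from":
            patterns = value.strip('"').split(",")
    if patterns is None or "*" in patterns:
        return ("unrestricted", "usable from any address")
    return ("restricted", ",".join(patterns))

def sample_blob(keytype):
    """Constructed key data: correct type header, dummy body (not a real key)."""
    t = keytype.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + bytes(32)).decode()

SAMPLE = [  # constructed lines, not taken from the thread
    f'from="192.0.2.0/24,198.51.100.7" ssh-rsa {sample_blob("ssh-rsa")} alice@office',
    f'from="*" ssh-dss {sample_blob("ssh-dss")} alice@laptop',
    f'ssh-rsa {sample_blob("ssh-rsa")} backup-job',
    f'ssh-rsa {sample_blob("ssh-dss")} mismatched',
]
```

Calling audit_line on each entry of SAMPLE gives one restricted key, two unrestricted keys and one rejected line whose declared type does not match its key data.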

  6. #6
    Join Date
    Apr 2008
    Posts
    3,339

    Re: SSH key authentication

    Hi
    Certainly, but it is better to use key + password than a key alone or a password only; that was the purpose of my remark. Of course, short of using biometrics, ordinary users will always tend to choose a weak password, but the fact of associating a key with it somewhat reduces the risk.
