ssh restrictions for user authentication
RHEL 6.8, i have a user locally authenticated and not entirely certain if that user has setup key based logins already from another node to connect to the node in question.
I'm thinking of regenerating the ssh keys for the user in order to prevent him from logging in using the previously setup keys.
I have "root" access to the node. What's the best way forward to restrict the key based login that would have been set but to keep the same account for other services which we currently use the account for.
By default, the list of keys that a user can use to log in to any particular node is stored in $HOME/.ssh/authorized_keys on the node being logged into.
The private key that the user uses to make connections is stored in the node which originates the connection.
If you want to prevent a user logging in using a particular key, you can simply remove it from their authorized_keys file. But be aware that the user can always put it back themselves, if they can log in to that node or otherwise access that file. You can also change the path to the authorized keys file by setting AuthorizedKeysFile in /etc/ssh/sshd_config to a file which the user cannot access. But keep in mind that this will apply to all users.
As for determining how a user authenticated, that information is in your log file /var/log/secure. For example:
# grep Accepted /var/log/secure
Nov 26 03:13:46 www sshd[13925]: Accepted password for user1 from 203.0.113.242 port 3481 ssh2
Nov 26 03:20:22 www sshd[14216]: Accepted publickey for dev2 from 198.51.100.21 port 64386 ssh2: RSA SHA256:...omitted...
If you want to control which keys are used for login you should control the file listing the authorized keys, so you should not let users control it. Instead of mucking with files in users directories, you should use the appropriate ssh configuration items that would work, such as:
-
AuthorizedKeysCommand: a program acting as a filter on keys to be used -
AuthorizedKeysFile: file in which to get keys authorized to use, you can specify an absolute path, outside of user controlled directories
Also, not understanding 100% of your use case, but you may have a look at certificates instead of keys because with certificates you can provide a validity period and make sure that some credentials will expire. See the -V option of ssh-keygen.
The user can edit her own authorized_keys file so, whatever changes you make can be undone. To prevent that, you can change the authorized_keys file to be read-only for the user then change the directory and file attributes to make them immutable. This will prevent the user from making changes to the authorized keys file but still allow her to login.
Steps
- Remove any keys that you don't want the user to user from the user's ~/.ssh/authorized_keys file.
- Add the new public key that you generated to the file
- chmod the authorized_keys file to 400 (readable only by owner)
- chattr +i the authorized_keys file (make it immutable so the user cannot change the privileges back to edit it)
- chattr +i the .ssh directory
e.g assume username is "hogan" and logged in as root:
#cd ~hogan/.ssh
#vim authorized_keys
[ do your edits and save ]
#chmod 400 authorized_keys
#chattr +i authorized_keys
#cd ..
#chattr +i .ssh