authman is a locked-down user with no password-based access:
authman:*:990:0::0:0:SSH Key Manager:/opt/var/db/authman:/bin/sh
The home directory of authman contains the authorized_keys file that is
required to access the server from another machine, plus the files that
will be handed out to clients: a per-user file such as
authorized_keys.u_dms, or a per-host file such as authorized_keys.h_akeno.
:~authman/.ssh#ls -l
-rw------- 1 authman wheel 397 Jul 15 20:36 authorized_keys
-rw------- 1 authman wheel 6667 Jul 15 21:03 authorized_keys.h_akeno
-rw------- 1 authman wheel 1838 Jul 15 21:07 authorized_keys.h_kodi
-rw------- 1 authman wheel 6667 Jul 15 20:37 authorized_keys.u_dms
To manage the public keys, I use an additional directory that holds all
required public keys, together with a simple script (like this one:
ssh_manager.py) that builds the per-host authorized_keys files.
:~authman/keys#ls -l
-rw------- 1 root wheel 394 Jul 15 21:37 id_dsamersov_rsa.pub
-rw------- 1 root wheel 394 Jul 15 21:38 id_ssamersova_rsa.pub
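The ssh_manager.py script itself is not on this page; what follows is an added example, not the author's script, showing one way to assemble the per-host authorized_keys.h_<host> files from such a keys directory. The sample .pub contents and the host-to-key mapping (HOST_KEYS) are constructed assumptions and the key blobs are synthetic. It goes one step beyond the text: every line is parsed, and the key type written on the line is checked against the type embedded in the base64 blob, so a truncated or mis-edited key is rejected before it is copied to every client.

```python
import base64
import struct

KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _fake_blob(wire_type: str, payload: bytes) -> str:
    """Synthetic base64 blob whose first SSH string is wire_type (not a usable key)."""
    return base64.b64encode(_ssh_string(wire_type.encode()) + _ssh_string(payload)).decode()

# Constructed stand-in for the files in ~authman/keys (file name -> .pub contents).
SAMPLE_KEYS = {
    "id_dsamersov_rsa.pub": "ssh-rsa " + _fake_blob("ssh-rsa", bytes(40)) + " dsamersov@akeno",
    "id_ssamersova_rsa.pub": "ssh-rsa " + _fake_blob("ssh-rsa", b"\x01" * 40) + " ssamersova@kodi",
    "id_broken.pub": "ssh-rsa " + _fake_blob("ssh-ed25519", bytes(32)) + " declared type is wrong",
}
# Assumed host -> key mapping; the page does not show how ssh_manager.py selects keys.
HOST_KEYS = {"akeno": ["id_dsamersov_rsa.pub", "id_ssamersova_rsa.pub"], "kodi": ["id_dsamersov_rsa.pub"]}

def parse_pubkey(line: str) -> tuple:
    """Validate one .pub line and return (type, base64 blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KNOWN_TYPES:
        raise ValueError("expected '<known type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError(f"blob is not valid base64: {exc}") from None
    # The blob is a series of length-prefixed SSH strings; the first one names the key type.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    wire_type = blob[4:4 + n].decode("ascii", "replace")
    if n == 0 or n > len(blob) - 4 or wire_type != ktype:
        raise ValueError(f"line says {ktype!r} but blob says {wire_type!r}")
    return ktype, b64, parts[2] if len(parts) == 3 else ""

def build_host_file(key_names, keys) -> str:
    """Assemble the authorized_keys.h_<host> text for one host, listing each key once."""
    lines, seen = [], set()
    for name in key_names:
        ktype, b64, comment = parse_pubkey(keys[name])  # refuses a bad key instead of shipping it
        if b64 not in seen:
            seen.add(b64)
            lines.append(f"{ktype} {b64} {comment or name}\n")
    return "".join(lines)

if __name__ == "__main__":
    for host, names in HOST_KEYS.items():  # in ~authman, write these to .ssh/ with mode 0600
        print(f"authorized_keys.h_{host}:\n{build_host_file(names, SAMPLE_KEYS)}")
```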
In the /root/.ssh directory of a client we have:
akeno:.ssh#ls -l
-rwx------ 1 root root 332 Jul 15 21:16 authorized_keys_cmd.sh
-rw------- 1 root root 151 Jul 15 21:12 config
-rw------- 1 root root 1823 Jul 15 20:39 id_authman_rsa
The ssh config file:
Host mircat.net home.mircat.net
User authman
IdentityFile ~/.ssh/id_authman_rsa
authorized_keys_cmd.sh is the script that acts as the agent. Mine
implements one-hour caching, but a one-liner also works fine. The name of
the user attempting to log in is passed to the script as a parameter by sshd.
#!/bin/sh
# Run by sshd through AuthorizedKeysCommand; sshd requires this file to be
# owned by root and not writable by group or others. $1 is the login name
# (newer sshd only passes it when AuthorizedKeysCommand is given %u); the
# key list here is selected per host, so it is recorded but not used.
user="nobody"
hostname=`hostname`
[ -n "$1" ] && user="$1"
cache=~/.ssh/authorized_keys.${hostname}_tmp
# Reuse the cached copy if it was fetched less than an hour ago
fn=`find ~/.ssh -name "authorized_keys.${hostname}_tmp" -mmin -60`
if [ -z "${fn}" ]
then
    # Fetch into a temporary file and rename it, so a failed transfer keeps
    # the previous cache instead of serving an empty key list (BatchMode
    # stops scp from hanging on a prompt while sshd waits).
    scp -q -o BatchMode=yes "authman@home.mircat.net:~/.ssh/authorized_keys.h_${hostname}" "${cache}.new" \
        && mv "${cache}.new" "${cache}"
fi
cat "${cache}"
After testing the script locally, we finally modify the
/etc/sshd_config file and add the following lines:
AuthorizedKeysCommand /root/.ssh/authorized_keys_cmd.sh
AuthorizedKeysCommandUser root