Below is a description of a simple, SSH-based SSO for home or small office use.
Server side:
authman is a dedicated, locked user with no password-based access (note the * in the password field of its passwd entry):
authman:*:990:0::0:0:SSH Key Manager:/opt/var/db/authman:/bin/sh
The home directory of authman contains the authorized_keys file that lets clients reach the server, plus the per-user (authorized_keys.u_dms) and per-host (authorized_keys.h_akeno) key files that are handed out to clients.
:~authman/.ssh# ls -l
-rw------- 1 authman wheel  397 Jul 15 20:36 authorized_keys
-rw------- 1 authman wheel 6667 Jul 15 21:03 authorized_keys.h_akeno
-rw------- 1 authman wheel 1838 Jul 15 21:07 authorized_keys.h_kodi
-rw------- 1 authman wheel 6667 Jul 15 20:37 authorized_keys.u_dms
To manage the public keys, I use an additional directory that holds all of them and a simple script (like this one: ssh_manager.py) that builds the per-host authorized_keys files.
:~authman/keys# ls -l
-rw------- 1 root wheel 394 Jul 15 21:37 id_dsamersov_rsa.pub
-rw------- 1 root wheel 394 Jul 15 21:38 id_ssamersova_rsa.pub
Client side:
In the /root/.ssh folder of a client we have:
akeno:.ssh# ls -l
-rwx------ 1 root root  332 Jul 15 21:16 authorized_keys_cmd.sh
-rw------- 1 root root  151 Jul 15 21:12 config
-rw------- 1 root root 1823 Jul 15 20:39 id_authman_rsa
The ssh config file:
Host mircat.net home.mircat.net
    User authman
    IdentityFile ~/.ssh/id_authman_rsa
The script that acts as the agent is authorized_keys_cmd.sh; mine implements one-hour caching, but a one-liner also works fine. sshd passes the name of the user attempting to log in to the script as its parameter.
#!/bin/sh
# sshd passes the login name as $1; this script selects the keys file by hostname.
user="nobody"
hostname=$(hostname)
[ -n "$1" ] && user=$1
# Reuse the cached copy if it is less than an hour old, otherwise fetch it again.
fn=$(find ~/.ssh -name "authorized_keys.${hostname}_tmp" -mmin -60)
if [ -z "${fn}" ]
then
    scp authman@home.mircat.net:~/.ssh/authorized_keys.h_${hostname} ~/.ssh/authorized_keys.${hostname}_tmp
fi
cat ~/.ssh/authorized_keys.${hostname}_tmp
After testing the script locally, we modify the /etc/sshd_config file and add the following lines (sshd only runs the command if the script is owned by root, not writable by group or others, and given as an absolute path):
AuthorizedKeysCommand /root/.ssh/authorized_keys_cmd.sh
AuthorizedKeysCommandUser root
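As an added example (not the script from the post), here is a variant of authorized_keys_cmd.sh that keeps serving the cached copy when the authman server cannot be reached, replaces the cache atomically, and rejects names that do not look like plain hostnames or usernames. It assumes the post's remote layout (~authman/.ssh/authorized_keys.h_<host>); KEYDIR, TTL, SERVER and the function names are mine, not the author's.

```shell
#!/bin/sh
# Added example, not the blog's own script: an AuthorizedKeysCommand helper
# that caches the per-host keys file and keeps serving the cached copy when
# the authman server cannot be reached. Assumed: the remote layout from the
# post (~authman/.ssh/authorized_keys.h_<host>), KEYDIR as cache dir, TTL in minutes.
KEYDIR="${KEYDIR:-$HOME/.ssh}"
TTL="${TTL:-60}"
SERVER="${SERVER:-authman@home.mircat.net}"

# Copy one file from the authman account to a local path (replaced in tests).
fetch_remote() {
    scp -q "${SERVER}:~/.ssh/$1" "$2"
}

# Accept only plain names: the value is spliced into a filesystem path.
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the authorized_keys for host $1. The cache is refreshed once it is
# older than TTL minutes; if the fetch fails, the stale copy is served
# instead of nothing, so a server outage does not lock every user out.
authorized_keys_for_host() {
    host="$1"
    valid_name "$host" || return 1
    cache="${KEYDIR}/authorized_keys.${host}_tmp"
    fresh=$(find "$KEYDIR" -maxdepth 1 -name "authorized_keys.${host}_tmp" -mmin "-${TTL}" 2>/dev/null)
    if [ -z "$fresh" ]; then
        tmp="${cache}.$$"
        if fetch_remote "authorized_keys.h_${host}" "$tmp" && [ -s "$tmp" ]; then
            chmod 600 "$tmp"
            mv -f "$tmp" "$cache"   # atomic replace: sshd never reads a half-written file
        else
            rm -f "$tmp"
        fi
    fi
    [ -r "$cache" ] && cat "$cache"
}

# sshd invokes the script with the login name as $1 when no arguments are
# configured; like the post, the keys file is selected by hostname.
if [ $# -gt 0 ]; then
    valid_name "$1" || exit 1
    authorized_keys_for_host "$(hostname)"
fi
```

If neither a fresh fetch nor a cached file is available the script exits non-zero, which sshd treats as "no keys" for that login attempt.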