On Fri, Sep 23, 2016 at 04:41:00PM +0000, Stephan Beck wrote:
> Thank you very much, Tomás.
glad to help.

[...]

> But once my user's (in your terminology, steph's) public key is in the
> test account's authorized_keys file, user steph can log in without
> superpowers, by presenting the private part of the key (well ssh-agent
> does it, if I understand things correctly), can't I?

That's how it's supposed to work (strictly speaking it doesn't present the private part of the key, but just a *proof* that it is in control of said private part, which the host account (test) can check). The ssh-agent is just in charge of keeping unlocked private keys around so that you only have to unlock them with your passphrase once per session.

> My great mistake was to think that localhost, although being on the same
> machine, acts as a somewhat separated server and for that reason the
> public keys of all users have to be deposited physically, in a sort of
> directory structure within localhost (not in the user's directory), as it
> is the case on a remote server. But, as Greg made very clear, I'm
> already on the same machine. That was the conceptual mistake I made.

Exactly: the authorized_keys is a per-account thing, meaning "whoever has the private key corresponding to *this* public key is allowed to log in as me". Note that you can even restrict what commands are allowed for each private key -- a "backup" user would only be allowed to invoke a specific backup script at login, for example.

> > (the chown just in case authorized_keys didn't exist before).

[...]

> > - creating the user's home directory from a prepared skeleton
> > already containing an "authorized_keys" as you need it
>
> Ah, that would be fine, but I guess, this time it has to be the hard
> way, by typing, without prepared skeletons.

And it would only make sense if you go "industrial", as in "every user on this box shall allow the user "backup" to invoke the per-user backup script" or some such. I haven't needed that. Just a copy (or an ssh-copy-id, if at the beginning the password access is available).
Regards
-- t
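The per-key command restriction mentioned in the reply, as an added shell example that is not code from the thread: `restrict_key` turns a plain public-key line into an authorized_keys entry pinned to one forced command with forwarding and pty disabled, and `backup_wrapper` is the shape of forced command that honours only the backup script and refuses anything else the client asks for. The script path `/usr/local/bin/per-user-backup` and the key line are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the key below are constructed.
BACKUP_SCRIPT=/usr/local/bin/per-user-backup   # assumed location of the script

# restrict_key PUBKEY_LINE COMMAND
# Takes a line as found in id_ed25519.pub ("type blob [comment]") and
# prints the authorized_keys entry that forces COMMAND and disables
# forwarding and pty allocation, so the key is useful for nothing else.
restrict_key() {
    pubkey_line=$1
    cmd=$2
    set -- $pubkey_line           # split into type, blob, optional comment
    keytype=$1; keyblob=$2; comment=${3:-}
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s%s\n' \
        "$cmd" "$keytype" "$keyblob" "${comment:+ $comment}"
}

# backup_wrapper ORIGINAL_COMMAND
# Body of the forced command. In real use the argument is
# "$SSH_ORIGINAL_COMMAND", which sshd sets to whatever the client asked
# for. Only an empty request (plain "ssh backup@host") or the backup
# script itself is honoured; everything else is refused with status 1.
backup_wrapper() {
    case "$1" in
        ""|"$BACKUP_SCRIPT")
            echo "would run: $BACKUP_SCRIPT"
            return 0 ;;
        *)
            echo "refused: $1" >&2
            return 1 ;;
    esac
}

# Usage: generate the entry for a constructed key, then show the wrapper
# accepting a bare login and refusing an interactive shell request.
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlobForExample steph@localhost'
restrict_key "$KEY" "$BACKUP_SCRIPT"
backup_wrapper ""
backup_wrapper "/bin/sh -i" || true
```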