Template:USJ New SSH Users

Adding new SSH users

  • On the server, create a second user account (that guest users can use for SSH purposes) with a password dissimilar to any other passwords (such as myjauntyguestpassword):
sudo useradd -m myjaunty00guest
sudo passwd myjaunty00guest
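sudo mkdir /home/myjaunty00guest/.ssh
# The guest must own the directory to upload a key into it; mode 700 keeps other local users out.
sudo chown myjaunty00guest: /home/myjaunty00guest/.ssh
sudo chmod 700 /home/myjaunty00guest/.ssh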
  • Allow OpenSSH Password Authentication temporarily. Edit the OpenSSH configuration file:
sudo gedit /etc/ssh/sshd_config
and temporarily allow Password-based Authentication by changing the line:
PasswordAuthentication no
to
PasswordAuthentication yes
then restart the OpenSSH server:
sudo /etc/init.d/ssh restart

From the new Linux user's client computer:

ssh-keygen
scp -P 22199 ~/.ssh/id_rsa.pub myjaunty00guest@myjaunty00.dyndns.org:~/.ssh/id_rsa.pub
When prompted, enter the guest password (myjauntyguestpassword).
  • Back on the server (logged in as the administrator jauntyadmin00), turn off the OpenSSH Password Authentication again:
sudo gedit /etc/ssh/sshd_config

Change the line:

PasswordAuthentication yes
to
PasswordAuthentication no
then restart the OpenSSH server:
sudo /etc/init.d/ssh restart

It is then usually best (for security reasons) to change the guest password to something completely different:

sudo passwd myjaunty00guest
  • Copy the new id_rsa.pub key to the myjaunty00admin folder and concatenate it to the authorized_keys file there:
sudo cp /home/myjaunty00guest/.ssh/id_rsa.pub /home/jauntyadmin00/.ssh/id_rsaguest.pub
sudo chown -R jauntyadmin00 /home/jauntyadmin00
cd ~/.ssh
cat id_rsaguest.pub >> authorized_keys

Note: this new /home/jauntyadmin00/.ssh/authorized_keys file should also be copied to /home/client9260/.ssh/authorized_keys and /home/text9260/.ssh/authorized_keys as detailed in the subsequent OpenVistA EHR section.

  • If Windows-based PuTTY SSH users are to be added to the system, then see this tutorial. The SSH keys must be tweaked to be used with OpenSSH, copied to the server, and then concatenated to the authorized_keys file in a similar fashion.
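
The concatenation step above appends a file taken from a directory the guest account can write to onto the administrator's authorized_keys. The shell function below is an added example, not part of the original page: it applies syntactic checks (regular file, a single line, a known key type with no leading options, no duplicate) before appending. The function name, return codes and sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: vet a guest-supplied public key before appending it.
# Return codes: 0 = appended, 1 = rejected, 2 = key already present.
add_pubkey() {
    pub=$1; auth=$2
    # The upload directory is writable by the guest, so refuse symlinks.
    if [ -L "$pub" ] || [ ! -f "$pub" ]; then
        echo "reject: not a regular file" >&2; return 1
    fi
    # Exactly one non-empty line: one key per upload, nothing after it.
    if [ "$(grep -c . "$pub")" -ne 1 ]; then
        echo "reject: expected exactly one key line" >&2; return 1
    fi
    line=$(grep . "$pub")
    ktype=${line%% *}; rest=${line#* }; blob=${rest%% *}
    # First field must be a key type. This rejects private keys and lines
    # that begin with options (command=, from=, ...), which only the
    # administrator should set.
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "reject: unexpected first field" >&2; return 1 ;;
    esac
    # Second field must be base64; SSH public key blobs start with "AAAA".
    case $blob in
        AAAA*[!A-Za-z0-9+/=]*) echo "reject: malformed key blob" >&2; return 1 ;;
        AAAA*) ;;
        *) echo "reject: malformed key blob" >&2; return 1 ;;
    esac
    # Skip keys that are already authorized.
    if [ -f "$auth" ] && grep -qF -- "$blob" "$auth"; then return 2; fi
    # Make sure the existing file ends with a newline, then append.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    printf '%s\n' "$line" >> "$auth"
    chmod 600 "$auth"
}

# Demo in a scratch directory; the key below is constructed, not a real key.
demo() {
    d=$(mktemp -d)
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealKey0000000000000 guest@client'
    printf '%s\n' "$key" > "$d/good.pub"
    printf 'command="/usr/bin/id" %s\n' "$key" > "$d/opts.pub"
    for f in good opts good; do
        rc=0; add_pubkey "$d/$f.pub" "$d/authorized_keys" || rc=$?
        echo "$f.pub -> $rc"
    done
    rm -rf "$d"
}
demo
```

These checks are syntactic only; before appending, compare the fingerprint printed by `ssh-keygen -l -f id_rsaguest.pub` with the one the guest reports from their own machine.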