When you need to set up a user account to give a user shell access to the system, the only logical choice of login tool is OpenSSH. With SSH keys, all you need from the user is his SSH public key, and all he needs from you is the IP address or hostname with which to log in. Usually, this is sufficient.
In some cases, the user may need to know what his own password is. If he needs to use Sudo, he will need to authenticate with a password. Ideally, this information would be given via phone or encrypted e-mail, but more often than not, the password itself is handed out via plain-text e-mail.
The ideal situation would be to create the user account, obtain the user's public SSH key (which can be sent unencrypted as it does an attacker no good in and of itself), and generate a random password for the user to change once he logs into the system. This is all easily accomplished.
For the user, this is very easy. To create the private/public keypair, simply execute:
$ ssh-keygen -t dsa
You would then have him send the ~/.ssh/id_dsa.pub file. Server-side, things become more interesting, but certainly not difficult. First, you create the user account:
# useradd -c "Joe User" -s /bin/bash -m joe
# openssl rand -base64 6 | tee -a ~joe/.password | passwd -stdin joe
This will create the user joe, assign it a random password, and store the same password in ~joe/.password, where joe will be able to see it.
If you lock down accounts via /etc/ssh/sshd_config, remember to allow joe access to the system by adding:
Also, ensure that PasswordAuthentication is set to no as well, to force all logins to use public keys.
Finally, be sure to copy the id_dsa.pub key to the user's home directory and give appropriate ownership and permissions:
# mkdir ~joe/.ssh
# chmod 700 ~joe/.ssh
# cp id_dsa.pub ~joe/.ssh/authorized_keys
# chmod 600 ~joe/.ssh/authorized_keys
# chown -R joe:joe ~joe/.ssh
And that's all there is to it. Now the user can log in using his SSH private key and can access Sudo or whatever else may require an actual system password for authentication.
Delivered each Tuesday, TechRepublic's free Linux NetNote provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!
Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.