4

I want to speed up creation of user accounts on some Linux VMs that I am creating, and wondered if I could simplify the process of writing to the new user's ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 file.

My manual process is, approximately (logged in as the new user):

ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
touch ~/.ssh/authorized_keys
chmod go-rwx ~/.ssh/authorized_keys
echo '... me@machine' >> ~/.ssh/authorized_keys

Is there any way, with a Bash command, a standard GNU command, or any program easily installed on Ubuntu, to condense the touch, chmod, and echo into one command?

Part of the reason I would like to reduce it to one command is so that I can make a shell script that I can run as the initial sudo-capable user on the VM.

Something like:

sudo su - me -c 'ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa'
echo '... me@machine' | sudo su - me -c 'xyz 0600 ~/.ssh/authorized_keys'

Where xyz is the hypothetical command that creates, sets permissions, and writes the file all in one fell swoop.

amacleod
  • 207
  • Looks like maybe http://unix.stackexchange.com/questions/47178/can-files-be-created-with-permissions-set-on-the-command-line can help me. – amacleod Jan 20 '15 at 15:31
  • 1
    You can do echo '...' >> somefile without touch directly. To avoid using chmod set appropriate rights for the directory via umask or setfacl – Costas Jan 20 '15 at 15:37
  • @Costas, you are right, I can write the file first and then change its permissions. I will probably do that. Changing the directory permission would not reduce the number of commands, but only change the order. – amacleod Jan 20 '15 at 15:47
  • You change acl only one time but script can be invoked many times. – Costas Jan 20 '15 at 15:58
  • Ok. I am less familiar with umask. It is a built-in Bash command, right? Is setfacl from a different shell? If I want to only set umask for specific files, I think I should do it as Stéphane described, in a compound command, yes? – amacleod Jan 20 '15 at 16:47
  • You can read about access right utilities here. As for umask, yes, the command sets the file mode creation mask just for the calling process, so see Stéphane's answer. – Costas Jan 20 '15 at 17:03
  • Not 100% related but because I found your question first when searching I'll link to my answer here: https://unix.stackexchange.com/a/573371/46158 – laktak Mar 17 '20 at 12:31

5 Answers

18

Note that

touch ~/.ssh/authorized_keys
chmod go-rwx ~/.ssh/authorized_keys
echo '... me@machine' >> ~/.ssh/authorized_keys

offers no benefit over:

echo '... me@machine' >> ~/.ssh/authorized_keys
chmod go-rwx ~/.ssh/authorized_keys

Permissions are checked upon opening a file, not upon reading or writing to it.

So it doesn't matter whether you do the chmod before or after adding the content. Someone could still open the file before you do the chmod but wait for you to add content before reading it.

Here you want to make sure the file has the right permissions from the start:

sudo -Hu user sh -c '
  umask 077 && printf "%s\n" "$1" >> ~/.ssh/authorized_keys
' sh "$key user@host"

-H forces $HOME to be set to user's home directory (even on systems where sudo is configured not to do that by default), so that the sh it spawns expands ~ to that directory. You could also use ~user instead of ~.

2

I use the one-liner below to populate a newly created account with existing keys. It could easily be adapted to append the content of an existing file.

sudo -Hu user /bin/sh -ec 'umask 077; mkdir -p -- ~/.ssh; cat > ~/.ssh/authorized_keys' <<EOF
ssh-rsa AAAA...AA user@example.com
EOF
Andrey
  • 121
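The two answers above share one idea: set the umask first so ~/.ssh and authorized_keys are created with the right mode from the start, rather than fixed up afterwards. The script below is an added example, not code from either answer; it wraps that idea in a function that also skips keys already present (so the provisioning script can be run repeatedly, as Costas's comment suggests), and it uses a scratch directory standing in for the target user's home so it runs without sudo. The key line is a constructed placeholder, not a real key, and mode_of assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the answers): append a public key to a user's
# authorized_keys with permissions correct from the moment of creation.
# The function body is a subshell, so the restrictive umask does not leak
# into the caller. Usage: add_authorized_key <home-dir> <public-key-line>
add_authorized_key() (
    umask 077                      # new dirs become 700, new files 600
    home=$1 key=$2
    mkdir -p -- "$home/.ssh" || return 1
    file=$home/.ssh/authorized_keys
    # Exact-line match: do not append a key that is already authorized.
    if [ -f "$file" ] && grep -qxF -- "$key" "$file"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
)

# Octal mode of a path (GNU stat; BSD stat would need -f '%Lp').
mode_of() {
    stat -c '%a' -- "$1"
}

# Number of key lines currently in a user's authorized_keys (0 if absent).
key_count() {
    [ -f "$1/.ssh/authorized_keys" ] && grep -c . "$1/.ssh/authorized_keys" || echo 0
}

# Constructed demo input: a scratch "home" and a placeholder key line.
scratch=$(mktemp -d)
sample_key='ssh-ed25519 AAAAC3PLACEHOLDERKEYDATA me@machine'

add_authorized_key "$scratch" "$sample_key"
add_authorized_key "$scratch" "$sample_key"      # second run is a no-op

echo ".ssh mode:            $(mode_of "$scratch/.ssh")"                   # 700
echo "authorized_keys mode: $(mode_of "$scratch/.ssh/authorized_keys")"   # 600
echo "keys on file:         $(key_count "$scratch")"                      # 1
# The scratch directory is left in place so the result can be inspected.
```

Note that mkdir -p leaves an existing ~/.ssh untouched, so if the directory already exists with loose permissions this does not tighten it; umask only governs what the script itself creates.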
0

You might look into ssh-copy-id

Reference: 3 Steps to Perform SSH Login Without Password Using ssh-keygen & ssh-copy-id

HalosGhost
  • 4,790
DannyK
  • 162
  • 1
    These links might be very helpful, but it is also strongly encouraged for answerers to in-line the most helpful bits of information from a given source link. – HalosGhost Jan 20 '15 at 20:36
0

For your specific example this is the best I could do.

ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa -y > ~/.ssh/authorized_keys && chmod 0600 ~/.ssh/authorized_keys

An important option was the -y flag for ssh-keygen which allows the public key to be printed to stdout which avoids two steps of creating and reading a file.

To create, set permissions, and write from an existing file you can use the install command

install -m 0600 ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

The downside to the install command is that it does not work with redirection from stdout, meaning you have to copy the contents of an entire file.

  • That would suffer from the same gap between file creation and permission change as my original, right? I ended up using umask as Stéphane suggested. – amacleod Dec 09 '16 at 20:51
0

Actually, install can help here:

install -m 600 /dev/null ~/.ssh/authorized_keys

will replace the combination of touch and chmod.

And then

ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

will add that key to the authorized_keys. Add sudo where needed.

stimur
  • 141