Channel: linuxadmin: Expanding Linux SysAdmin knowledge

Protip: Use sshd_config's AuthorizedKeys directive to centrally manage authorized ssh keys in one directory instead of doing it on a per-user basis.

So I was at work and trying to figure out why I couldn't add another coworker's public key to ~/.ssh/authorized_keys for a particular server user: ~/.ssh/authorized_keys didn't exist!

Turns out /etc/ssh/sshd_config had the line

AuthorizedKeysFile /etc/ssh/keys/%u.pub

After speaking with our operations team about this, I realized a few advantages to doing it this way:

  • Centrally managed, easy to update with either configuration management or even scp.
  • If the files are owned by root, a user can't let another unauthorized user into the system. You ensure that only the keypair you've provisioned to a machine, for example, has access to the server. If another computer needs access to your server, you can control this: few people are going to share their private keys with someone else.
  • Even if you're adding a user to one machine, it's a pain to add them, get their public key, su into that user or chown and chmod, paste their public key in their ~/.ssh folder, and review your changes.
  • Central management keeps all the pubkeys in one directory and decouples user management from user authorization.

I will definitely be doing this moving forward.

submitted by combuchan
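As an added example (not code from the post above or from OpenSSH), here is a small POSIX sh helper that provisions a key into a root-owned central directory of the kind the post describes, and refuses to do so when the directory would fail sshd's StrictModes check (sshd silently ignores an authorized keys file whose path is group- or world-writable, or owned by someone other than root or the user). The directory path, the `KEYDIR` and `KEYDIR_OWNER` environment variables, the function names and the sample key are all assumptions made for this example; the key is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: install a user's public key into a central, root-owned
# directory matching `AuthorizedKeysFile /etc/ssh/keys/%u.pub` in sshd_config.
# KEYDIR / KEYDIR_OWNER are hypothetical overrides so the script can be
# exercised against a scratch directory without root.
KEYDIR="${KEYDIR:-/etc/ssh/keys}"

# is_pubkey_line LINE: 0 if LINE looks like "<type> <base64> [comment]" for a
# key type OpenSSH accepts. Option-prefixed lines (from=..., command=...) are
# deliberately rejected; this is a cheap sanity check, not a full parser.
is_pubkey_line() {
  set -- $1                                   # split into fields (function-local $@)
  [ $# -ge 2 ] || return 1
  case "$1" in
    ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
    *) return 1 ;;
  esac
  case "$2" in *[!A-Za-z0-9+/=]*) return 1 ;; esac   # base64 alphabet only
  return 0
}

# check_keydir DIR OWNER: 0 if DIR exists, is owned by OWNER and is neither
# group- nor world-writable, i.e. what StrictModes demands of the path
# holding an authorized keys file. Otherwise 1.
check_keydir() {
  dir=$1; owner=$2
  [ -d "$dir" ] || return 1
  [ -z "$(find "$dir" -prune ! -user "$owner" -print)" ] || return 1
  [ -z "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 1
  return 0
}

# install_key USER SRC: validate every non-blank, non-comment line of SRC as a
# public key, then place the file atomically as $KEYDIR/USER.pub with mode
# 0644, owned by root when run as root. Returns 1 without touching $KEYDIR
# on any invalid line or an unsafe directory.
install_key() {
  user=$1; src=$2
  dest="$KEYDIR/$user.pub"
  check_keydir "$KEYDIR" "${KEYDIR_OWNER:-root}" || {
    echo "install_key: $KEYDIR is not a root-owned, non-writable dir" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    is_pubkey_line "$line" || { echo "install_key: bad key line in $src" >&2; return 1; }
  done < "$src"
  ( umask 022 && cp "$src" "$dest.tmp" ) || return 1
  chmod 0644 "$dest.tmp" || return 1
  [ "$(id -u)" -ne 0 ] || chown root "$dest.tmp" || return 1
  mv "$dest.tmp" "$dest"
}
```

After editing sshd_config, `sshd -t` validates the syntax and `sshd -T | grep -i authorizedkeysfile` shows the effective value; OpenSSH 5.9 and later accept several space-separated paths in `AuthorizedKeysFile`, so a central directory can be phased in alongside the per-user file. The validator above only checks the shape of each line; `ssh-keygen -l -f /etc/ssh/keys/USER.pub` is the real test that sshd will be able to parse the key.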