About
In public key authentication, the authorized keys are the public keys the server uses to authenticate a client by verifying its digital signature.
In a PKI model, once an SSH server or client receives a public key from its peer and considers the key trustworthy, the server marks the key as authorized by adding it to its authorized_keys file.
The AuthorizedKeysFile keyword specifies the file containing public keys for public key authentication.
Format
The file contains a list of public keys, one per line.
Example for rsa and dss
ssh-rsa key key-comment
ssh-dss key key-comment
Example
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+Mh3U/3We4VYtV1QmWUFIzFLTUeegl1Ao5/QGtCRGAZn8bxX9KlCrrWISIjSYAwCajIEGSPEZwPNMBoK8XD8Q= ylo@klar
# Comments allowed at start of line
ssh-rsa AAAAB3Nza...LiPk== [email protected]
from="*.sales.example.net,!pc.sales.example.net" ssh-rsa AAAAB2...19Q== [email protected]
command="dump /home",no-pty,no-port-forwarding ssh-dss AAAAC3...51R== example.net
permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss AAAAB5...21S==
ssh-rsa [email protected]
zos-key-ring-label="KeyRingOwner/SSHAuthKeysRing uniq-ssh-rsa"
from="*.example.com",zos-key-ring-label="KeyRingOwner/SSHAuthKeysRing uniq-ssh-dsa"
- With configuration and command
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"packer\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAYRwgsk6fxOJYR6plf3Vcwu...
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"packer\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSQvCliGGSQkywgvFQjbhARqo0ZA....
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"hdsshadm\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA3NcgK9ScckgtWOlKD5MMIMBEpsEk3wDur4SUHlyg7Jb9PWPidU6gqT...
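As an added example (not part of the original page or of OpenSSH), the Python sketch below parses entries in the format shown above, including quoted option values with escaped quotes, and flags keys that carry no options or a forced command that leaves port forwarding enabled. The KEY_PREFIXES heuristic, the function names and the sample lines are assumptions made for illustration; restrict is an OpenSSH option that this page does not show.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # assumed heuristic: such a line has no options

def split_options(line):
    """Return ([(name, value), ...], remainder); options end at the first blank outside quotes."""
    fields, quoted, i = [""], False, 0
    while i < len(line) and (quoted or line[i] not in " \t"):
        if quoted and line[i:i + 2] == '\\"':   # \" is a literal quote inside a value
            fields[-1] += '"'
            i += 1
        elif line[i] == '"':
            quoted = not quoted
        elif line[i] == "," and not quoted:
            fields.append("")
        else:
            fields[-1] += line[i]
        i += 1
    if quoted:
        raise ValueError("unterminated quote in options")
    options = [(n.lower(), v) for n, _, v in (f.partition("=") for f in fields if f)]
    return options, line[i:].strip()

def parse_line(line):
    """Parse one authorized_keys line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = ([], line) if line.startswith(KEY_PREFIXES) else split_options(line)
    keytype, blob, comment = (rest.split(None, 2) + ["", "", ""])[:3]
    return {"options": options, "keytype": keytype, "blob": blob, "comment": comment}

def audit(text):
    """Return (line number, finding) pairs for entries worth a reviewer's attention."""
    findings = []
    for no, entry in enumerate(map(parse_line, text.splitlines()), 1):
        if entry is None:
            continue
        names = {name for name, _ in entry["options"]}
        if not names:
            findings.append((no, "no options: key is unrestricted"))
        elif "command" in names and not names & {"restrict", "no-port-forwarding"}:
            findings.append((no, "forced command, but port forwarding not disabled"))
    return findings

# Constructed sample input modelled on the entries above (key blobs shortened).
SAMPLE = r"""# Comments allowed at start of line
ssh-rsa AAAAB3Nza...LiPk== user@host.example
command="dump /home",no-pty ssh-rsa AAAAB3...51R== backup
no-port-forwarding,command="echo 'Login as \"packer\"';sleep 10" ssh-rsa AAAAB3... root
"""
```

Calling audit() on the contents of each file named by AuthorizedKeysFile gives a quick list of entries to review by hand.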
Management
Location
Default
If none is specified, the default is in the user's home directory:
- ~/.ssh/authorized_keys
- and ~/.ssh/authorized_keys2
This means that each user can add permanent credentials for themselves and/or for friends … :)
Conf
In the SSH server configuration file (sshd_config), you can set it to a location controlled by root.
Example:
AuthorizedKeysFile /etc/ssh/authorized-keys/%u
# or, relative to the user's home directory
AuthorizedKeysFile .ssh/authorized_keys