Setting up SSH Authman - for server owners

For the user-side setup of SSH Authman, see the article https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/1551728653

Step-by-step guide

Select a script option: either the Python or the bash version, with or without caching.

Create the SSH cache directory (as root), where (root group) is the name of root's group on your system:

    mkdir /var/ssh_cache
    chown nobody:(root group) /var/ssh_cache
    chmod 750 /var/ssh_cache

Example using bash/with_cache.sh as authman_command_cache.sh:

Copy the selected script to /usr/local/bin/authman_command_cache.sh

Make any site-specific changes to the script, then set its ownership and permissions (sshd requires the AuthorizedKeysCommand script to be owned by root and not writable by group or others):

    chown root:nogroup /usr/local/bin/authman_command_cache.sh
    chmod 750 /usr/local/bin/authman_command_cache.sh

On Red Hat systems, use the group nobody instead of nogroup.

Ensure the following lines are present in /etc/ssh/sshd_config:

    AuthorizedKeysCommand /usr/local/bin/authman_command_cache.sh
    AuthorizedKeysCommandUser nobody

You can put these directives inside a Match block to restrict them to specific users or groups. For example:

    Match User rgoggin
        AuthorizedKeysCommand /usr/local/bin/authman_command_cache.sh
        AuthorizedKeysCommandUser nobody

    Match Group istiss
        AuthorizedKeysCommand /usr/local/bin/authman_command_cache.sh
        AuthorizedKeysCommandUser nobody

Or, set them globally and disable the command for specific users or groups. The global directives must come first, because every line after a Match line belongs to that block until the next Match:

    AuthorizedKeysCommand /usr/local/bin/authman_command_cache.sh
    AuthorizedKeysCommandUser nobody

    Match User root,git,www-data
        AuthorizedKeysCommand none

    Match Group postgres
        AuthorizedKeysCommand none

After modifying /etc/ssh/sshd_config, check it with sshd -t and then reload the configuration. The reload method depends on your system:

    systemctl reload sshd
    service sshd reload
    kill -HUP SSHDPID

where SSHDPID is the process ID of the listening sshd.
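The following pre-flight check is added here as an example and is not one of the Authman scripts. It verifies the ownership and permission requirements above for the command script and the cache directory (sshd refuses an AuthorizedKeysCommand that is not an absolute, root-owned path or that is group- or world-writable); paths and expected owners are parameters, and the built-in demo runs against constructed temporary files owned by the current user.

```sh
#!/bin/sh
# Added example (not one of the Authman scripts): pre-flight checks for the
# AuthorizedKeysCommand setup above. sshd refuses a command that is not an
# absolute path, not owned by root, or writable by group or others, so check
# before reloading. Paths and owners are parameters so the checks can be run
# against the real files as root (see the demo at the end).

# Print the permission bits of a path as three octal digits (GNU stat).
mode_of() { m=$(stat -c '%a' "$1") && printf '%s\n' "${m#"${m%???}"}"; }

# check_keys_command PATH OWNER: absolute path, regular file, owned by OWNER
# (root in production), owner-executable, not group/other-writable (750 is fine).
check_keys_command() {
    case "$1" in /*) ;; *) echo "not an absolute path: $1"; return 1;; esac
    [ -f "$1" ] || { echo "not a regular file: $1"; return 1; }
    [ "$(stat -c '%U' "$1")" = "$2" ] || { echo "not owned by $2: $1"; return 1; }
    m=$(mode_of "$1") || return 1
    case "$m" in [1357]??) ;; *) echo "owner cannot execute: $1"; return 1;; esac
    case "$m" in ?[2367]?|??[2367]) echo "group/other writable ($m): $1"; return 1;; esac
}

# check_cache_dir PATH OWNER: owned by the AuthorizedKeysCommandUser (nobody) so
# the script can write to it, and mode 750 as created above.
check_cache_dir() {
    [ -d "$1" ] || { echo "not a directory: $1"; return 1; }
    [ "$(stat -c '%U' "$1")" = "$2" ] || { echo "not owned by $2: $1"; return 1; }
    m=$(mode_of "$1") || return 1
    [ "$m" = 750 ] || { echo "mode is $m, expected 750: $1"; return 1; }
}

# Stand-alone demo on constructed temp files owned by the current user. On a real
# server run: check_keys_command /usr/local/bin/authman_command_cache.sh root
#             check_cache_dir /var/ssh_cache nobody
demo() {
    t=$(mktemp -d) || return 1
    me=$(id -un)
    printf '#!/bin/sh\nexit 0\n' > "$t/cmd.sh"; chmod 750 "$t/cmd.sh"
    mkdir "$t/cache"; chmod 750 "$t/cache"
    check_keys_command "$t/cmd.sh" "$me" && check_cache_dir "$t/cache" "$me"; ok=$?
    chmod 770 "$t/cmd.sh"              # group-writable: sshd would reject this
    check_keys_command "$t/cmd.sh" "$me" >/dev/null; bad=$?
    rm -rf "$t"
    [ "$ok" -eq 0 ] && [ "$bad" -ne 0 ]
}

demo && echo "pre-flight checks OK"
```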

Need help?

Please submit support requests to ist-iss-general@rt.uwaterloo.ca.
