Setting up SSH Authman - for server owners

For how to add SSH Authman as a user, please see the article How to use SSH Authman - for users.

If you have existing tooling in place for managing user SSH keys, you can retrieve a user's SSH keys using the URL https://authman.uwaterloo.ca/keys/<username> (e.g. https://authman.uwaterloo.ca/keys/myuserna).

Step-by-step guide

Select a script option: either Python or bash, with or without cache.

This example uses bash/with_cache.sh (https://git.uwaterloo.ca/authman/authman-scripts/-/blob/main/bash/with_cache.sh) from the referenced scripts as authman_command_cache.sh.

Create the SSH cache directory (as root):

mkdir /var/ssh_cache
chown nobody:(root group) /var/ssh_cache
chmod 750 /var/ssh_cache

In /etc/ssh/sshd_config

Copy the selected script to /usr/local/bin/authman_command_cache.sh

Make changes to the script:

chown root:nogroup /usr/local/bin/authman_command_cache.sh
chmod 750 /usr/local/bin/authman_command_cache.sh

On Red Hat systems, use nobody instead of nogroup.

Ensure the following lines are present in /etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/local/bin/authman_command_cache.sh
AuthorizedKeysCommandUser nobody

You can put this under a Match clause if you wish to restrict it to specific users/groups. For example:

Match User rgoggin
    AuthorizedKeysCommand /usr/local/bin/authman_command_cache.sh
    AuthorizedKeysCommandUser nobody
Match Group istiss
    AuthorizedKeysCommand /usr/local/bin/authman_command_cache.sh
    AuthorizedKeysCommandUser nobody

Or, negate it for specific users/groups:

AuthorizedKeysCommand /usr/local/bin/authman_command_cache.sh
AuthorizedKeysCommandUser nobody
Match User root,git,www-data
    AuthorizedKeysCommand none
Match Group postgres
    AuthorizedKeysCommand none

After making modifications to /etc/ssh/sshd_config, ensure that you reload the configuration. The method used depends on your system:

systemctl reload sshd
service sshd reload
kill -HUP SSHDPID
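
Added example (not part of the original article or the authman-scripts repository): a check to run as root before reloading, confirming that the script and cache directory have the ownership and modes set above, that sshd_config parses, and that AuthorizedKeysCommand is in effect for a given user. The function names and the SCRIPT/CACHE variables are assumptions made here; the rule that the program be root-owned and not writable by group or others comes from sshd_config(5).

```shell
#!/bin/sh
# Added example: pre-reload checks for the AuthorizedKeysCommand setup above.
# SCRIPT and CACHE default to the paths used in this article.
SCRIPT=${SCRIPT:-/usr/local/bin/authman_command_cache.sh}
CACHE=${CACHE:-/var/ssh_cache}

# locked_down PATH OWNER
# Succeeds only if PATH exists, is owned by OWNER (name or numeric uid) and
# is not writable by group or others. sshd refuses to run an
# AuthorizedKeysCommand that fails this test with OWNER=root.
locked_down() {
    [ -n "$(find "$1" -prune -user "$2" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# uses_authman SCRIPT RUNAS
# Reads `sshd -T` output (lowercase keywords) on stdin and succeeds only if
# the effective command and the user it runs as match the arguments.
uses_authman() {
    awk -v s="$1" -v u="$2" '
        $1 == "authorizedkeyscommand"     { c = $2 }
        $1 == "authorizedkeyscommanduser" { r = $2 }
        END { exit !(c == s && r == u) }'
}

# check_host USERNAME
# Runs every check and reports each failure; returns non-zero if any failed.
check_host() {
    rc=0
    locked_down "$SCRIPT" root ||
        { echo "FAIL: $SCRIPT must be root-owned and not group/other-writable"; rc=1; }
    locked_down "$CACHE" nobody ||
        { echo "FAIL: $CACHE must be owned by nobody and not group/other-writable"; rc=1; }
    # Syntax-check the configuration before asking the running daemon to reload it.
    sshd -t || { echo "FAIL: sshd_config does not parse"; rc=1; }
    # -C evaluates Match blocks for this connection, so Match User/Group
    # restrictions and "AuthorizedKeysCommand none" overrides are honoured.
    sshd -T -C "user=$1,host=localhost,addr=127.0.0.1" | uses_authman "$SCRIPT" nobody ||
        { echo "FAIL: AuthorizedKeysCommand is not in effect for $1"; rc=1; }
    return $rc
}

# Run the checks only when a username is given on the command line.
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

For a user covered by an "AuthorizedKeysCommand none" Match block, the last check is expected to report that the command is not in effect.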
