Setting up SSH Authman - for server owners

For how to add SSH Authman for users, please see the article How to use SSH Authman - for users.

If you have existing tooling in place for managing user SSH keys, you can retrieve a user's SSH keys using the URL https://authman.uwaterloo.ca/keys/<username> (e.g. https://authman.uwaterloo.ca/keys/myuserna).

Step-by-step guide

Select a script option: either Python or Bash, with or without cache.

This example is using bash/with_cache.sh (https://git.uwaterloo.ca/authman/authman-scripts/-/blob/main/bash/with_cache.sh) from the referenced scripts as authman_command_cache.sh

Create ssh cache directory (as root)

mkdir /var/ssh_cache
chown nobody:(root group) /var/ssh_cache
chmod 750 /var/ssh_cache

Copy the selected script to /usr/local/bin/authman_command_cache.sh

Make changes to the script

chown root:nogroup /usr/local/bin/authman_command_cache.sh
chmod 750 /usr/local/bin/authman_command_cache.sh

In /etc/ssh/sshd_config

Ensure the following lines

AuthorizedKeysCommand /usr/local/bin/authman_command_cache.sh
AuthorizedKeysCommandUser nobody

You can put this under a Match clause if you wish to restrict it to specific users/groups. For example:

Or, negate it for specific users/groups

After making modifications to /etc/ssh/sshd_config, ensure that you reload the configuration. The method used depends on your system.
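
To show what sshd expects from the AuthorizedKeysCommand configured above, here is an added example of a cached key lookup. It is not the project's with_cache.sh; the username policy, the timeouts and the overridable AUTHMAN_URL and CACHE_DIR variables are assumptions of this sketch.

```bash
#!/bin/bash
# Added sketch, not the project's with_cache.sh. AUTHMAN_URL and CACHE_DIR
# are overridable here only so the logic can be exercised offline.
export LC_ALL=C   # make the a-z ranges below ASCII-only
AUTHMAN_URL="${AUTHMAN_URL:-https://authman.uwaterloo.ca/keys}"
CACHE_DIR="${CACHE_DIR:-/var/ssh_cache}"

# Assumed policy: short lowercase login names only. Rejecting everything else
# keeps "/", "..", "?" and whitespace out of the URL and the cache file name.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Network fetch, isolated so it can be stubbed. --fail maps HTTP errors to a
# non-zero exit; the timeouts stop a slow service from stalling logins.
fetch_keys() {
    curl --silent --fail --proto '=https' --connect-timeout 3 --max-time 5 \
        "${AUTHMAN_URL}/$1"
}

# Print authorized_keys lines for user $1 on stdout, which is what sshd reads.
authman_keys() {
    local user="$1" cache keys tmp
    valid_username "$user" || return 1
    cache="${CACHE_DIR}/${user}"
    if keys="$(fetch_keys "$user")"; then
        # A successful fetch is authoritative, even if empty, so removed keys
        # also disappear from the cache. Write via temp file + rename so a
        # concurrent login never reads a partial entry.
        if tmp="$(mktemp "${CACHE_DIR}/.${user}.XXXXXX")"; then
            printf '%s\n' "$keys" > "$tmp" && mv -f "$tmp" "$cache" || rm -f "$tmp"
        fi
        printf '%s\n' "$keys"
    elif [ -r "$cache" ]; then
        cat "$cache"    # service unreachable: serve the last known keys
    else
        return 1
    fi
}

# sshd passes the login name as the only argument when none are configured.
if [ "$#" -gt 0 ]; then
    authman_keys "$1"
fi
```

With a cache like this, any failed fetch falls back to the stored keys, so a key removed from Authman stays usable on this host until the next successful fetch.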
