I know how each user can generate keys for themselves. How can I as an admin user generate it for them? The idea is to generate on the host and pass to them to be used from their client. The idea is to completely avoid allowing them to log in with passwords, not even once.
You can generate the keys for another user the exact same way.
You just write them into the appropriate place into the users home directory,
~/.ssh. Then set the permissions on the key files appropriately.
You can even login as different users using
su and run the same operation for all users?
I want to note that this isn’t a Fedora specific query—this is now bordering on general system administration, and there are dedicated channels for that where one would get much better help:
For example, this seems very close to your query:
I am not sure I follow. When I run
ssh-keygen it creates cert/key under the current user’s home directory
.ssh. How exactly do I generate for arbitrary other users?
ssh-keygen -f /path/to/keyfilename
Alternatively, you could use:
sudo -u username ssh-keygen
ssh-keygen simlply creates a file (the key). There is nothing contained within the file that explicitly links it to the user who created it. The only thing that links that key to a user is the fact that it is in that user’s
.ssh directory. Therefore, if you just move the key to another user’s
.ssh directory and change the permissions of it accordingly, that key will now be associated with that other user.
The user creating then new key should first move his own .ssh folder so it does not get overwritten, then create the key for the other user. That new .ssh folder can be relocated to the other user using
sudo mv .ssh /home/otheruser/ or equivalent, then the original .ssh folder restored for the original user.
Very simple process, and not user specific at all.
The admin user managing this could even keep copies of the key files identified by user for placing in other locations as needed. I do passwordless ssh between all the systems I use by copying my key files to each machine where I am authorized access.
sudo -u User1 ssh-keygen -t ed25519 -f /home/$USER/.ssh/id_ed25519 -N "" Generating public/private ed25519 key pair. Saving key "/home/root/.ssh/id_ed25519" failed: No such file or directory
sudo is not enough. It has to be
su User1 -c '...'
$USER with sudo.
It is as simple as
sudo -u username ssh-keygen -t ed25519. You don’t even need
-f if you use sudo.
Will it not ask to confirm the file name from console then?
If you need to use
-f to avoid the prompt, you can do it like this:
sudo -i -u username ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""