
SSH for different users with one $HOME

 
Romana
Occasional Advisor

SSH for different users with one $HOME

Hi,
Can anyone tell me what is the best way to configure ssh for 2 different users, user1 and user2, having the same home directory on a server? (both hpux 11.11)

user1@client1# ssh user1@server
user2@client1# ssh user2@server

At the moment it works only for the owner of $HOME by using id_dsa.pub and authorized_keys.
Is hostbased authentication the correct way, and how is it configured?

thanks
Romana
3 REPLIES
Steven Schweda
Honored Contributor

Re: SSH for different users with one $HOME

> [...] the best way [...]

That depends. Are you talking about an SSH
client or server?

As a client, one way may be to make at least
one of the users use "ssh -i". As
"ssh -h" says:

-i file Identity for public key authentication (default: ~/.ssh/identity)

"man ssh" adds more detail.

Hostbased authorization may be another way to
solve the problem. I don't use it, so I'd
need to read more before offering advice on
how to configure it.

Ralph Grothe
Honored Contributor

Re: SSH for different users with one $HOME

It is very bad that two users share the same HOME from sshd's security standpoint.

You might try to edit sshd_config on the server with the users' shared HOME,
and add this entry

StrictModes no

and reinitialize the sshd by

# kill -1 $(UNIX95= ps -C sshd -o pid= -o ppid=|awk '$2==1{print$1}')

or

# kill -1 $(cat /var/run/sshd.pid)


Then retry.

But this is an ugly degradation of security and should generally be avoided.
Madness, thy name is system administration
Matti_Kurkela
Honored Contributor

Re: SSH for different users with one $HOME

According to the source code of openssh-4.3p2, the authorized_keys file and all components of the path to it (i.e. /, /home, /home/userdir, /home/userdir/.ssh) must be owned by either the user that is trying to log in _or root_, and must not be group or world writable.

(The check is made in openssh-/auth.c file, if you need more details.)

This means the shared home directory cannot be writable by either user, but it may contain sub-directories that are writable by either or both users.

Without knowing more about your requirements, it's hard to say which is the "best" or "correct" way.

MK
MK
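
The ownership and permission rule described in the reply above can be audited for each login account before deciding whether to weaken StrictModes. This is an added example, not part of the thread and not OpenSSH's own code: `check_key_path` and its arguments are hypothetical names, it applies the rule as stated in that reply, and it assumes an absolute path that contains no symlinks.

```shell
#!/bin/sh
# usage: check_key_path FILE LOGIN_UID [TOP]
#   FILE       absolute, symlink-free path to authorized_keys (assumption)
#   LOGIN_UID  numeric uid of the account that is trying to log in
#   TOP        directory at which to stop walking upward (default: /)
# Returns 0 if every component passes, 1 otherwise.
check_key_path() {
    ckp_path=$1 ckp_uid=$2 ckp_top=${3:-/} ckp_rc=0
    while :; do
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner
        ckp_info=$(ls -ldn "$ckp_path" 2>/dev/null | awk 'NR==1 {print $1, $3}')
        if [ -z "$ckp_info" ]; then
            echo "FAIL $ckp_path: cannot stat"
            return 1
        fi
        ckp_mode=${ckp_info%% *}
        ckp_owner=${ckp_info##* }
        ckp_why=
        # Owner must be the login user or root (uid 0)
        if [ "$ckp_owner" -ne "$ckp_uid" ] && [ "$ckp_owner" -ne 0 ]; then
            ckp_why="owned by uid $ckp_owner"
        fi
        # Character 6 of the mode string is group write, character 9 world write
        case $ckp_mode in
            ?????w*|????????w*) ckp_why="${ckp_why:+$ckp_why, }group/world writable" ;;
        esac
        if [ -n "$ckp_why" ]; then
            echo "FAIL $ckp_path ($ckp_mode): $ckp_why"
            ckp_rc=1
        else
            echo "ok   $ckp_path ($ckp_mode, uid $ckp_owner)"
        fi
        # Stop once the top directory (or the root) has been checked
        case $ckp_path in
            "$ckp_top"|/|.) break ;;
        esac
        ckp_path=$(dirname "$ckp_path")
    done
    return $ckp_rc
}

# Run as a script: sh check_key_path.sh FILE LOGIN_UID [TOP]
if [ $# -ge 2 ]; then check_key_path "$@"; fi
```

Running it once with each account's numeric uid shows which component blocks that account: a home directory owned by user1 fails for user2, while one owned by root and not group or world writable passes for both.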