22.5. Managing Public SSH Keys for Users

Identity Management allows you to upload a public SSH key to a user entry. The user who has access to the corresponding private SSH key can use ssh to log into an IdM machine without using Kerberos credentials. If pam_krb5 is configured properly or if SSSD is used as the IdM server's identity provider, the user also receives a Kerberos ticket-granting ticket (TGT) after login; see the section called “Obtaining Kerberos Tickets Automatically” for more details.
Note that users can still authenticate by providing their Kerberos credentials if they are logging in from a machine where their private SSH key file is not available.

Caching and Retrieving SSH Keys Automatically

During an IdM server or client installation, SSSD is automatically configured on the machine to cache and retrieve user and host SSH keys. This allows IdM to serve as a universal and centralized repository of SSH keys.
If the server or client was not configured during installation, you can configure SSSD on the machine manually. For information on how to do this, see Section 22.6, “Configuring SSSD to Provide a Cache for the OpenSSH Services”. Note that caching SSH keys by SSSD requires administrative privileges on the local machines.

SSH Key Format Requirements

IdM accepts the following two SSH key formats:
OpenSSH-style key
The single-line format used in OpenSSH authorized_keys files: the key type, the Base64-encoded key blob, and an optional comment, separated by spaces. The blob itself is the RFC 4253 wire encoding of the public key; see RFC 4716 for the related SSH public key file format.
Raw RFC 4253-style key
The Base64-encoded key blob alone, without the leading key type or the trailing comment. See RFC 4253 for more details about this encoding.
Note that IdM automatically converts RFC 4253-style keys into OpenSSH-style keys before saving them into the IdM LDAP server, so both formats end up stored the same way.
A key file, such as, consists of three parts: the key type, the key itself, and an additional comment or identifier. In the following example, the key type is RSA and the comment associates the key with the host name:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMM4xPu54Kf2dx7C4Ta2F7vnIzuL1i6P21TTKniSkjFuA+r
When uploading a key to IdM, you can either upload all three key parts, or only the key itself. If you only upload the key itself, IdM automatically identifies the key type, such as RSA or DSA, from the uploaded key.
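The following Python script is an added example and is not part of this page or of IdM itself. It parses both accepted formats as described above, reads the key type out of the RFC 4253 blob (the reason IdM can identify the type when only the blob is uploaded), normalizes a raw blob to the OpenSSH-style line that IdM stores, computes the OpenSSH SHA256 fingerprint, and rejects a truncated blob or a key-type prefix that disagrees with the type embedded in the blob. The function names and the sample keys are constructed for illustration; they are not real keys.

```python
"""Parse the two SSH public key formats IdM accepts (added example).

Assumptions (not from the page): the helper names and the sample keys
below are constructed for illustration and are not real keys.
"""
import base64
import binascii
import hashlib
import struct


def _encode_string(data: bytes) -> bytes:
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _encode_mpint(value: int) -> bytes:
    """RFC 4253 'mpint' for a non-negative integer (a leading 0x00 byte is
    added when the high bit is set so the value is not read as negative)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _encode_string(raw)


def _read_string(buf: bytes, off: int) -> tuple:
    """Read one RFC 4253 string at offset off; refuse truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob: missing length field")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob: string runs past end of data")
    return buf[off:off + length], off + length


def parse_ssh_public_key(text: str) -> dict:
    """Accept either an OpenSSH-style line ('type blob [comment]') or a raw
    RFC 4253 blob (Base64 only), the two forms IdM accepts.

    Returns the key type read from inside the blob, the blob, the comment
    and the OpenSSH SHA256 fingerprint. Raises ValueError for a truncated or
    malformed blob, or when the stated type does not match the embedded one.
    """
    parts = text.strip().split(None, 2)
    if not parts:
        raise ValueError("empty key")
    if len(parts) == 1:                      # raw RFC 4253 blob
        stated_type, blob_b64, comment = None, parts[0], ""
    else:                                    # OpenSSH-style line
        stated_type, blob_b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key blob is not valid Base64: {exc}") from exc

    # The blob is a sequence of RFC 4253 strings: the first names the
    # algorithm (ssh-rsa, ssh-ed25519, ...), the rest carry key material.
    fields, off = [], 0
    while off < len(blob):
        field, off = _read_string(blob, off)
        fields.append(field)
    if len(fields) < 2:
        raise ValueError("key blob has no key material after the type")
    embedded_type = fields[0].decode("ascii")
    if stated_type is not None and stated_type != embedded_type:
        raise ValueError(
            f"key type {stated_type!r} does not match blob type {embedded_type!r}")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": embedded_type, "blob": blob_b64,
            "comment": comment, "fingerprint": fingerprint}


def to_openssh_line(text: str) -> str:
    """Normalize either accepted format to the OpenSSH-style line IdM stores."""
    key = parse_ssh_public_key(text)
    line = f"{key['type']} {key['blob']}"
    return f"{line} {key['comment']}" if key["comment"] else line


# Constructed sample keys (NOT real keys): valid RFC 4253 structure only.
ED25519_RAW = base64.b64encode(
    _encode_string(b"ssh-ed25519") + _encode_string(bytes(range(32)))).decode()
ED25519_LINE = f"ssh-ed25519 {ED25519_RAW} alice@ipa-client.example.com"
RSA_RAW = base64.b64encode(
    _encode_string(b"ssh-rsa") + _encode_mpint(65537)
    + _encode_mpint((1 << 2047) | 1)).decode()
# The truncated key shown earlier on this page: decoding must fail cleanly.
TRUNCATED_PAGE_KEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMM4xPu54Kf2dx7C4Ta2"
                      "F7vnIzuL1i6P21TTKniSkjFuA+r")

if __name__ == "__main__":
    for sample in (ED25519_LINE, ED25519_RAW, RSA_RAW):
        key = parse_ssh_public_key(sample)
        print(key["type"], key["fingerprint"], key["comment"] or "(no comment)")
    for bad in (TRUNCATED_PAGE_KEY, f"ssh-rsa {ED25519_RAW}"):
        try:
            parse_ssh_public_key(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Validating a key this way before passing it to ipa user-mod catches the two common copy-and-paste failures, a blob cut short and a type prefix copied from a different key, and gives you the same SHA256 fingerprint that ssh-keygen -l prints, so the uploaded key can be matched against what the user generated.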

22.5.1. Generating an SSH Key

You can generate an SSH key using the OpenSSH ssh-keygen utility. The utility displays information about the location of the public key. For example:
$ ssh-keygen -t rsa -C
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|     + .         |
|    + =   .      |
|     =   +       |
|    . E S..      |
|   .    . .o     |
|    . .  . oo.   |
|   . o .  +.+o   |
|    o  .o..o+o   |
To upload an SSH key for a user, use the public key string stored in the displayed file.

22.5.2. Uploading User SSH Keys

Web UI: Uploading User SSH Keys

  1. Select Identity Users.
  2. Click the name of the user to edit.
  3. Under the Settings tab in the Account Settings area, click SSH public keys: Add.

    Figure 22.9. SSH public keys in the Account Settings

    SSH public keys in the Account Settings
  4. Paste in the Base 64-encoded public key string, and click Set.

    Figure 22.10. Pasting in the Public Key

    Pasting in the Public Key
  5. Click Save at the top of the page.

Command Line: Uploading User SSH Keys

Use the ipa user-mod command and pass the Base 64-encoded public key string using the --sshpubkey option.
For example, to upload the key type, the key itself, and the host name identifier:
$ ipa user-mod user --sshpubkey="ssh-rsa AAAAB3Nza...SNc5dv=="
Note that --sshpubkey sets the complete list of keys on the user entry: any key already stored on the entry but not passed in the command is removed. To upload multiple keys, use --sshpubkey multiple times. For example, to upload two SSH keys:
$ ipa user-mod user --sshpubkey="AAAAB3Nza...SNc5dv==" --sshpubkey="RjlzYQo...ZEt0TAo="
Instead of pasting the key string manually into the command line, you can use shell command substitution and point to the file containing the key. For example:
$ ipa user-mod user --sshpubkey="$(cat ~/.ssh/" --sshpubkey="$(cat ~/.ssh/"

22.5.3. Deleting User Keys

To delete an SSH key:

Web UI: Deleting User SSH Keys

  1. Select Identity Users.
  2. Click the name of the user to edit.
  3. Under the Settings tab in the Account Settings area, click Delete next to the key you want to remove.

    Figure 22.11. Deleting User SSH Public Key

    Deleting User SSH Public Key
  4. Click Save at the top of the page.

Command Line: Deleting User SSH Keys

To delete all SSH keys assigned to a user account, add the --sshpubkey option to the ipa user-mod command without specifying any key:
$ ipa user-mod user --sshpubkey=
Because --sshpubkey replaces the complete set of keys on the entry, there is no option that removes a single key by itself. If you only want to delete a specific SSH key or keys, run ipa user-mod with --sshpubkey once for each key you want to keep; every key you do not list is removed.
Deleting a key in IdM does not remove it from the SSSD cache on client machines immediately. With the default cache timeout value (entry_cache_timeout = 5400 seconds), a cached key remains valid, and can still be used to log in to that client, for up to one and a half hours. To cut off access sooner, expire the user's cached entry on each affected client (for example with sss_cache -u user) or lower entry_cache_timeout in the domain section of sssd.conf.
© 2024 Red Hat, Inc.