48.4. Managing public SSH keys for users
Identity Management allows you to upload a public SSH key to a user entry. The user who has access to the corresponding private SSH key can use SSH to log into an IdM machine without using Kerberos credentials. Note that users can still authenticate by providing their Kerberos credentials if they are logging in from a machine where their private SSH key file is not available.
48.4.1. Uploading SSH keys for a user using the IdM Web UI
Identity Management allows you to upload a public SSH key to a user entry. The user who has access to the corresponding private SSH key can use SSH to log into an IdM machine without using Kerberos credentials.
Prerequisites
- Administrator privileges for managing the IdM Web UI or User Administrator role.
Procedure
- Log into the IdM Web UI.
- Go to the Identity > Users tab.
- Click the name of the user to edit.
- In the Account Settings section, click the SSH public keys Add button.
- Paste the base64-encoded public key string into the SSH public key field.
- Click Set.
- Click Save at the top of the IdM Web UI window.
Verification
- Under the Account Settings section, verify the key is listed under SSH public keys.
48.4.2. Uploading SSH keys for a user using the IdM CLI
Identity Management allows you to upload a public SSH key to a user entry. The user who has access to the corresponding private SSH key can use SSH to log into an IdM machine without using Kerberos credentials.
Prerequisites
- Administrator privileges for managing the IdM CLI or User Administrator role.
Procedure
Run the ipa user-mod command with the --sshpubkey option to upload the base64-encoded public key to the user entry.
$ ipa user-mod user --sshpubkey="ssh-rsa AAAAB3Nza...SNc5dv== client.example.com"
Note that in this example you upload the key type, the key, and the hostname identifier to the user entry.
To upload multiple keys, use --sshpubkey multiple times. For example, to upload two SSH keys:
--sshpubkey="AAAAB3Nza...SNc5dv==" --sshpubkey="RjlzYQo...ZEt0TAo="
To use command substitution and point to a file that contains the key instead of pasting the key string manually, use the following command:
$ ipa user-mod user --sshpubkey="$(cat ~/.ssh/id_rsa.pub)" --sshpubkey="$(cat ~/.ssh/id_rsa2.pub)"
Verification
Run the ipa user-show command to verify that the SSH public key is associated with the specified user:
$ ipa user-show user
  User login: user
  First name: user
  Last name: user
  Home directory: /home/user
  Login shell: /bin/sh
  Principal name: user@IPA.TEST
  Principal alias: user@IPA.TEST
  Email address: user@ipa.test
  UID: 1118800019
  GID: 1118800019
  SSH public key fingerprint: SHA256:qGaqTZM60YPFTngFX0PtNPCKbIuudwf1D2LqmDeOcuA user@IPA.TEST (ssh-rsa)
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Subordinate ids: 3167b7cc-8497-4ff2-ab4b-6fcb3cb1b047
  Kerberos keys available: False
48.4.3. Deleting SSH keys for a user using the IdM Web UI
Follow this procedure to delete an SSH key from a user profile in the IdM Web UI.
Prerequisites
- Administrator privileges for managing the IdM Web UI or User Administrator role.
Procedure
- Log into the IdM Web UI.
- Go to the Identity > Users tab.
- Click the name of the user to edit.
- Under the Account Settings section, under SSH public key, click Delete next to the key you want to remove.
- Click Save at the top of the page.
Verification
- Under the Account Settings section, verify the key is no longer listed under SSH public keys.
48.4.4. Deleting SSH keys for a user using the IdM CLI
Follow this procedure to delete an SSH key from a user profile by using the IdM CLI.
Prerequisites
- Administrator privileges for managing the IdM CLI or User Administrator role.
Procedure
To delete all SSH keys assigned to a user account, add the --sshpubkey option to the ipa user-mod command without specifying any key:
$ ipa user-mod user --sshpubkey=-
To only delete a specific SSH key or keys, use the --sshpubkey option to specify the keys you want to keep, omitting the key you are deleting.
Verification
Run the ipa user-show command to verify that the SSH public key is no longer associated with the specified user:
$ ipa user-show user
  User login: user
  First name: user
  Last name: user
  Home directory: /home/user
  Login shell: /bin/sh
  Principal name: user@IPA.TEST
  Principal alias: user@IPA.TEST
  Email address: user@ipa.test
  UID: 1118800019
  GID: 1118800019
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Subordinate ids: 3167b7cc-8497-4ff2-ab4b-6fcb3cb1b047
  Kerberos keys available: False
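Because deleting a single key means re-submitting every key you want to keep, it is easy to drop the wrong one. The following sketch is an added example, not part of the IdM documentation or tooling: it identifies the key to revoke by its SHA256 fingerprint, in the form shown by ipa user-show, and builds the ipa user-mod argument list that keeps all other keys. The function names and sample keys are constructed for illustration, and it assumes each key is given in the full "type base64 comment" form.

```python
import base64
import hashlib
import struct


def parse_pubkey(line):
    """Split '<type> <base64> [comment]' and return (type, raw key blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # The blob starts with a 4-byte length followed by the key type again.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    return key_type, blob


def fingerprint(line):
    """SHA256 fingerprint in the 'SHA256:<unpadded base64>' form."""
    _, blob = parse_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def user_mod_without(user, current_keys, drop_fp):
    """Build the ipa user-mod argv that keeps every key except drop_fp."""
    keep = [k.strip() for k in current_keys if fingerprint(k) != drop_fp]
    if len(keep) == len(current_keys):
        raise LookupError("no key on the entry has fingerprint " + drop_fp)
    if not keep:
        raise ValueError("nothing left to keep; use the delete-all step")
    return ["ipa", "user-mod", user] + ["--sshpubkey=" + k for k in keep]


def make_sample_key(seed, comment):
    """Constructed ssh-ed25519 line (32 filler bytes, not a real key)."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    keys = [make_sample_key(1, "laptop.example.com"),
            make_sample_key(2, "old-workstation.example.com")]
    # Revoke the second key; the first is re-submitted unchanged.
    print(user_mod_without("user", keys, fingerprint(keys[1])))
```

The returned list can be passed to subprocess.run as is, which avoids shell quoting problems with the spaces inside each key string.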