I've been trying to use ssh keys in order to be able to switch from one user to another user on the same Linux machine/server by using sudo su - username.
What I want to do is: I have several accounts on one server. I want to lock those accounts with passwd -l username, and allow access only with SSH keys, by ssh-ing from one user to the other on the same machine, e.g.: [user1@server]$ ssh user2@server
I did this by copying the public key of user1 to the authorized_keys file of user2, and it works fine.
But the other thing that I would also like to do is to be able to sudo su - user2 from user1 by using the ssh keys, so I can avoid the password prompting, e.g. [user1@server]$ sudo su - user2
I have modified the sshd_config file and uncommented the fields:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
but still I am not able to do it.
I also tried what I found on the internet regarding agent forwarding, but nothing.
Can anyone help me on how to do this or point me to the right direction?
sudo has nothing to do with SSH and the sshd config.
What you really want is a PAM module that will use SSH public keys. I'm not sure what your reasons are, as the whole idea seems a bit strange, but, well. pam_ssh is the module that does this.
To get sudo to work passwordless to another user these are the changes required (perform them with super user access):
edit /etc/sudoers:
visudo
Config changes
# Allow user to sudo su as anyone without password
user ALL=(ALL) NOPASSWD: ALL
%group ALL=(ALL) NOPASSWD: ALL
# Allow user to become another user
user ALL=(user2) NOPASSWD: ALL
%group ALL=(user2) NOPASSWD: ALL
now, with the latter, sudo su - user2 should work.
The only stumbling block was that the user had to be added to the sudo group:
usermod -a -G sudo user
The examples above in the config show the user first, then the group - you only need one of the two.
Edited:
visudo
%group2 ALL=(ALL:ALL) PASSWD: ALL
%group1 ALL=(ALL:ALL) NOPASSWD: ALL
add the groups:
groupadd group1
groupadd group2
so for users that require a password:
usermod -a -G group2 user1
usermod -a -G group2 user2
etc.
for users that require no password:
usermod -a -G group1 nuser1
usermod -a -G group1 nuser2
etc.
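The rules above differ a lot in what they hand out: "user ALL=(ALL) NOPASSWD: ALL" is passwordless root for any command, while "user ALL=(user2) NOPASSWD: ALL" only lets the user act as user2, and a rule that also pins the command (assumed here as /bin/su - user2) is narrower still. The following is an added example, not code from the thread: a small parser for the "who host=(runas) [TAG:] commands" rule shape used in this answer, which classifies each rule so a reviewer can spot grants that are broader than the stated goal of switching to one account. The sample sudoers text is constructed from the rules in the answer plus the narrow rule; aliases, Defaults lines and line continuations are deliberately out of scope.

```python
"""Classify sudoers-style rules by how much a passwordless grant hands out.

Added example for the answer above; it only understands the rule shape
"who host=(runas[:group]) [NOPASSWD:|PASSWD:] commands" and is not a full
sudoers parser (no aliases, Defaults or line continuations).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the rules given in the answer, plus one narrowly scoped
# rule.  /bin/su is an assumed path; check `command -v su` on the real host.
SAMPLE_SUDOERS = """\
# Allow user to sudo su as anyone without password
user ALL=(ALL) NOPASSWD: ALL
%group ALL=(ALL) NOPASSWD: ALL
# Allow user to become another user
user ALL=(user2) NOPASSWD: ALL
%group1 ALL=(ALL:ALL) NOPASSWD: ALL
%group2 ALL=(ALL:ALL) PASSWD: ALL
# Narrow rule: only one command, only as user2
user1 ALL=(user2) NOPASSWD: /bin/su - user2
"""

# who, host, "(runas)", optional tag, then the command list.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?(?P<cmds>.+?)\s*$"
)


@dataclass
class Rule:
    who: str
    host: str
    runas_user: str
    runas_group: Optional[str]
    nopasswd: bool
    cmds: str

    @property
    def risk(self) -> str:
        """'broad'      = no password, any command, as any user (incl. root)
        'scoped-user' = no password, any command, but only as one target user
        'scoped-cmd'  = no password, one target user, fixed command list
        'password'    = a password is still required"""
        if not self.nopasswd:
            return "password"
        if self.runas_user == "ALL" and self.cmds == "ALL":
            return "broad"
        if self.cmds == "ALL":
            return "scoped-user"
        return "scoped-cmd"


def parse_sudoers(text: str) -> List[Rule]:
    """Parse rule lines, skipping blanks and comments; reject unknown shapes."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        # "(ALL:ALL)" carries a runas group after the colon; "(user2)" has none.
        runas_user, _, runas_group = m.group("runas").partition(":")
        rules.append(Rule(
            who=m.group("who"),
            host=m.group("host"),
            runas_user=runas_user,
            runas_group=runas_group or None,
            nopasswd=(m.group("tag") == "NOPASSWD"),
            cmds=m.group("cmds"),
        ))
    return rules


def audit(text: str) -> Dict[str, List[str]]:
    """Group the principals (users or %groups) by the risk class of their rule."""
    report: Dict[str, List[str]] = {}
    for rule in parse_sudoers(text):
        report.setdefault(rule.risk, []).append(rule.who)
    return report


if __name__ == "__main__":
    for level, principals in audit(SAMPLE_SUDOERS).items():
        print(f"{level:12s} {', '.join(principals)}")
```

Running it on the sample lists user, %group and %group1 under "broad", which is the point: if the aim is only to reach user2 without a password, the (user2) form, ideally with a fixed command, achieves that without granting passwordless root.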