How to Generate SSH Keys for Another User as Root: A Secure Admin Guide


When administering Linux systems, you might need to generate SSH keys for other users while logged in as root. The correct approach involves more than just editing file ownership after generation - it requires proper context and permissions handling from the start.

Instead of generating as root and modifying files, use sudo to create keys directly with the target user's context:

sudo -u username ssh-keygen -t ed25519 -C "user@hostname" -f /home/username/.ssh/id_ed25519

This method properly handles:

  • File ownership assignments
  • Directory permissions (critical for SSH security)
  • User context during key generation

Let's create RSA keys for user "webadmin":

# Create .ssh directory if missing
sudo -u webadmin mkdir -p /home/webadmin/.ssh

# Set correct permissions
sudo -u webadmin chmod 700 /home/webadmin/.ssh

# Generate the key pair
sudo -u webadmin ssh-keygen -t rsa -b 4096 -C "webadmin@production" -f /home/webadmin/.ssh/id_rsa

# Verify permissions
sudo -u webadmin ls -la /home/webadmin/.ssh/

Simply running ssh-keygen as root and editing files can cause:

  • Incorrect file permissions (SSH is very particular about this)
  • Potential SELinux context issues
  • Missing proper user environment during generation
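The permission points above are easy to check mechanically. The script below is an added example, not part of the original article: it audits a user's .ssh directory against the settings used in this guide (700 on the directory, 600 on private keys and authorized_keys, 644 or 600 on .pub files, everything owned by the user), which is the check to run after generating a key as root and before the user first logs in. It assumes GNU coreutils (stat -c); the directory path and user name are whatever you pass in.

```shell
#!/bin/bash
# Added example (not from the original article): audit a user's ~/.ssh against the
# ownership and mode rules that ssh and sshd (StrictModes) enforce, so a key tree
# created as root can be verified before the user's first login.
# Assumes GNU coreutils (stat -c). Mode policy follows the article's settings:
# directory 700, private keys and authorized_keys 600, *.pub 644 (or stricter).

mode_of()  { stat -c '%a' "$1"; }   # octal permission bits, e.g. 700
owner_of() { stat -c '%U' "$1"; }   # owning user name

# check_ssh_dir DIR OWNER
# Prints one line per violation; returns 0 when the tree is acceptable, 1 otherwise.
check_ssh_dir() {
    local dir=$1 owner=$2 bad=0 f mode
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    [ "$(owner_of "$dir")" = "$owner" ] || { echo "$dir: owned by $(owner_of "$dir"), expected $owner"; bad=1; }
    [ "$(mode_of "$dir")" = "700" ]     || { echo "$dir: mode $(mode_of "$dir"), expected 700"; bad=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # empty directory: the glob stays literal
        mode=$(mode_of "$f")
        [ "$(owner_of "$f")" = "$owner" ] || { echo "$f: owned by $(owner_of "$f"), expected $owner"; bad=1; }
        case "$f" in
            *.pub) [ "$mode" = 644 ] || [ "$mode" = 600 ] || { echo "$f: mode $mode, expected 644 or 600"; bad=1; } ;;
            *)     [ "$mode" = 600 ] || { echo "$f: mode $mode, expected 600"; bad=1; } ;;
        esac
    done
    return "$bad"
}

# Typical use after generating a key as root (path and user are yours to substitute):
#   check_ssh_dir /home/webadmin/.ssh webadmin && echo "ok"
```

Run it as root (or as the user) against the real home directory; each violation is printed on its own line, and a non-zero exit status makes it usable as a gate in provisioning scripts.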

To authorize an existing public key (here root's) for the new user, copy it into the user's authorized_keys and fix ownership afterwards (note that cp replaces any existing authorized_keys; use >> redirection if you need to append to one):

# Copy public key
sudo cp /root/.ssh/id_rsa.pub /home/webadmin/.ssh/authorized_keys

# Fix ownership and permissions
sudo chown webadmin:webadmin /home/webadmin/.ssh/authorized_keys
sudo chmod 600 /home/webadmin/.ssh/authorized_keys

For bulk user key creation:

#!/bin/bash
set -u
USERS=("user1" "user2" "user3")

for user in "${USERS[@]}"; do
    # Resolve the home directory from the passwd database instead of assuming /home/$user
    HOME_DIR=$(getent passwd "$user" | cut -d: -f6)
    if [ -z "$HOME_DIR" ]; then
        echo "No such user: $user" >&2
        continue
    fi
    sudo -u "$user" mkdir -p "$HOME_DIR/.ssh"
    sudo -u "$user" chmod 700 "$HOME_DIR/.ssh"
    # Do not clobber an existing key; ssh-keygen would otherwise prompt to overwrite
    if [ -e "$HOME_DIR/.ssh/id_ed25519" ]; then
        echo "Key already exists for $user, skipping"
        continue
    fi
    # -N "" creates an unencrypted private key; -q suppresses the banner output
    sudo -u "$user" ssh-keygen -t ed25519 -f "$HOME_DIR/.ssh/id_ed25519" -N "" -q
    echo "Created SSH keys for $user"
done

When you need to create SSH keys for another user while logged in as root, directly modifying the generated files isn't the recommended approach. The proper method involves using ssh-keygen with the correct permissions and ownership.

Here's the correct procedure to generate SSH keys for another user:

# First create the target user's .ssh directory if it doesn't exist
mkdir -p /home/targetuser/.ssh
chown targetuser:targetuser /home/targetuser/.ssh
chmod 700 /home/targetuser/.ssh

# Generate the keypair as root
ssh-keygen -t rsa -b 4096 -f /home/targetuser/.ssh/id_rsa

# Fix permissions
chown targetuser:targetuser /home/targetuser/.ssh/id_rsa*
chmod 600 /home/targetuser/.ssh/id_rsa
chmod 644 /home/targetuser/.ssh/id_rsa.pub

Another clean approach is to switch to the target user:

su - targetuser -c "ssh-keygen -t rsa -b 4096"
# Or using sudo:
sudo -u targetuser ssh-keygen -t rsa -b 4096

Modifying the generated files manually can lead to:

  • Permission issues causing SSH to reject the keys
  • Potential security vulnerabilities
  • Improper key formatting that might break authentication

After generation, you'll typically want to deploy the public key:

cat /home/targetuser/.ssh/id_rsa.pub >> /home/targetuser/.ssh/authorized_keys
chown targetuser:targetuser /home/targetuser/.ssh/authorized_keys
chmod 600 /home/targetuser/.ssh/authorized_keys
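After appending, it is worth confirming that authorized_keys is still well-formed: sshd ignores lines it cannot parse, and the client only sees an authentication failure. The validator below is an added example, not from the original article. It checks that each line has the "[options] TYPE BASE64 [comment]" shape and that the key type embedded in the base64 blob matches the declared one. It assumes GNU coreutils (base64, head, tail) and uses a simplified options parser that does not handle quoted whitespace inside the options field; the sample key blob in the comments is constructed (an all-zero ed25519 public key), not a real key.

```shell
#!/bin/bash
# Added example (not from the original article): validate authorized_keys entries
# so a malformed line is caught before sshd silently skips it at login.
# Assumes GNU coreutils (base64, head, tail); options fields with quoted
# whitespace are not handled by this simplified parser.

# known_type TYPE -> 0 if TYPE is a key type OpenSSH accepts in authorized_keys
known_type() {
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|\
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# valid_key_line "<line>" -> 0 if the line is "[options] TYPE BASE64 [comment]"
# and the base64 blob really encodes a key of TYPE.
valid_key_line() {
    local ktype blob decoded
    local -a w
    read -ra w <<< "$1"             # split on whitespace without glob expansion
    set -- "${w[@]}"
    [ $# -ge 2 ] || return 1        # need at least TYPE and BASE64
    known_type "$1" || shift        # first word is an options field, not a type
    [ $# -ge 2 ] || return 1
    ktype=$1; blob=$2
    known_type "$ktype" || return 1
    case "$blob" in *[!A-Za-z0-9+/=]*) return 1 ;; esac   # not base64 characters
    # SSH wire format: the blob starts with uint32 length + the type name, so the
    # declared type must match the one embedded in the blob. tr strips NUL bytes
    # so a short or bogus blob yields a harmless mismatch instead of a shell warning.
    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null \
              | head -c $((4 + ${#ktype})) | tail -c "${#ktype}" | tr -d '\0')
    [ "$decoded" = "$ktype" ]
}

# check_authorized_keys FILE -> 0 if every non-blank, non-comment line is valid;
# otherwise prints each offending line number and returns 1.
check_authorized_keys() {
    local file=$1 line n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        valid_key_line "$line" || { echo "$file:$n: malformed entry"; bad=1; }
    done < "$file"
    return "$bad"
}

# Constructed sample (an all-zero ed25519 key, valid in shape only):
#   BLOB="AAAAC3NzaC1lZDI1NTE5AAAAI$(printf '%043d' 0 | tr 0 A)"
#   valid_key_line "ssh-ed25519 $BLOB webadmin@production" && echo "well-formed"
#   check_authorized_keys /home/targetuser/.ssh/authorized_keys
```

The type-prefix comparison catches the common copy-paste failures (a blob pasted under the wrong type, a line wrapped or truncated at the front, stray characters) without needing ssh-keygen on the box; for a full cryptographic sanity check of each entry, ssh-keygen -l -f on the file is the authoritative tool.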

Always test the new key pair:

sudo -u targetuser ssh -T git@github.com  # Example for GitHub
# Or for local testing:
sudo -u targetuser ssh localhost