When administering servers with multiple service accounts, maintaining individual authorized_keys files becomes tedious. Each time you need to add or revoke an administrator's access, you must update numerous files across different home directories.
The sshd_config file allows specifying multiple authorized_keys locations through the AuthorizedKeysFile directive. The default is:

```
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
```
We can extend this to include a centralized location:

```
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys/%u
```
1. Create a directory for shared keys:

```
sudo mkdir -p /etc/ssh/authorized_keys
```

2. Set appropriate permissions:

```
sudo chmod 755 /etc/ssh/authorized_keys
```

3. Create user-specific key files (optional):

```
sudo touch /etc/ssh/authorized_keys/user1
sudo touch /etc/ssh/authorized_keys/user2
```
For more granular control, combine with Match directives in sshd_config:

```
Match Group admins
    AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/global_keys/admins
Match Group developers
    AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/global_keys/devs
```
Here's a complete example for managing web service accounts:

```
# /etc/ssh/sshd_config
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/shared_keys/%u

# Create shared keys directory
sudo mkdir -p /etc/ssh/shared_keys
sudo chmod 755 /etc/ssh/shared_keys

# Add keys for apache user
echo "ssh-rsa AAAAB3N... admin1@workstation" | sudo tee /etc/ssh/shared_keys/apache
echo "ssh-rsa AAAAB3N... admin2@workstation" | sudo tee -a /etc/ssh/shared_keys/apache

# Restart SSH
sudo systemctl restart sshd
```
- Set strict permissions (600 for key files, 755 for directories)
- Regularly audit who has access to the centralized location
- Consider using command= restrictions in the shared keys file
- Monitor authentication logs for unexpected access patterns
For dynamic key management, use a script:

```
# /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/local/bin/get_auth_keys.sh %u %k %t
AuthorizedKeysCommandUser nobody
```
Example script:

```bash
#!/bin/bash
# AuthorizedKeysCommand helper: sshd passes the login name as $1 (%u);
# %k and %t arrive as $2 and $3 but are not needed here.
user=$1

# Check local keys first. This runs as AuthorizedKeysCommandUser, so that
# account must be able to read the file (a 600 file owned by the user is not
# readable by nobody).
if [ -f "/home/$user/.ssh/authorized_keys" ]; then
    cat "/home/$user/.ssh/authorized_keys"
fi

# Add shared admin keys when the user is listed. Match the whole line as a
# fixed string so that "bob" does not also match "bobby".
if grep -qxF -- "$user" /etc/ssh/admin_users; then
    cat /etc/ssh/shared_admin_keys
fi
```
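The answer above recommends regularly auditing who has access through the centralized location. The script below is an added example, not code from the original answer: it parses every per-account file in a directory laid out like /etc/ssh/authorized_keys/%u, reports the key type and comment for each entry, and flags whether the entry carries a command= or restrict option. The parsing detail that matters is the options field, which can contain spaces and commas inside double quotes, so it cannot simply be split on whitespace. The directory name and the key material are constructed for the demo and are not real keys.

```shell
#!/usr/bin/env bash
# Added example (not from the original answers): audit the per-account files in a
# centralized AuthorizedKeysFile directory such as /etc/ssh/authorized_keys/%u.
# For every key line it reports account, key type, comment, whether the entry is
# restricted (carries command= or restrict) and the raw options field.
# Directory paths and sample key material below are constructed for the demo.

# Parse one authorized_keys file and print one summary line per key.
# The options field (everything before the key type) may contain spaces and
# commas inside double quotes, e.g. command="foo bar", so it is scanned
# character by character instead of being split on whitespace.
audit_keys_file() {
    local file=$1 account=$2
    awk -v account="$account" '
    function emit(line,    opts, rest, i, c, inq, n, f, keytype, comment, restricted) {
        # skip blank lines and comments
        if (line ~ /^[[:space:]]*$/ || line ~ /^[[:space:]]*#/) return
        if (line ~ /^(ssh-|ecdsa-|sk-)/) {          # line starts with the key type: no options
            opts = ""; rest = line
        } else {                                    # options end at the first unquoted space
            inq = 0
            for (i = 1; i <= length(line); i++) {
                c = substr(line, i, 1)
                if (c == "\\") { i++; continue }    # skip an escaped character
                if (c == "\"") inq = !inq
                else if (c == " " && !inq) break
            }
            opts = substr(line, 1, i - 1)
            rest = substr(line, i + 1)
        }
        n = split(rest, f, " ")
        if (n < 2) { print "MALFORMED " account ": " line > "/dev/stderr"; return }
        keytype = f[1]
        comment = ""
        for (i = 3; i <= n; i++) comment = comment (i > 3 ? " " : "") f[i]
        restricted = (opts ~ /(^|,)command=/ || opts ~ /(^|,)restrict(,|$)/) ? "yes" : "no"
        print account " " keytype " restricted=" restricted " comment=" comment " options=" (opts == "" ? "-" : opts)
    }
    { emit($0) }
    ' "$file"
}

# Walk a shared-keys directory (one file per account) and audit every file.
audit_shared_keys() {
    local dir=$1 f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        audit_keys_file "$f" "$(basename "$f")"
    done
}

# Build a throwaway directory with constructed, non-functional key material so
# the example runs offline; prints the directory path.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    cat > "$d/apache" <<'EOF'
# constructed sample file: the key blobs are placeholders, not real keys
command="/usr/local/bin/limit_session.sh",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY admin1@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLEKEY admin2@laptop
EOF
    cat > "$d/nginx" <<'EOF'
restrict,command="echo \"hello, world\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY ops@bastion
EOF
    printf '%s\n' "$d"
}

# Run the audit against the constructed directory.
sample_dir=$(make_sample_dir)
audit_shared_keys "$sample_dir"
rm -rf "$sample_dir"
```

Run it against the real directory with `audit_shared_keys /etc/ssh/authorized_keys`; entries reported as restricted=no are the ones the answer's advice about command= restrictions applies to.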
Managing SSH keys across multiple service accounts becomes increasingly complex as infrastructure grows. While the standard approach involves copying public keys to each user's ~/.ssh/authorized_keys file, this creates maintenance headaches when dealing with dozens or hundreds of accounts.
The SSH daemon provides configuration options that allow centralized key management through the AuthorizedKeysFile directive in /etc/ssh/sshd_config:

```
# Example configuration for shared authorized_keys
Match Group admins
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u /etc/ssh/authorized_keys/admins_shared
Match Group developers
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u /etc/ssh/authorized_keys/devs_shared
Match All
    AuthorizedKeysFile %h/.ssh/authorized_keys
```
1. Create directory structure:

```
sudo mkdir -p /etc/ssh/authorized_keys
sudo chmod 755 /etc/ssh/authorized_keys
```

2. Create shared key files:

```
sudo touch /etc/ssh/authorized_keys/admins_shared
sudo touch /etc/ssh/authorized_keys/devs_shared
sudo chmod 644 /etc/ssh/authorized_keys/*
```
For more granular control, combine with command= restrictions in the shared authorized_keys file:

```
# In /etc/ssh/authorized_keys/admins_shared
command="/usr/bin/sudo -u $USER /bin/bash" ssh-rsa AAAAB3Nza... admin1@workstation
command="/usr/local/bin/limit_session.sh" ssh-rsa AAAAB3Nza... admin2@laptop
```
- Set proper file permissions (600 for keys, 700 for directories)
- Regularly audit shared key files
- Consider combining with SSH certificates for better traceability
- Document all shared access in your security policy
For larger deployments, SSH certificates may provide better scalability:

```
# Generate CA key
ssh-keygen -f ssh_ca -b 4096

# Sign user key
ssh-keygen -s ssh_ca -I "admin_access" -n "user1,user2,user3" id_rsa.pub
```
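Both answers tell you to set proper permissions on the centralized files, and sshd enforces the important part itself: with StrictModes (on by default) it refuses to use an authorized_keys file, or any directory on the path to it, that is group- or world-writable, and it does so silently from the user's point of view. The following is an added example, not code from either answer: a check you can run on a directory like /etc/ssh/authorized_keys before restarting sshd, applying the same write-bit rule. The directory and key line it runs on are constructed for the demo; the real directory path is an assumption taken from the answers.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answers. sshd's StrictModes check
# rejects an authorized_keys file, and every directory leading to it, if the
# path is group- or world-writable. This applies the same rule to a centralized
# key directory so a permission slip is caught before sshd ignores the keys.
# The directory used below is constructed for the demo.

# Return 0 if the path is neither group- nor world-writable, 1 otherwise.
not_writable_by_others() {
    local mode
    mode=$(ls -ld "$1" | cut -d' ' -f1)      # e.g. drwxr-xr-x or -rw-r--r--
    # character 6 is the group write bit, character 9 the world write bit
    case "$(printf '%s' "$mode" | cut -c6,9)" in
        --) return 0 ;;
        *)  return 1 ;;
    esac
}

# Check a shared-keys directory and every entry in it.
# Prints each offending path with its mode string; returns 1 if any were found.
check_key_perms() {
    local dir=$1 p bad=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue           # skip the literal glob when the dir is empty
        if ! not_writable_by_others "$p"; then
            printf 'UNSAFE %s %s\n' "$(ls -ld "$p" | cut -d' ' -f1)" "$p"
            bad=1
        fi
    done
    return "$bad"
}

# Demo on a constructed directory standing in for /etc/ssh/authorized_keys.
demo_dir=$(mktemp -d)
chmod 755 "$demo_dir"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY admin1@workstation\n' > "$demo_dir/apache"
chmod 644 "$demo_dir/apache"
check_key_perms "$demo_dir" && echo "ok: $demo_dir passes the StrictModes-style check"
chmod 664 "$demo_dir/apache"               # simulate a careless chmod
check_key_perms "$demo_dir" || echo "rejected: fix the listed paths before restarting sshd"
rm -rf "$demo_dir"
```

The check reads the mode string from `ls -ld` rather than `stat` or `find -perm`, whose flags differ between GNU and BSD userlands, so it behaves the same on any host where sshd runs. Ownership is deliberately not checked here: sshd also requires the file to be owned by root or by the login user, which is worth verifying separately once the files are in place.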