SSH: one authorized_keys for multiple service accounts

Solution 1:

You can use the AuthorizedKeysFile directive in /etc/ssh/sshd_config to do this. The defaut location is .ssh/authorized_keys but you could use something which contained an absolute path e.g.

AuthorizedKeysFile /path/to/your/keyfile

the man pages says this


Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup. The following tokens are defined: %% is replaced by a literal ’%’, %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user’s home directory. The default is “.ssh/authorized_keys”.

Solution 2:

Edit: You should upvote @Iain's answer above. It is complete and accurate. My answer below is geared towards shared private keys - clearly a misunderstanding on my part. I'll leave this answer here, since I consider it a valuable piece of information, just not for this specific question.

I don't know your use-case, but I'm tempted to say "you're doing it wrong."

Each user should have their own kepair. That way, when a user leaves, is transferred, promoted to a management role, or anything else that requires revocation of rights, you just revoke that one key. This also makes effective auditing much, much harder.

If you need users to be able to impersonate other users, they should be configured to do so with sudo. Having shared SSH keys is normally not a good idea.

Solution 3:

Your administrators should use and appropriate (for your environment) combination of sudo and su.

ssh is not the right tool for this.

Contradictory Edit (Sorry, looks like I suffered from title blindness. Thank you Zoredache):

Put all of the service accounts in the same group, use that group as part of a Match block in sshd_config specify the AuthorisedKeysFile you want them all to use. (The match group is so that all accounts are not effected.) They will, however, no longer have individual AuthorisedKeysFiles. openssh-lpk may allow the individual accounts to have their own keys in addition, but I'm not sure about that.