0

I've created the private/public key pair using ssh-keygen. I installed the public key as described in https://help.ubuntu.com/community/SSH/OpenSSH/Keys

And it works without a password, as expected - but only when logging in to root. Logging in directly as root is obviously a bad idea.

But the question is, how is that key pair associated or restricted to a given userid? I wouldn't expect a user to be able to log into ANY account on a system simply by virtue of having the public key installed on a host...

sea26.2
  • 111

2 Answers

1

The command:

ssh-copy-id username@host

as documented in the link above, does not work from a Mac. Therefore, I logged in as root and of course, that is where the key was installed.

The answer seems to be: if you log in as the user, then cat the public key to the ~/.ssh/authorized_keys file.

Anwar
  • 77,855
sea26.2
  • 111
0

Every user has to transfer their public key to the .ssh directory in their home directory.

I am a Regular User

Just follow a quick fix to get it to work for your remote machine.


I secured my home directory with encryption

(Copied from https://help.ubuntu.com/community/SSH/OpenSSH/Keys)

If you have an encrypted home directory, SSH cannot access your authorized_keys file because it is inside your encrypted home directory and won't be available until after you are authenticated. Therefore, SSH will default to password authentication.

To solve this, create a folder outside your home named:

/etc/ssh/<username> (replace "<username>" with your actual username).

This directory should have 755 permissions and be owned by the user. Move the authorized_keys file into it. The authorized_keys file should have 644 permissions and be owned by the user.

Then edit your /etc/ssh/sshd_config and add:

AuthorizedKeysFile    /etc/ssh/%u/authorized_keys

Finally, restart ssh with:

sudo service ssh restart

The next time you connect with SSH you should not have to enter your password.
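As an added example (not part of the answer above or of the Ubuntu wiki page it quotes), this shell function audits the layout those steps describe: it expands %u in the AuthorizedKeysFile pattern for one account and checks that the directory is 755 and the file 644, both owned by that account. It assumes GNU stat as shipped on Ubuntu; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the per-user key location described above.
# Assumes GNU stat (Ubuntu); function names are illustrative only.

# check_path <path> <d|f> <owner> <mode>: compare type, owner and octal mode.
check_path() {
    cp_path=$1; cp_kind=$2; cp_owner=$3; cp_mode=$4
    if ! test "-$cp_kind" "$cp_path"; then
        echo "FAIL $cp_path: missing"
        return 1
    fi
    cp_got=$(stat -c '%U %a' "$cp_path")
    if [ "$cp_got" != "$cp_owner $cp_mode" ]; then
        echo "FAIL $cp_path: is '$cp_got', want '$cp_owner $cp_mode'"
        return 1
    fi
    echo "ok   $cp_path ($cp_got)"
}

# audit_authorized_keys <username> [AuthorizedKeysFile pattern]
# Returns 0 if both checks pass, 1 on a finding, 2 on a bad username.
audit_authorized_keys() {
    ak_user=$1
    ak_pattern=${2:-/etc/ssh/%u/authorized_keys}
    # Reject empty or odd usernames before substituting them into a path.
    case $ak_user in
        ''|.|..|*[!A-Za-z0-9._-]*)
            echo "bad username: '$ak_user'" >&2
            return 2 ;;
    esac
    # Only the %u token is expanded here; sshd_config supports others.
    ak_file=$(printf '%s\n' "$ak_pattern" | sed "s|%u|$ak_user|g")
    ak_rc=0
    # Modes are the ones stated in the steps above: 755 and 644.
    check_path "$(dirname "$ak_file")" d "$ak_user" 755 || ak_rc=1
    check_path "$ak_file" f "$ak_user" 644 || ak_rc=1
    return $ak_rc
}

# When run as a script with arguments, audit that account.
if [ "$#" -gt 0 ]; then
    audit_authorized_keys "$@"
fi
```

Because the path is built from the account name, a key placed in one account's file only authorizes logins to that account, which is why a key installed while logged in as root worked only for root.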