
Solved: How do I create a SSH key for user as root

Question

I currently have an SFTP server where, when I create a user, I do not give them SSH access to the system. Users can only use port 22 for SFTP (FileZilla, WinSCP, etc.).

Recently we have had the need for someone to log in to the SFTP server using a key. The only way that I know of is to log on to the server as that user and run ssh-keygen to make the key.

  1. Since I am not allowing the user to login, can I generate the key for the user as root?
  2. If so, can it be done in a way that doesn’t impact the root user from logging in or trying to use that key for login?
  3. How you arrange for… only SFTP + not SSH depends on how you have your machine configured?

Answer

As root, you become that user by using su - username, then you can create the keypair, but you would probably just need the public key from the user that tries to log in. The user would create the keypair and supply you with their public key. You then copy that public key into the ~/.ssh/authorized_keys file so the user can SFTP without entering a password.

Question 1: Since I am not allowing the user to login, can I generate the key for the user as root?

Answer 1: If you have SSH root access yourself, then you can generate a key for any user. But this would break the security.

Question 2: If so, can it be done in a way that doesn’t impact the root user from logging in or trying to use that key for login?

Answer 2: Yes. You just generate a new key, then provide the private key part to your SFTP user. On a normal Unix, the user logs in as that user and creates a key pair in his root. But this also undermines the security in the normal SFTP scenario, as you can copy his private key.

Question 3: How you arrange for… only SFTP + not SSH depends on how you have your machine configured?

Answer 3: A user who wants to SFTP has to send us his public key. An easy way is to use the /root/.ssh/authorized_keys syntax to limit the key so it can only be used for SFTP + no other program, like ssh.
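As an added example (not from the original thread), the following POSIX shell script installs a user's public key into that user's own ~/.ssh/authorized_keys with options that limit the key to SFTP, and audits the file for entries that lack that restriction. It assumes OpenSSH 7.2 or later (for the restrict option) with the built-in internal-sftp subsystem; the user name, sample key and paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the original Q&A. Assumes OpenSSH >= 7.2 ("restrict")
# and the internal-sftp subsystem. User name, key and paths below are constructed.

# Constructed sample public key (not a real key). In practice the user generates the
# key pair on their own machine and sends only this public half; root never sees the
# private key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE user@laptop'

# Print the authorized_keys line for PUBKEY. "restrict" disables pty allocation,
# port/X11/agent forwarding and ~/.ssh/rc; command= forces the SFTP subsystem
# regardless of what the client asks for, so an interactive ssh login is refused.
restrict_key() {
    printf 'restrict,command="internal-sftp" %s\n' "$1"
}

# Append the restricted key to HOME/.ssh/authorized_keys with the modes sshd's
# StrictModes expects (directory 700, file 600, owned by USER). Run as root.
install_key() {
    user=$1; home=$2; pubkey=$3
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    restrict_key "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if [ "$(id -u)" -eq 0 ]; then chown -R "$user" "$home/.ssh"; fi
}

# Return 0 when every key line in FILE is SFTP-only, 1 otherwise; offending
# lines are reported on stderr so the audit can run from cron or a config check.
audit_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;                               # blank or comment
            ssh-*|ecdsa-*|sk-*) echo "no options: $line" >&2; bad=1 ;;   # bare key
            *restrict*'command="internal-sftp"'*|*'command="internal-sftp"'*restrict*) ;;
            *) echo "not SFTP-only: $line" >&2; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Stand-alone run: show the line that would be installed for the sample key.
restrict_key "$SAMPLE_PUBKEY"
```

The sshd_config side (Match block with ForceCommand internal-sftp and ChrootDirectory) is a separate, server-wide control; the per-key options above work even where that has not been configured.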