
I am writing a tutorial on setting up Ceph the hard way, shell all the way.

I am not happy with the number of ssh commands it takes to connect to a remote host as root, create a new user, then scp keys over... there must be a smarter, simpler way - especially on Ubuntu.

Here is the exact problem: local user FOO that has access to remote server with user ROOT needs to set up keys (and possibly the user as well) for user CEPH. Repeat n times with n remote hosts.

Any clever one-liners I am missing?

current steps:

scp -i digitalocean id_rsa.pub storage-1:/root
ssh -i digitalocean storage-1
useradd ceph
mkdir ~ceph/.ssh
cat id_rsa.pub >> ~ceph/.ssh/authorized_keys
chmod 700 ~ceph/.ssh
chmod 600 ~ceph/.ssh/authorized_keys 
chown ceph:ceph ~ceph/.ssh/authorized_keys 
chown ceph:ceph ~ceph/.ssh/
rm id_rsa.pub
0xF2

4 Answers


Part of your problem lies in the creation of .ssh. What I'd do is use ssh-keygen, which will create it if it doesn't exist and set permissions properly (and, of course, create a key pair for the user).

$ scp -i digitalocean id_rsa.pub storage-1:/tmp
$ ssh -i digitalocean storage-1 '
# create the account without prompting for a GECOS field or a password
adduser --gecos "" --disabled-password ceph
# ssh-keygen creates ~ceph/.ssh (mode 700) as a side effect of writing the key there;
# the empty line on stdin answers the overwrite prompt with "no" if a key already exists
echo | sudo -u ceph ssh-keygen -N "" -f ~ceph/.ssh/id_rsa
# copy as ceph so authorized_keys is owned by ceph, not root
sudo -u ceph cp /tmp/id_rsa.pub ~ceph/.ssh/authorized_keys
'

Notes:

  • use adduser instead of useradd - it creates a skeleton home directory, from /etc/skel.
  • --gecos "" and --disabled-password are used to avoid prompting. If you don't mind prompts for name and password, you can skip these options.
  • ssh-keygen can create .ssh with the right permissions
  • Again, -N "" and -f ~ceph/.ssh/id_rsa are used to avoid prompts. You can skip these if you don't mind prompts for the key location (for which the default is fine) and if you wish to set a passphrase.
  • Neither .ssh nor .ssh/authorized_keys need to have 700 as the mode. As long as only the owner can write to them, it's fine (755 for .ssh and 644 for .ssh/authorized_keys is just fine).
muru

Because this is Digital Ocean, the problem can be addressed by setting userdata as part of the initial cloud instance bootup - the following will create a ceph user, put it in the sudoers group, and configure the SSH keys required to provide login.

#cloud-config
users:
  - name: ceph
    groups: sudo
    shell: /bin/bash
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh-authorized-keys:
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDf0q4PyG0doiBQYV7OlOxbRjle026hJPBWD+eKHWuVXIpAiQlSElEBqQn0pOqNJZ3IBCvSLnrdZTUph4czNC4885AArS9NkyM7lK27Oo8RV888jWc8hsx4CD2uNfkuHL+NI5xPB/QT3Um2Zi7GRkIwIgNPN5uqUtXvjgA+i1CS0Ku4ld8vndXvr504jV9BMQoZrXEST3YlriOb8Wf7hYqphVMpF3b+8df96Pxsj0+iZqayS9wFcL8ITPApHi0yVwS8TjxEtI3FDpCbf7Y/DmTGOv49+AWBkFhS2ZwwGTX65L61PDlTSAzL+rPFmHaQBHnsli8U9N6E4XHDEOjbSMRX f2@digitalocean

I still believe there should be a smart way to do this not involving the cloud fabric.

0xF2

I found a more generic solution by modifying the answer to this question to accomplish this while logging in as another user:

# useradd -m creates /home/ceph (plain useradd does not on Ubuntu); the final chown hands .ssh to ceph,
# because sshd opens authorized_keys as that user and cannot read a root-owned 0600 file
cat ~/.ssh/id_rsa.pub | ssh root@storage-1 'useradd -m ceph; umask 0077; mkdir -p ~ceph/.ssh; cat >> ~ceph/.ssh/authorized_keys && chown -R ceph:ceph ~ceph/.ssh && echo "Key copied"'
0xF2
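Combining muru's answer (adduser plus a correctly permissioned .ssh) with the piped one-liner above into something that can be pointed at n hosts, here is an added example script; it is not code from the question or from any of the answers. It assumes, as the question does, that ./digitalocean is the private key that gets root on every host, that the key to install is ~/.ssh/id_rsa.pub (one line, containing no single quotes), and that both ends are Linux (adduser, GNU install and getent on the hosts, GNU stat locally). Besides the remote script it includes a local check for the ownership and mode rules that sshd's StrictModes enforces on the home directory, .ssh and authorized_keys, which is the usual reason a freshly copied key is silently ignored.

```shell
#!/bin/sh
# Added example: provision a passwordless "ceph" account with an authorized
# SSH key on n hosts from the local user's machine, logging in as root.
# Not code from the question or the answers. Assumptions:
#   - ./digitalocean is the private key that gets root on every host
#     (override with ROOT_KEY=...)
#   - the key to install is ~/.ssh/id_rsa.pub (one line, no single quotes)
#   - hosts run Ubuntu with adduser(8), GNU install(1) and getent(1)
#   - the local checker uses GNU stat(1), i.e. it is written for Linux
set -eu

ROOT_KEY=${ROOT_KEY:-digitalocean}

# Print the script that runs on a host as root. Re-running it is safe: an
# existing account is kept and an already installed key is not duplicated.
#   $1 = account name, $2 = public key line
remote_setup_script() {
    local user=$1 pubkey=$2
    cat <<EOF
set -eu
id -u '$user' >/dev/null 2>&1 || adduser --gecos "" --disabled-password '$user'
home=\$(getent passwd '$user' | cut -d: -f6)
# install -d creates .ssh with the owner and mode sshd expects in one step
install -d -m 700 -o '$user' -g '$user' "\$home/.ssh"
touch "\$home/.ssh/authorized_keys"
grep -qxF '$pubkey' "\$home/.ssh/authorized_keys" || printf '%s\n' '$pubkey' >> "\$home/.ssh/authorized_keys"
chown '$user':'$user' "\$home/.ssh/authorized_keys"
chmod 600 "\$home/.ssh/authorized_keys"
EOF
}

# Check a home directory the way sshd's StrictModes does: the home, .ssh and
# authorized_keys must exist, be owned by the account (or root) and not be
# writable by group or others. Prints the first offending path, returns 1.
#   $1 = home directory, $2 = expected owner name
check_strict_modes() {
    local home=$1 owner=$2 path mode user
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then echo "missing: $path"; return 1; fi
        mode=$(stat -c %a "$path")
        user=$(stat -c %U "$path")
        # last two octal digits are group and other; 2,3,6,7 carry the write bit
        case $(printf %s "$mode" | tail -c 2) in
            *[2367]*) echo "group/other writable: $path ($mode)"; return 1 ;;
        esac
        if [ "$user" != "$owner" ] && [ "$user" != root ]; then
            echo "wrong owner: $path ($user)"; return 1
        fi
    done
    return 0
}

# Apply the script to each host as root, then prove the new account can log
# in with the matching private key (BatchMode=yes fails instead of prompting).
#   $1 = account name, $2 = public key file, remaining args = hosts
provision_hosts() {
    local user=$1 keyfile=$2 pubkey host
    shift 2
    pubkey=$(head -n 1 "$keyfile")
    for host in "$@"; do
        remote_setup_script "$user" "$pubkey" | ssh -i "$ROOT_KEY" "root@$host" sh -s
        ssh -i "${keyfile%.pub}" -o BatchMode=yes "$user@$host" true \
            && echo "$host: $user can log in"
    done
}

# Hosts are given on the command line, e.g.:
#   ./provision.sh storage-1 storage-2 storage-3
if [ "$#" -gt 0 ]; then
    provision_hosts ceph "$HOME/.ssh/id_rsa.pub" "$@"
fi
```

check_strict_modes can also be run on a host after the fact (as root, against /home/ceph) when a key that was "copied" still gets a password prompt; the remote script itself is re-runnable, so a host that was half done can simply be provisioned again.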

You can use ssh-copy-id to transfer your SSH key to a remote host.

Example:

mallard@steamroller:~$ ssh-copy-id mallard@puter
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'mallard@puter'"
and check to make sure that only the key(s) you wanted were added.

It automatically creates directories (such as .ssh) and sets them to the correct permissions.