© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
a60fb26
(Get the code!)
Verified for lunar and jammy:
# lxc launch ubuntu:jammy test-openssh-lunar
# lxc exec test-openssh-lunar bash
# cat <<EOF >/etc/apt/
# Enable Ubuntu proposed archive
deb http://
EOF
# apt update && apt dist-upgrade -y
# mkdir reproducer
# cd reproducer
# mkdir certuser keyonlyuser
# cd keyonlyuser
# ssh-keygen -t ed25519 -f key
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in key
Your public key has been saved in key.pub
...
# cd ../certuser/
# ssh-keygen -t rsa -f ca
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ca
Your public key has been saved in ca.pub
# ssh-keygen -t ed25519 -f key
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in key
Your public key has been saved in key.pub
# ssh-keygen -s ca -I key_id -n certuser key.pub
Signed user key key-cert.pub: id "key_id" serial 0 for certuser valid forever
# cd ..
# cat <<EOF >authorized_
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
EOF
# chmod 755 authorized_
# adduser --disabled-password otheruser
Adding user `otheruser' ...
Adding new group `otheruser' (1001) ...
Adding new user `otheruser' (1001) with group `otheruser' ...
Creating home directory `/home/otheruser' ...
Copying files from `/etc/skel' ...
Changing the user information for otheruser
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
# adduser --disabled-password keyonlyuser
Adding user `keyonlyuser' ...
Adding new group `keyonlyuser' (1002) ...
Adding new user `keyonlyuser' (1002) with group `keyonlyuser' ...
Creating home directory `/home/keyonlyuser' ...
Copying files from `/etc/skel' ...
Changing the user information for keyonlyuser
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
# cat <<EOF >authorized_keys
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo "ssh-ed25519 AAAAC3NzaC1lZDI
fi
EOF
# chmod 755 authorized_keys
# vi /etc/ssh/
i
AuthorizedKeysC
AuthorizedKeysC
AuthorizedPrinc
AuthorizedPrinc
TrustedUserCAKeys /root/reproduce
[esc]
:wq
# systemctl restart ssh
# ssh keyonlyuser@
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
Welcome to Ubuntu 23.04 (GNU/Linux 5.15.0-83-generic x86_64)
...
$ exit
# ssh otheruser@localhost -i /root/reproduce
Welcome to Ubuntu 23.04 (GNU/Linux 5.15.0-83-generic x86_64)
# lxc launch ubuntu:jammy test-openssh-jammy
# lxc exec test-openssh-jammy bash
# cat <<EOF >/etc/apt/
# Enable Ubuntu proposed archive
deb http://
EOF
# apt update && apt dist-upgrade -y
# mkdir reproducer
# cd reproducer
# mkdir certuser keyonlyuser
# cd keyonlyuser
# ssh-keygen -t ed25519 -f key
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in key
Your public key has been saved in key.pub
...
# cd ../certuser/
# ssh-keygen -t rsa -f ca
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ca
Your public key has been saved in ca.pub
# ssh-keygen -t ed25519 -f key
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in key
Your public key has been saved in key.pub
# ssh-keygen -s ca -I key_id -n certuser key.pub
Signed user key key-cert.pub: id "key_id" serial 0 for certuser valid forever
# cd ..
# cat <<EOF >authorized_
#!/bin/sh
if [ "$1" = "otheruser" ]; then
echo certuser
fi
EOF
# chmod 755 authorized_
# adduser --disabled-password otheruser
Adding user `otheruser' ...
Adding new group `otheruser' (1001) ...
Adding new user `otheruser' (1001) with group `otheruser' ...
Creating home directory `/home/otheruser' ...
Copying files from `/etc/skel' ...
Changing the user information for otheruser
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
# adduser --disabled-password keyonlyuser
Adding user `keyonlyuser' ...
Adding new group `keyonlyuser' (1002) ...
Adding new user `keyonlyuser' (1002) with group `keyonlyuser' ...
Creating home directory `/home/keyonlyuser' ...
Copying files from `/etc/skel' ...
Changing the user information for keyonlyuser
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
# cat <<EOF >authorized_keys
#!/bin/sh
if [ "$1" = "keyonlyuser" ]; then
echo "ssh-ed25519 AAAAC3NzaC1lZDI
fi
EOF
# chmod 755 authorized_keys
# vi /etc/ssh/
i
AuthorizedKeysC
AuthorizedKeysC
AuthorizedPrinc
AuthorizedPrinc
TrustedUserCAKeys /root/reproduce
[esc]
:wq
# systemctl restart ssh
# ssh keyonlyuser@
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-83-generic x86_64)
...
$ exit
# ssh otheruser@localhost -i /root/reproduce
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-83-generic x86_64)