Authorized Key

An authorized key in SSH is a public key used for granting login access to users. Authorized keys are a kind of SSH key. They are configured separately for each user, usually in the .ssh/authorized_keys file in the user's home directory. However, the location of the keys can be configured in SSH server configuration files, and it is often changed to a root-owned location in more secure environments.

Technically, an authorized key looks like this:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+Mh3U/3We4VYtV1QmWUFIzFLTUeegl1Ao5/QGtCRGAZn8bxX9KlCrrWISIjSYAwCajIEGSPEZwPNMBoK8XD8Q= ylo@klar
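The structure of that line can be checked in code. The following is an added example, not part of the original page or of any SSH implementation: it splits an authorized key line into key type, key blob and comment, confirms that the type named inside the base64 blob matches the declared type, and computes the SHA256 fingerprint used to identify a key during an inventory. It goes slightly beyond the line shown above by also accepting the optional options field that OpenSSH permits before the key type; the function names and the KEY_TYPES list are assumptions of this example.

```python
import base64
import hashlib
import struct

# Key line copied from the page's example above.
PAGE_KEY = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+Mh3U/3We4VYtV1QmWUFIzFLTUeegl1Ao5/QGtCRGAZn8bxX9KlCrrWISIjSYAwCajIEGSPEZwPNMBoK8XD8Q= ylo@klar"

# Assumption: a non-exhaustive list of key type names, enough for this example.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then the bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string runs past the end of the blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def split_unquoted(line):
    """Split on whitespace that is not inside a double-quoted option value."""
    out, cur, quoted, prev = [], "", False, ""
    for ch in line.strip():
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return out + ([cur] if cur else [])

def parse_authorized_key(line):
    fields = split_unquoted(line)
    # The key type is the first field, or the second when options come first.
    idx = next((i for i, f in enumerate(fields[:2]) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no recognised key type followed by a key blob")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    inner, _ = read_string(blob, 0)
    if inner.decode("ascii", "replace") != fields[idx]:
        raise ValueError("declared key type does not match the type in the blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"options": fields[0] if idx == 1 else "", "type": fields[idx],
            "comment": " ".join(fields[idx + 2:]), "blob_len": len(blob),
            "fingerprint": "SHA256:" + digest}

if __name__ == "__main__":
    print(parse_authorized_key(PAGE_KEY))
```

The fingerprint is the unpadded base64 of the SHA-256 digest of the decoded blob, which is the form ssh-keygen -l prints by default, so the output can be compared against keys found on other hosts.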

Authorized keys configure access credentials and grant access to servers. They must be properly managed as part of identity and access management and are relevant for all compliance standards and cybersecurity-related laws, such as Sarbanes-Oxley for public companies, HIPAA for health care, and FISMA/NIST SP 800-53 for US government agencies.

Provisioning of Authorized Keys

Authorized keys are the only kind of credential that users are commonly able to self-provision. It is possible to prevent self-provisioning in SSH, but that requires a configuration change. The operation is often called lock-down, and it is usually one of the first steps in SSH key management.

Each SSH implementation has its own tools for creating and distributing SSH keys. Different implementations also use different formats for the key files.

Typically, provisioning an authorized key involves generating a key pair, installing the public key as an authorized key, and using the private key as an identity key.

Authorized Key Provisioning in OpenSSH

With OpenSSH, a key pair can be created using the ssh-keygen tool. The public key can then be copied to a server using the ssh-copy-id tool.

The whole process is very simple and only takes a few minutes. With the default configuration, anyone with access to a user account on a server can configure additional SSH keys for it.