Did you know that SSH can match “things”? I sure didn’t!
Tonight I wanted to grant SSH access to a service account that didn’t have a home directory, but was required to use keyauth. After a bit of research on the internet I added a new config file to /etc/ssh/sshd_config.d. (ノ´ з `)ノ I love drop-in configurations.
    Match Group homeless
        # %u expands to the name of the user who is logging in
        AuthorizedKeysFile /etc/ssh/authorized-keys/%u
I also needed to create the group homeless and add my service account to it. And, of course, I also needed to add the public key to the file referenced above. (So, if your service account is called pinkie, you’ll need to add the key to /etc/ssh/authorized-keys/pinkie.)
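An added example, not part of the original post: sshd's StrictModes option (on by default) ignores an authorized keys file when the file or a directory on its path is group- or world-writable, or owned by anyone other than the user or root. The function below applies that kind of check to the /etc/ssh/authorized-keys/%u layout; check_keyfile and its TOP argument are names made up for this example, and it assumes GNU stat.

```sh
#!/bin/sh
# Added example: approximate sshd's StrictModes check for a keys file
# that lives outside any home directory.
#
# usage: check_keyfile FILE UID [TOP]
#   FILE  keys file, e.g. /etc/ssh/authorized-keys/pinkie
#   UID   numeric uid of the account, e.g. "$(id -u pinkie)"
#   TOP   (hypothetical parameter) directory where the upward walk stops;
#         defaults to /, so every path component is checked
# returns 0 if the path looks acceptable, 1 if not, 2 on a stat error.
check_keyfile() {
    file=$1 want_uid=$2 top=${3:-/}

    if [ ! -f "$file" ]; then
        echo "missing or not a regular file: $file" >&2
        return 1
    fi

    p=$file
    while :; do
        # GNU stat: %a = octal mode, %u = numeric owner uid
        st=$(stat -c '%a %u' -- "$p") || return 2
        mode=${st% *}
        owner=${st#* }

        # Owner must be root or the account itself.
        if [ "$owner" -ne 0 ] && [ "$owner" -ne "$want_uid" ]; then
            echo "bad owner (uid $owner): $p" >&2
            return 1
        fi
        # No write bit for group (020) or others (002).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $mode): $p" >&2
            return 1
        fi

        # Stop at TOP, at the filesystem root, or at "." for relative paths.
        case $p in
            "$top"|/|.) break ;;
        esac
        p=$(dirname -- "$p")
    done
    return 0
}
```

Run it as root after creating the key file, for example `check_keyfile /etc/ssh/authorized-keys/pinkie "$(id -u pinkie)"`, and run `sshd -t` to catch syntax errors in the drop-in before reloading the daemon.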
Lastly, if you are on Windows and use the WSL to access a Linux server using keyauth, I can only advise copying your private key to some WSL folder instead of using the mounted Windows drive at /mnt/c/%something. I was not able to restrict the access on the private key file on the Windows drive in any way that was accepted by the ssh daemon. Copying the file to ~/.ssh/%something and restricting it (chmod 700) worked in the end.