[Bug 3957] New: Support appending to AuthorizedKeysFile

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat May 2 02:30:43 AEST 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3957

            Bug ID: 3957
           Summary: Support appending to AuthorizedKeysFile
           Product: Portable OpenSSH
           Version: 10.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dusty at dustymabe.com

Over time we have added support for specifying multiple files to
AuthorizedKeysFile and also supported glob patterns to be able to
select files based on a pattern.

This has made configuration more flexible, but there is one more
feature that would make this much better: the ability to append to
AuthorizedKeysFile with later config entries.

All of this is related to ownership of config. I'll give two examples
where this would be beneficial:

1. Currently systemd supports auto setting up an ssh listener over
VSOCK
(https://www.freedesktop.org/software/systemd/man/devel/systemd-ssh-generator.html).
The config for this looks like:

```
ExecStart=-/usr/sbin/sshd -i $OPTIONS -o "AuthorizedKeysFile
${CREDENTIALS_DIRECTORY}/ssh.ephemeral-authorized_keys-all
.ssh/authorized_keys"
```

See:
- https://src.fedoraproject.org/rpms/openssh/c/555ff68c37fbbd5e3e739a5144ee632e6e193be2?branch=f43
- https://github.com/systemd/systemd/blob/6a672f5df87ebd6b4edd1aea3a1a31fc76651313/src/ssh-generator/ssh-generator.c#L118


The problem with this config is that it completely overrides any
otherwise configured `AuthorizedKeysFile` directives. It lazily guesses
that `.ssh/authorized_keys` is sufficient to cover the defaults.


2. In Fedora CoreOS we have a few different ways to set an Authorized
Key for ssh. One of them is Ignition and the other Afterburn. Recently
we moved to a model where the sshd configuration is delivered by the
RPMs for Ignition and Afterburn rather than baked in at disk image
building time, but we found then that there was no way for the RPMs to
own just their own configuration.

https://src.fedoraproject.org/rpms/rust-afterburn/pull-request/52#comment-309085

So we must ship an sshd_config.d/ configuration in each that defines the
AuthorizedKeysFile for the entire system:

```
AuthorizedKeysFile=.ssh/authorized_keys .ssh/authorized_keys.d/*
```

The much more ideal way to do this would be to be able to do something
similar to AllowUsers where "This keyword may appear multiple times in
sshd_config with each instance appending to the list". That way both
the examples I showed above could be implemented without redefining the
AuthorizedKeysFile for the entire system.

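The two situations in the report both come down to how sshd resolves a keyword that appears more than once. sshd_config(5) documents that, unless noted otherwise, the first obtained value for a keyword is used, that `-o` options given on the command line are processed before the configuration file, that `Include` globs are expanded in lexical order, and that `AllowUsers` (and the other Allow/Deny keywords) instead append on each occurrence. The model below is an added example, not OpenSSH's parser and not code from the bug reporter, systemd or Fedora: it replays those documented rules over a constructed in-memory `/etc/ssh` tree with two hypothetical `sshd_config.d/` fragments (`40-ignition.conf`, `50-afterburn.conf`) and a made-up expansion of `${CREDENTIALS_DIRECTORY}`, to show why the VSOCK instance's `-o` override discards every fragment's `AuthorizedKeysFile`, while the `AllowUsers` entries from the same fragments survive and accumulate.

```python
"""Model of sshd keyword resolution across -o options, sshd_config and
Include'd fragments (added example; follows the rules in sshd_config(5),
it is not OpenSSH's own configuration parser)."""
import fnmatch
import re

# Keywords sshd_config(5) documents as appending when repeated.
APPENDING = {"allowusers", "allowgroups", "denyusers", "denygroups"}

# Constructed in-memory filesystem (path -> contents); no real files are read.
FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "AuthorizedKeysFile .ssh/authorized_keys\n"
        "AllowUsers core\n"
    ),
    # Hypothetical fragments standing in for what the Ignition and
    # Afterburn RPMs would have to ship today.
    "/etc/ssh/sshd_config.d/40-ignition.conf": (
        "AuthorizedKeysFile=.ssh/authorized_keys .ssh/authorized_keys.d/*\n"
    ),
    "/etc/ssh/sshd_config.d/50-afterburn.conf": (
        "AuthorizedKeysFile=.ssh/authorized_keys .ssh/authorized_keys.d/*\n"
        "AllowUsers admin\n"
    ),
}

# Made-up expansion of ${CREDENTIALS_DIRECTORY} for the VSOCK sshd instance.
VSOCK_OPTIONS = (
    "AuthorizedKeysFile /run/credentials/sshd-vsock/ssh.ephemeral-authorized_keys-all"
    " .ssh/authorized_keys",
)


def expand_include(pattern, files):
    """Paths matching an Include glob, in the lexical order sshd uses."""
    return sorted(p for p in files if fnmatch.fnmatch(p, pattern))


def parse_lines(text, files):
    """Yield (keyword, value) pairs in the order sshd would encounter them,
    descending into Include'd files at the point of the Include line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "include":
            for path in expand_include(value, files):
                yield from parse_lines(files[path], files)
        else:
            yield key, value


def resolve(files, main="/etc/ssh/sshd_config", options=()):
    """Effective configuration as a dict of keyword -> list of tokens.
    -o options are read first, then the main file; the first value wins
    for every keyword except the documented appending ones."""
    effective = {}
    stream = list(parse_lines("\n".join(options), files))
    stream += list(parse_lines(files[main], files))
    for key, value in stream:
        if key in APPENDING:
            effective.setdefault(key, []).extend(value.split())
        elif key not in effective:
            effective[key] = value.split()
    return effective


def lost_by_override(files, options):
    """AuthorizedKeysFile entries the fragments configure that an -o
    override silently drops: the gap the bug report is about."""
    base = set(resolve(files)["authorizedkeysfile"])
    overridden = set(resolve(files, options=options)["authorizedkeysfile"])
    return sorted(base - overridden)


if __name__ == "__main__":
    print("system sshd:", resolve(FILES))
    print("vsock sshd: ", resolve(FILES, options=VSOCK_OPTIONS))
    print("dropped by -o:", lost_by_override(FILES, VSOCK_OPTIONS))
```

`resolve(FILES)` shows the first-match rule already biting between the two fragments: only `40-ignition.conf`'s `AuthorizedKeysFile` is used, so each RPM has to repeat the whole system-wide value to be safe, exactly as the report describes. With the VSOCK `-o` option in front, `.ssh/authorized_keys.d/*` disappears from the effective list while `AllowUsers` still merges to `admin core`. On a real host the same check is `sshd -T | grep -i authorizedkeysfile`, or `sshd -T -o "AuthorizedKeysFile ..."` to see what a `-o`-launched instance will actually honour.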