authorized_keys2 directory idea

Pekka Savola pekkas at netcore.fi
Sat Jun 2 18:54:24 EST 2001


Hi,

In a mail about two weeks ago, I brought up an idea:

---
How SSH makes this easier is that you only have to sync the
authorized_keys2 database to root account's .ssh/ every time new admin
comes in/leaves the house.  This can even be automatized rather easily.  A
more modular hack would be using authorized_keys2 _directory_, and the
keys in there would all be counted as authorized.  Thus only one file
copy/removal would do the job, no need for sync; this would be profitable
in environments where all admins don't have access to all systems.
---

Root would not be the only one to profit from this; you would only need to
copy the pubkey file in the right dir (with a descriptive name if you
like!), and authorization would work without file editing.  Also, if you
need to refresh just one key, you could just scp that one over, no need
to edit the file either.

The more I think of this, the more it sounds like a nice feature to
have :-).  It'd probably be better as .ssh/authorized_keys.d/ or the
like, I suppose.

What do you think -- would this be useful?  Bloat?  Could it be considered
to be merged if it was implemented?

I did some preliminary checking, and I don't think this would add too
much new code: look up all files in the directory, disqualify those with
odd characters in them (e.g. allow [0-9a-zA-Z_.@-]), and feed the rest to the
current key check method one by one until a matching key is found.

Btw, I noticed when comparing auth-rsa.c/auth2.c that auth2.c does not
print a debug message:
--- openssh-cvs/auth2.c	Sat Jun  2 11:14:21 2001
+++ openssh.fix/auth2.c Sat Jun  2 11:13:40 2001
@@ -26,6 +28,8 @@
 	if (!f) {
 		/* Restore the privileged uid. */
 		restore_uid();
+		packet_send_debug("Could not open %.900s for reading.", file);
+		packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
 		return 0;
 	}
 	if (options.strict_modes) {
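Review bot: the hunk header `@@ -26,6 +28,8 @@` does not add up for a two-line insertion at the same place in both files (old start 26, new start 28), which suggests the diff was taken against a tree carrying other local edits or was hand-adjusted; regenerate it with `cvs diff -u` against a clean checkout so it applies cleanly. Separately, both `packet_send_debug()` calls only reach the client, so an admin reading the server log still sees nothing when the open fails; consider pairing them with a server-side `debug()` of the same failure before the `return 0;`, and keep the `restore_uid()` ahead of them as the hunk already does.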

Was this left out by design, or is it a leftover in auth-rsa.c?

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
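The directory walk sketched in the post above (list the directory, drop file names with odd characters, try each remaining file against the key check until one matches), written out as an added Python example; it is not part of this mail or of OpenSSH. It reads the proposed character set as [0-9a-zA-Z_.@-], adds a StrictModes-style ownership and permission check to each file and to the directory itself (an assumption about how such a feature would need to behave, not something the mail specifies), and builds a constructed authorized_keys.d/ with made-up key blobs; os.getuid() assumes a POSIX host.

```python
import os
import re
import stat
import tempfile

# File names accepted in the directory: the character set proposed in the
# mail ([0-9a-zA-Z_.@-], reading the archive's " at " as "@").
SAFE_NAME = re.compile(r"^[0-9a-zA-Z_.@-]+$")

# Prefixes of the key-type token in an authorized_keys line.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-")


def parse_key_line(line):
    """Return (keytype, base64_blob) for one authorized_keys line, or None.

    Blank lines and comments are skipped.  Leading options such as
    from="..." are skipped by scanning for the key-type token; quoted
    options containing whitespace are not handled by this simple parser.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPE_PREFIXES):
            return tok, tokens[i + 1]
    return None


def mode_is_safe(st, uid):
    """StrictModes-style check (assumed here, not specified by the mail):
    owned by the user or root, and not group- or world-writable."""
    return st.st_uid in (uid, 0) and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def list_key_files(dirpath, strict_modes=True, uid=None):
    """Enumerate candidate key files, dropping odd file names, anything
    that is not a regular file (symlinks are not followed) and, under
    strict modes, files or a directory with unsafe ownership/permissions."""
    if uid is None:
        uid = os.getuid()  # assumes a POSIX host
    dst = os.lstat(dirpath)
    if not stat.S_ISDIR(dst.st_mode):
        return []
    if strict_modes and not mode_is_safe(dst, uid):
        return []
    keyfiles = []
    for name in sorted(os.listdir(dirpath)):
        if not SAFE_NAME.match(name):
            continue  # e.g. a name containing a space or shell metacharacters
        path = os.path.join(dirpath, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        if strict_modes and not mode_is_safe(st, uid):
            continue
        keyfiles.append(path)
    return keyfiles


def find_matching_key(dirpath, presented_type, presented_blob, **kw):
    """Feed the files to the key check one by one, as the mail proposes,
    and return the name of the first file holding the presented key.
    Real sshd compares parsed keys; here the (type, blob) strings are
    compared directly."""
    for path in list_key_files(dirpath, **kw):
        with open(path) as fh:
            for line in fh:
                if parse_key_line(line) == (presented_type, presented_blob):
                    return os.path.basename(path)
    return None


def build_demo_dir():
    """Create a constructed authorized_keys.d/ with good and bad entries.
    The key blobs are made-up base64-looking strings, not real keys."""
    d = tempfile.mkdtemp(prefix="authorized_keys.d-")  # created mode 0700
    entries = {
        "alice.pub": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABALICE alice@example\n",
        "bob key.pub": "ssh-dss AAAAB3NzaC1kc3MAAACBOB bob@example\n",        # space in name
        "carol.pub": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCAROL carol@example\n",  # made group-writable
        "dave.pub": 'from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABDAVE dave@example\n',
    }
    for name, content in entries.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o600)
    os.chmod(os.path.join(d, "carol.pub"), 0o660)
    os.mkdir(os.path.join(d, "subdir"))  # not a regular file, ignored
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    print("accepted files:", [os.path.basename(p) for p in list_key_files(demo)])
    print("alice's key found in:", find_matching_key(demo, "ssh-rsa", "AAAAB3NzaC1yc2EAAAADAQABALICE"))
```

Two choices worth noting: symlinks inside the directory are not followed (lstat, then the regular-file test), so a link pointing out of the directory cannot smuggle in a key, and the filename allow-list is applied before any file is opened, so the name filter the mail describes also decides what is read at all.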
