authorized_keys2 directory idea

Jim Knoble jmknoble at
Mon Jun 4 07:43:58 EST 2001

Circa 2001-Jun-03 11:46:04 +0200 dixit Markus Friedl:

: i don't understand why editing a file is hard.

Editing a file is hard for many inexperienced users.  Especially a file
that contains very long lines filled with what appears to be meaningless
random letters and numbers.

Using a directory format has the potential to make it significantly
easier for users to install public keys onto a remote system.  Instead
of having to use a complicated set of shell commands such as:

  cat ~/.ssh/ |ssh remote-host 'cat >>~/.ssh/authorized_keys2'

(remember that ssh-copy-id only works for rsa1 keys), you can simply do:

  scp -p ~/.ssh/ remote-host:.ssh/authorized_keys2.d/local-host

Once they understand scp, inexperienced users can easily manage their
own public keys.  That's a big win for everyone.

: i think keeping a file in sync is simpler than syncing directories,
: especially deleting files.

Heard of rsync?  All you need is:

  rsync -av --delete master-key-repository/* \
    user@remote-host:.ssh/authorized_keys2.d/


  ssh remote-host 'cd .ssh/authorized_keys2.d; cvs update'

The file-based format could even stay there without a problem:  Simply
read ~/.ssh/authorized_keys2 first, then look for
~/.ssh/authorized_keys2.d/* and read them.  Existing practice doesn't
have to change.

   [Pekka Savola wrote:] 
: > What do you think -- would this be useful?  Bloat?  Could it be considered
: > to be merged if it was implemented?
: i don't think it's useful. switched to a-key-per-file, 
: but openssh and the traditional ssh use a-key-per-line

Myself, i think it's a fantastic idea.  Both experienced and
inexperienced users stand to benefit.

jim knoble | jmknoble at |
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
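The read-the-file-then-the-directory scheme the message sketches, written out as an added Python example that is not part of the original thread or of OpenSSH: it reads authorized_keys2 first, then authorized_keys2.d/* in name order, drops duplicate keys, and refuses for each file what sshd's StrictModes refuses for the single file (anything that is not a regular file, and group- or world-writable files). KEY_TYPES, fake_blob and demo are assumptions made for this example; the key blobs it builds are constructed test data, structurally valid SSH wire encodings but not real keys.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

# Key types accepted on a key line (assumed subset for this example; sshd
# keeps its own table).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_key_line(line):
    """Return (options, keytype, blob_b64, comment), None for blank/comment
    lines; raise ValueError for malformed lines.  The blob's wire encoding
    starts with the key type string, so a mismatch means it is not a key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            break
    else:
        raise ValueError("no recognised key type")
    if i + 1 >= len(tokens):
        raise ValueError("missing key blob")
    keytype, blob_b64 = tokens[i], tokens[i + 1]
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("key blob is not valid base64") from exc
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + tlen] != keytype.encode():
        raise ValueError("blob type does not match declared key type")
    return " ".join(tokens[:i]), keytype, blob_b64, " ".join(tokens[i + 2:])


def _safe_to_read(path):
    """Per-file check: no symlinks/devices, no group- or world-writable files."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if stat.S_IMODE(st.st_mode) & 0o022:
        return "group- or world-writable"
    return None


def load_authorized_keys(ssh_dir):
    """Read authorized_keys2, then authorized_keys2.d/* in name order.
    Returns (accepted, rejected): accepted keeps the first copy of each
    (keytype, blob), rejected lists (source, reason) for skipped input."""
    ssh_dir = Path(ssh_dir)
    sources = []
    legacy = ssh_dir / "authorized_keys2"
    if os.path.lexists(legacy):
        sources.append(legacy)
    keydir = ssh_dir / "authorized_keys2.d"
    if keydir.is_dir():
        sources.extend(sorted(keydir.iterdir()))
    accepted, rejected, seen = [], [], set()
    for path in sources:
        problem = _safe_to_read(path)
        if problem:
            rejected.append((path.name, problem))
            continue
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            try:
                parsed = parse_key_line(line)
            except ValueError as exc:
                rejected.append((f"{path.name}:{lineno}", str(exc)))
                continue
            if parsed is None or (parsed[1], parsed[2]) in seen:
                continue
            seen.add((parsed[1], parsed[2]))
            accepted.append(parsed)
    return accepted, rejected


def fake_blob(keytype, keybytes):
    """Constructed wire blob: string keytype + one string field (not a real key)."""
    raw = (struct.pack(">I", len(keytype)) + keytype.encode()
           + struct.pack(">I", len(keybytes)) + keybytes)
    return base64.b64encode(raw).decode()


def demo():
    """Build a throwaway .ssh directory from constructed data and load it."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh, d = Path(tmp), Path(tmp) / "authorized_keys2.d"
        d.mkdir()
        k1 = fake_blob("ssh-ed25519", b"\x01" * 32)
        k2 = fake_blob("ssh-rsa", b"\x02" * 64)
        files = {
            ssh / "authorized_keys2": f"# read first\nssh-ed25519 {k1} desktop\n",
            d / "laptop": f'from="10.0.0.0/8" ssh-rsa {k2} laptop\n',
            d / "desktop-copy": f"ssh-ed25519 {k1} desktop again\n",  # duplicate
            d / "broken": "ssh-rsa not-base64!! broken\n",            # malformed
            d / "loose": f"ssh-rsa {k2} loose\n",                      # mode 0666
        }
        for path, text in files.items():
            path.write_text(text)
            path.chmod(0o600)
        (d / "loose").chmod(0o666)                       # refused: writable
        (d / "link").symlink_to(ssh / "authorized_keys2")  # refused: symlink
        return load_authorized_keys(ssh)
```

Deduplication keys on (type, blob) and keeps the first copy, so an entry in the legacy file wins over a same-key file in the directory, including its options; a deployment that wants directory entries to override would need to reverse the source order.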
More information about the openssh-unix-dev mailing list