authorized_keys2 directory idea
Jim Knoble
jmknoble at jmknoble.cx
Mon Jun 4 07:43:58 EST 2001
Circa 2001-Jun-03 11:46:04 +0200 dixit Markus Friedl:
: i don't understand why editing a file is hard.
Editing a file is hard for many inexperienced users. Especially a file
that contains very long lines filled with what appears to be meaningless
random letters and numbers.
Using a directory format has the potential to make it significantly
easier for users to install public keys onto a remote system. Instead
of having to use a complicated set of shell commands such as:
cat ~/.ssh/identity.pub |ssh remote-host 'cat >>~/.ssh/authorized_keys2'
(remember that ssh-copy-id only works for rsa1 keys), you can simply do:
scp -p ~/.ssh/identity.pub remote-host:.ssh/authorized_keys2.d/local-host
Once they understand scp, inexperienced users can easily manage their
own public keys. That's a big win for everyone.
: i think keeping a file in sync is simpler than syncing directories,
: especially deleting files.
Heard of rsync? All you need is:
rsync -av --delete master-key-repository/* \
user@remote-host:.ssh/authorized_keys2.d/
Alternatively:
ssh remote-host 'cd .ssh/authorized_keys2.d; cvs update'
The file-based format could even stay there without a problem: Simply
read ~/.ssh/authorized_keys2 first, then look for
~/.ssh/authorized_keys2.d/* and read them. Existing practice doesn't
have to change.
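One way the merged lookup described above could behave, as an added example in Python that is neither OpenSSH code nor the poster's: it reads authorized_keys2 first, then authorized_keys2.d/* in sorted order, ignores dotfiles, editor backups and any file writable by group or other (the spirit of sshd's StrictModes), and lets the first occurrence of a key win. The key strings, file names and the `demo` layout are constructed for illustration.

```python
import stat
import tempfile
from pathlib import Path

KEY_A = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLEKEYAAAA== alice@laptop"  # constructed
KEY_B = "ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEYBBBB== alice@desktop"  # constructed

def _parse_key_lines(text):
    """Yield (keytype, blob, comment) per line; assumes no leading options field."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) >= 2:  # silently drop malformed lines
            yield fields[0], fields[1], fields[2] if len(fields) == 3 else ""

def load_authorized_keys(ssh_dir):
    """Read authorized_keys2 first, then authorized_keys2.d/* in sorted order.
    Returns ({(keytype, blob): (source_file, comment)}, [skipped file names])."""
    ssh_dir = Path(ssh_dir)
    sources = [p for p in [ssh_dir / "authorized_keys2"] if p.exists()]
    keydir = ssh_dir / "authorized_keys2.d"
    if keydir.is_dir():  # dotfiles and editor backups are never meant as keys
        sources += [p for p in sorted(keydir.iterdir())
                    if not (p.name.startswith(".") or p.name.endswith("~"))]
    keys, skipped = {}, []
    for path in sources:
        # StrictModes-style check: only regular files nobody else can write to.
        if not path.is_file() or path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            skipped.append(path.name)
            continue
        for keytype, blob, comment in _parse_key_lines(path.read_text()):
            # First occurrence wins, so a key present in both places is harmless.
            keys.setdefault((keytype, blob), (path.name, comment))
    return keys, skipped

def _write(path, text, mode=0o600):
    path.write_text(text)
    path.chmod(mode)

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed ~/.ssh layout
        ssh = Path(tmp)
        (d := ssh / "authorized_keys2.d").mkdir()
        _write(ssh / "authorized_keys2", "# legacy file\n" + KEY_A + "\n")
        _write(d / "local-host", KEY_A + "\n" + KEY_B + "\n")
        _write(d / "untrusted", KEY_B + "\n", 0o666)  # group/other-writable
        _write(d / ".local-host.swp", "not a key\n")
        return load_authorized_keys(ssh)
```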
[Pekka Savola wrote:]
: > What do you think -- would this be useful? Bloat? Could it be considered
: > to be merged if it was implemented?
:
: i don't think it's useful. ssh.com switched to a-key-per-file,
: but openssh and the traditional ssh use a-key-per-line
Myself, i think it's a fantastic idea. Both experienced and
inexperienced users stand to benefit.
--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)