authorized_keys2 directory idea

Pekka Savola pekkas at
Mon Jun 4 07:52:50 EST 2001

On Sun, 3 Jun 2001, Markus Friedl wrote:
> On Sat, Jun 02, 2001 at 11:54:24AM +0300, Pekka Savola wrote:
> > Root would not be the only one to profit from this; you would only need to
> > copy the pubkey file in the right dir (with a descriptive name if you
> > like!), and authorization would work without file editing.  Also, if you
> > need to refresh just one key, you could just scp that one over, no need
> > to edit the file either.
> i don't understand why editing a file is hard.
> i think keeping a file in sync is simpler than
> syncing directories, especially deleting files.

Yes, keeping a file 100% in sync is way easier.  But in real situations,
you're often faced by the fact that e.g. 60-90% of the keys are the same,
and the rest vary.  Then syncing is a bit more difficult.  Editing is also
a bigger (i.e. interactive) process when it has to be done on many hosts.

A problem is backup files if you edit keys with an editor, i.e. ones ending
in e.g. ~ or # (depending on the editor).  Then if you just delete the
base key, the results might be unexpected.  To counter this, filenames
would be scanned and only those that contain only legal characters would

> > What do you think -- would this be useful?  Bloat?  Could it be considered
> > to be merged if it was implemented?
> i don't think it's useful. switched to a-key-per-file,
> but openssh and the traditional ssh use a-key-per-line

I wasn't aware is doing something like this too.  So it might be
something to be done sooner or later, though.

Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
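
The following is an added example, not part of the original post and not OpenSSH code: a script that rebuilds the key-per-line file from a key-per-file directory and accepts only filenames made of legal characters, so an editor backup left behind after a key is deleted does not keep authorizing it. The allowed character set, the function names and the sample keys are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: "legal" means letters, digits, '.', '_' and '-', not starting
# with '.'. This rejects editor backups such as "bob.pub~" and "#carol.pub#".
LEGAL_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]*")

def collect_keys(keydir):
    """Return (key_lines, skipped_names); only regular, legally named files count."""
    lines, skipped = [], []
    for name in sorted(os.listdir(keydir)):
        path = os.path.join(keydir, name)
        if not LEGAL_NAME.fullmatch(name) or not stat.S_ISREG(os.lstat(path).st_mode):
            skipped.append(name)
            continue
        with open(path) as fh:
            for line in map(str.strip, fh):
                if line and not line.startswith("#"):
                    lines.append(line)
    return lines, skipped

def write_authorized_keys(keydir, target):
    """Rebuild the key-per-line file atomically; return the skipped names."""
    lines, skipped = collect_keys(keydir)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target) or ".")  # mode 0600
    with os.fdopen(fd, "w") as out:
        out.writelines(line + "\n" for line in lines)
    os.replace(tmp, target)  # readers never see a half-written file
    return skipped

def demo():
    """Constructed case: bob.pub was deleted, but its editor backup remains."""
    files = {  # constructed placeholder keys, not real key material
        "alice.pub": "ssh-rsa AAAA-CONSTRUCTED-1 alice@example\n",
        "bob.pub~": "ssh-rsa AAAA-CONSTRUCTED-2 bob@example\n",
        "#carol.pub#": "ssh-rsa AAAA-CONSTRUCTED-3 carol@example\n",
    }
    with tempfile.TemporaryDirectory() as top:
        keydir = os.path.join(top, "keys")
        os.mkdir(keydir)
        for name, text in files.items():
            with open(os.path.join(keydir, name), "w") as fh:
                fh.write(text)
        target = os.path.join(top, "authorized_keys2")
        skipped = write_authorized_keys(keydir, target)
        with open(target) as fh:
            return skipped, fh.read()
```

Calling `demo()` returns the skipped filenames and the generated file contents; the skipped list is worth logging so stale backup files get noticed and cleaned up.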

More information about the openssh-unix-dev mailing list