authorized_keys2 directory idea

Pekka Savola pekkas at netcore.fi
Mon Jun 4 07:52:50 EST 2001


On Sun, 3 Jun 2001, Markus Friedl wrote:
> On Sat, Jun 02, 2001 at 11:54:24AM +0300, Pekka Savola wrote:
> > Root would not be the only one to profit from this; you would only need to
> > copy the pubkey file in the right dir (with a descriptive name if you
> > like!), and authorization would work without file editing.  Also, if you
> > need to refresh just one key, you could just scp that one over, no need
> > to edit the file either.
>
> i don't understand why editing a file is hard.
> i think keeping a file in sync is simpler than
> syncing directories, especially deleting files.

Yes, keeping a file 100% in sync is way easier.  But in real situations,
you're often faced with the fact that e.g. 60-90% of the keys are the same,
and the rest vary.  Then syncing is a bit more difficult.  Editing is also
a bigger (i.e. interactive) process when it has to be done on many hosts.

A problem is backup files if you edit keys with an editor, i.e. ones ending
in e.g. ~ or # (depending on the editor).  Then if you just delete the
base key, the results might be unexpected.  To counter this, filenames
would be scanned and only those that contain only legal characters would
pass.

> > What do you think -- would this be useful?  Bloat?  Could it be considered
> > to be merged if it was implemented?
>
> i don't think it's useful. ssh.com switched to a-key-per-file,
> but openssh and the traditional ssh use a-key-per-line

I wasn't aware ssh.com is doing something like this too.  So it might be
something to be done sooner or later, though.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
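The filename-filtering idea in the message above, worked through as an added example. This is not OpenSSH code and not the patch discussed on the list; it is a stand-alone user-side script that merges a directory of one-key-per-file public keys into authorized_keys format. The allowed-filename rule (leading alphanumeric, then letters, digits, dot, dash, underscore), the accepted key-type list, and the sample directory it builds are all assumptions made for the example; the sample "keys" carry a correctly framed type string but dummy numbers and are not usable keys.

```python
"""Merge a directory of public-key files into authorized_keys format,
skipping editor backup files and malformed key lines.
Added example; not OpenSSH code."""
import base64
import binascii
import os
import re
import struct
import tempfile

# Assumed filename policy: editor leftovers such as "alice.pub~",
# "#alice.pub#" and ".alice.pub.swp" all fail this pattern.
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
# Assumed list of accepted key types.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519")


def filename_ok(name):
    """Accept only plain names; '~', '#', leading '.', spaces etc. are rejected."""
    return FILENAME_RE.match(name) is not None


def parse_key_line(line):
    """Return (keytype, blob_b64, comment) for a well-formed public-key line,
    or None.  Checks the base64 and that the wire blob names the same type."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    keytype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    # SSH wire format: uint32 length, then the key-type string itself
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        return None
    return keytype, b64, comment


def collect_keys(dirpath):
    """Scan one directory (no recursion).  Returns (accepted, rejected):
    accepted is a list of (filename, key line), rejected is (filename, reason)."""
    accepted, rejected = [], []
    for name in sorted(os.listdir(dirpath)):
        path = os.path.join(dirpath, name)
        if not filename_ok(name):
            rejected.append((name, "illegal filename"))
            continue
        if os.path.islink(path) or not os.path.isfile(path):
            rejected.append((name, "not a regular file"))
            continue
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            lines = [l for l in fh.read().splitlines()
                     if l.strip() and not l.lstrip().startswith("#")]
        good = [l.strip() for l in lines if parse_key_line(l)]
        if not good:
            rejected.append((name, "no valid key line"))
            continue
        accepted.extend((name, l) for l in good)
    return accepted, rejected


def render_authorized_keys(dirpath):
    """The merged one-key-per-line text, in filename order."""
    accepted, _ = collect_keys(dirpath)
    return "".join(line + "\n" for _, line in accepted)


def make_key_line(keytype, comment):
    """Constructed test data: a syntactically valid line whose blob carries the
    type string followed by two dummy fields.  Not a usable key."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode()
    blob += struct.pack(">I", 1) + b"\x03" + struct.pack(">I", 1) + b"\x05"
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode(), comment)


def build_sample_dir():
    """Constructed sample directory: two good files, an editor backup, an
    emacs autosave, and a file whose only line names the wrong key type."""
    d = tempfile.mkdtemp()
    files = {
        "alice.pub": make_key_line("ssh-rsa", "alice@laptop") + "\n",
        "alice.pub~": make_key_line("ssh-rsa", "alice@old") + "\n",
        "#bob.pub#": make_key_line("ssh-dss", "bob") + "\n",
        "carol.pub": "# carol's key\nssh-rsa AAAAnotbase64!! carol\n"
                     + make_key_line("ssh-ed25519", "carol@desk") + "\n",
        "dave.pub": "ssh-rsa " + base64.b64encode(
            struct.pack(">I", 7) + b"ssh-dss").decode() + " mismatched-type\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    d = build_sample_dir()
    print(render_authorized_keys(d), end="")
    for name, why in collect_keys(d)[1]:
        print("skipped %s: %s" % (name, why))
```

Running the block prints alice's and carol's lines and reports the backup, autosave and mismatched-type files as skipped. Deleting alice.pub then drops alice entirely even though alice.pub~ is still lying around, which is the outcome the filename scan is meant to guarantee; the type-string check inside the blob is the one a server would also want before trusting a line.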