authorized_keys2 directory idea

Theo de Raadt deraadt at cvs.openbsd.org
Mon Jun 4 13:29:05 EST 2001


Incompatibility sucks.

OpenSSH is security software.  A lot of you keep asking for more and
more features, and the code keeps growing and growing and growing.
Assuming that the number of lines per bug is a constant, how long
before one of these features which no one uses becomes a hole?

I think it is ridiculous how some people keep demanding change.

Sorry, but I firmly believe that change for the sake of "I like it" is
stupid.

> My $0.02 is that I like it, and I find it easier to keep track of the keys
> and where they came from by having a directory format... could we at least
> put the patch in contrib?
> 								-Rob
> 
> On Sun, 3 Jun 2001, Markus Friedl wrote:
> 
> > On Sat, Jun 02, 2001 at 11:54:24AM +0300, Pekka Savola wrote:
> > > Root would not be the only one to profit from this; you would only need to
> > > copy the pubkey file in the right dir (with a descriptive name if you
> > > like!), and authorization would work without file editing.  Also, if you
> > > need to refresh just one key, you could just scp that one over, no need
> > > to edit the file either.
> >
> > i don't understand why editing a file is hard.
> > i think keeping a file in sync is simpler than
> > syncing directories, especially deleting files.
> >
> > > What do you think -- would this be useful?  Bloat?  Could it be considered
> > > to be merged if it was implemented?
> >
> > i don't think it's useful. ssh.com switched to a-key-per-file,
> > but openssh and the traditional ssh use a-key-per-line
> >
> > and i don't want to support 2 different ways of doing things.
> >
> > > Btw, I noticed when comparing auth-rsa.c/auth2.c that auth2.c does not
> > > print debug message:
> > > --- openssh-cvs/auth2.c	Sat Jun  2 11:14:21 2001
> > > +++ openssh.fix/auth2.c Sat Jun  2 11:13:40 2001
> > > @@ -26,6 +28,8 @@
> > >  	if (!f) {
> > >  		/* Restore the privileged uid. */
> > >  		restore_uid();
> > > +		packet_send_debug("Could not open %.900s for reading.", file);
> > > +		packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
> > >  		return 0;
> > >  	}
> > >  	if (options.strict_modes) {
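Review bot: the two packet_send_debug() calls added after restore_uid() in the `if (!f)` branch put the server-side path (`%.900s`, the user's authorized keys file) and the NFS hint on the wire to a client that has not yet authenticated, so any connecting party learns that the account exists and where its home directory lives; record the failure in sshd's own server-side log instead and keep the pre-authentication reply unchanged, which also matches the position stated further down the thread that no debug messages should be sent before the user is authenticated.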
> > >
> > > was this left out by design, or a leftover in auth-rsa.c ?
> >
> > they should be merged, and in the future, i don't
> > want to see debug messages before a user is authenticated.
> >
> 
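The thread weighs a one-key-per-file directory against the one-key-per-line authorized_keys format that OpenSSH reads, with the objection that syncing a directory (especially removals) is harder than syncing one file. The script below is an added example, not code from the thread or from OpenSSH: it keeps the per-file workflow on the management side (drop, scp or delete a single `.pub` file) and generates the single authorized_keys file sshd already understands, so no new server-side format is needed. The directory and output paths, the `.pub` naming convention and the sample keys are assumptions; the key blobs are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): merge a directory of
# one-key-per-file public keys into the a-key-per-line authorized_keys
# file.  Rebuilding from the directory means a deleted file simply drops
# out on the next run, which is the deletion problem raised in the thread.

# Accept only a single-line OpenSSH public key: type, base64 blob, optional
# comment.  Anything else (options fields, multi-line files, stray text) is
# rejected rather than silently granting access.
is_pubkey_line() {
    case "$1" in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|\
        "ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# build_authorized_keys KEYDIR OUTFILE
# KEYDIR/*.pub  -> one public key per file (assumed naming convention)
# OUTFILE       -> regenerated atomically with mode 600
build_authorized_keys() {
    keydir=$1
    out=$2
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$keydir"/*.pub; do
        [ -f "$f" ] || continue
        line=$(head -n 1 "$f")
        # Count non-empty lines after the first; a key file must have none.
        extra=$(awk 'NR>1 && NF>0 {c++} END {print c+0}' "$f")
        if [ "$extra" -ne 0 ] || ! is_pubkey_line "$line"; then
            printf 'skipping %s: not a single-line public key\n' "$f" >&2
            continue
        fi
        keytype=${line%% *}
        rest=${line#* }
        blob=${rest%% *}
        [ -n "$blob" ] || { printf 'skipping %s: empty key\n' "$f" >&2; continue; }
        # The file name replaces the comment field, so the merged file shows
        # where each key came from (the "descriptive name" idea in the thread).
        name=$(basename "$f" .pub)
        printf '%s %s %s\n' "$keytype" "$blob" "$name" >> "$tmp"
    done
    chmod 600 "$tmp" && mv "$tmp" "$out"
}
```

Run it from cron or a configuration-management hook after the key directory is synced; because the output is rewritten from scratch each time, the authorized_keys file never holds a key whose file has been removed, and malformed or multi-line files are reported on stderr instead of being merged.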