authorized_keys2 directory idea

Rob Hagopian rob at hagopian.net
Mon Jun 4 14:12:52 EST 2001


OpenSSH changed from the ssh.com directory method... not that that's
always a bad thing, I prefer not having a separate .ssh2 directory. But a
lot of other unix utils have moved to file based rather than line based
config methods for the simple reason that a lot of people working with
these systems find it easier to manage them this way... Do you object to
/proc, pam, and SysV rc scripts as well?

And I still think that if people support it, it surely belongs in contrib
for people to use at their own risk... what else is that for?
								-Rob

On Sun, 3 Jun 2001, Theo de Raadt wrote:

> Incompatibility sucks.
>
> OpenSSH is security software.  A lot of you keep asking for more and
> more features, and the code keeps growing and growing and growing.
> Assuming that the number of lines per bug is a constant, how long
> before one of these features which no one uses becomes a hole?
>
> I think it is ridiculous how some people keep demanding change.
>
> Sorry, but I firmly believe that change for the sake of "I like it" is
> stupid.
>
> > My $0.02 is that I like it, and I find it easier to keep track of the keys
> > and where they came from by having a directory format... could we at least
> > put the patch in contrib?
> > 								-Rob
> >
> > On Sun, 3 Jun 2001, Markus Friedl wrote:
> >
> > > On Sat, Jun 02, 2001 at 11:54:24AM +0300, Pekka Savola wrote:
> > > > Root would not be the only one to profit from this; you would only need to
> > > > copy the pubkey file in the right dir (with a descriptive name if you
> > > > like!), and authorization would work without file editing.  Also, if you
> > > > need to refresh just one key, you could just scp that one over, no need
> > > > to edit the file either.
> > >
> > > i don't understand why editing a file is hard.
> > > i think keeping a file in sync is simpler than
> > > syncing directories, especially deleting files.
> > >
> > > > What do you think -- would this be useful?  Bloat?  Could it be considered
> > > > to be merged if it was implemented?
> > >
> > > i don't think it's useful. ssh.com switched to a-key-per-file,
> > > but openssh and the traditional ssh use a-key-per-line
> > >
> > > and i don't want to support 2 different ways of doing things.
> > >
> > > > Btw, I noticed when comparing auth-rsa.c/auth2.c that auth2.c does not
> > > > print debug message:
> > > > --- openssh-cvs/auth2.c	Sat Jun  2 11:14:21 2001
> > > > +++ openssh.fix/auth2.c Sat Jun  2 11:13:40 2001
> > > > @@ -26,6 +28,8 @@
> > > >  	if (!f) {
> > > >  		/* Restore the privileged uid. */
> > > >  		restore_uid();
> > > > +		packet_send_debug("Could not open %.900s for reading.", file);
> > > > +		packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
> > > >  		return 0;
> > > >  	}
> > > >  	if (options.strict_modes) {
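Review bot: both added packet_send_debug() calls run before the user has authenticated, and the first one puts the server-side path of the authorized keys file (`file`, via `%.900s`) into a message delivered to the peer, so an unauthenticated client learns the layout of the user's home directory and whether that file exists; suggest recording this server-side only and keeping the path out of anything sent to the client, which also matches the direction stated further down the thread of no debug messages before authentication. The hunk header `@@ -26,6 +28,8 @@` starts at different offsets in the old and new file even though this is the only hunk shown, which suggests the patch was taken against a tree with other changes above this point; regenerating it against a clean checkout would make it apply cleanly.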
> > > >
> > > > was this left out by design, or a leftover in auth-rsa.c ?
> > >
> > > they should be merged, and in the future, i don't
> > > want to see debug messages before a user is authenticated.
> > >
> >
>
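One defender-side way to get the file-per-key management Pekka describes while sshd still reads the single authorized_keys it already understands, as an added example that is not part of the thread and not OpenSSH code: keep a directory of one-key-per-file entries and regenerate authorized_keys from it. Because the file is rebuilt from scratch and replaced atomically, deleting a key file revokes that key on the next run, which is the "deleting files" sync problem Markus raises. Function names, the directory layout and every key string below are this example's own constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: rebuild a single
# authorized_keys file from a directory of one-key-per-file entries.
# Function names and layout are this example's own choices.

# Rebuild OUT from the *.pub files in KEYDIR.
build_authorized_keys() {
    keydir=$1
    out=$2
    tmp="$out.tmp.$$"
    # Create the temp file without group/other access from the start.
    (umask 077; : > "$tmp")
    for f in "$keydir"/*.pub; do
        [ -f "$f" ] || continue          # empty dir: the glob stays literal
        # Count non-blank, non-comment lines; a file must carry exactly one
        # key so a stray paste cannot silently authorize extra keys.
        n=$(grep -c -v -e '^[[:space:]]*$' -e '^#' "$f" || true)
        if [ "$n" -ne 1 ]; then
            echo "skipping $f: expected 1 key line, found $n" >&2
            continue
        fi
        # Require a "<keytype> <base64>" token pair somewhere on the line
        # (authorized_keys options such as from="..." may precede it).
        if ! grep -q -E '(^|[[:space:]])(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$f"; then
            echo "skipping $f: not a public key line" >&2
            continue
        fi
        grep -v -e '^[[:space:]]*$' -e '^#' "$f" >> "$tmp"
    done
    # Atomic replace: sshd never sees a half-written file.
    mv -f "$tmp" "$out"
}

# Number of key lines currently in an authorized_keys file.
count_keys() {
    grep -c -v '^[[:space:]]*$' "$1" || true
}

# Stand-alone demonstration with constructed (not real) key material.
demo() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDKEY1 alice@example\n' > "$d/alice.pub"
    printf '# managed by ops\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDKEY2 bob@example\n' > "$d/bob.pub"
    printf 'ssh-rsa AAAAKEY1 x\nssh-rsa AAAAKEY2 y\n' > "$d/two-keys.pub"   # rejected: two keys
    build_authorized_keys "$d" "$d/authorized_keys"
    echo "keys after build: $(count_keys "$d/authorized_keys")"             # 2
    rm "$d/alice.pub"
    build_authorized_keys "$d" "$d/authorized_keys"
    echo "keys after revoking alice: $(count_keys "$d/authorized_keys")"    # 1
    rm -rf "$d"
}

demo
```

Run it from cron or a config-management hook after syncing the key directory; the validation step is what keeps a directory copy from turning into a silent way to authorize more than one key per file, and the temp-file-then-mv step keeps sshd from ever reading a partially written file.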

More information about the openssh-unix-dev mailing list