authorized_keys2 directory idea

Markus Friedl markus.friedl at
Tue Jun 5 01:57:50 EST 2001

On Mon, Jun 04, 2001 at 12:52:50AM +0300, Pekka Savola wrote:
> Yes, keeping a file 100% in sync is way easier.  But in real situations,
> you're often faced by the fact that e.g. 60-90% of the keys are the same,
> and the rest vary.  Then syncing is a bit more difficult.  Editing is also
> a bigger (ie: interactive) process when it has to be done on many hosts.
> A problem is backup files if you edit keys with an editor, ie. ones ending
> to e.g. ~ or # (depending on the editor).  Then if you just delete the
> base key, the results might be unexpected.  To counter this, filenames
> would be scanned and only those that contain only legal characters would
> pass.

yes, you name one of problems that appear with one-key-per-file.

it's also simpler to monitor a single file for changes.

it's easier to introduce races if you use multiple files.

but the main reason is:

	there won't be 2 different ways for doing the same thing and
	we won't drop the old scheme
	so we will not use a-key-per-file

> > > What do you think -- would this be useful?  Bloat?  Could it be considered
> > > to be merged if it was implemented?
> >
> > i don't think it's useful. switched to a-key-per-file,
> > but openssh and the traditional ssh use a-key-per-line
> I wasn't aware is doing something like this too.  So it might be
> something to be done sooner or later, though.

no, i don't think that we should try to clone their implementaion.

More information about the openssh-unix-dev mailing list