authorized_keys2 directory idea

Rob Hagopian rob at hagopian.net
Tue Jun 5 06:11:54 EST 2001


I'm surprised you're advocating the use of sed on authorized_keys files!

It's pretty sick, but: cat keys/* | sort | uniq | sed | split -l 1
But of course you lose filenames... you might be able to pull them out of
the comment field... but the point isn't to make it more difficult...

How do you see the time a key was added to your single file? Can you track
individual key changes through utils like tripwire? How about making some
keys immutable but allowing others to be updated? Can I make a symlink to
a common public key that root updates?

I'm not saying that there aren't advantages to a single file, although I'd
be a lot less likely to use sort/uniq/sed than I would be to make a key
immutable, but there are some advantages to separate files too.

As I think about it, I think that taking both and merging them gives even
more flexibility. If you allow multiple files, each with one *or more*
keys in it, you don't change the existing key lookup code except to
include more files in the searching (authorized_keys2 and
authorized_dir2/* or such).

A cursory look at the code looks to add about 10 lines of code to add that
functionality.
								-Rob

On Mon, 4 Jun 2001, Markus Friedl wrote:

> On Mon, Jun 04, 2001 at 12:12:52AM -0400, Rob Hagopian wrote:
> > OpenSSH changed from the ssh.com directory method... not that that's
> > always a bad thing, I prefer not having a separate .ssh2 directory. But a
> > lot of other unix utils have moved to file based rather than line based
> > config methods for the simple reason that a lot of people working with
> > these systems find it easier to manage them this way... Do you object to
> > /proc, pam, and SysV rc scripts as well?
>
> so how do i use
> 	sort
> 	uniq
> 	sed
> if i use multiple files instead of a single file?
>
> in a single file i can put the entries in a certain order.
>
> there might be some uses for a-key-per-file, however,
> they do not justify a change in the way openssh
> is configured.
>
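The merge pipeline in the post (`cat keys/* | sort | uniq | sed | split -l 1`) throws away the per-file provenance that the directory layout gives you. The script below is an added illustration, not code from the thread or from OpenSSH: it builds one authorized_keys file from a directory of per-principal key files, keeps the source filename as a trailing `src=` marker in the comment field (which sshd ignores), de-duplicates on key type plus key material rather than on the whole line, preserves any leading options field such as `from=`, and keeps the deterministic filename order so the single file still has a predictable entry order. The sample directory and the key strings are constructed placeholders, not real public keys.

```shell
#!/bin/sh
# Merge a directory of authorized_keys fragments into one file, keeping
# provenance. Added example; assumes POSIX sh plus awk and mktemp.

# Build one authorized_keys stream from every regular file in "$1".
# Blank and comment lines are skipped; each emitted line gets " src=<file>"
# appended to its comment field so the origin survives the merge.
merge_authorized_keys() {
    dir="$1"
    awk '
        FNR == 1 { src = FILENAME; sub(".*/", "", src) }  # basename of current file
        /^[[:space:]]*(#|$)/ { next }                      # skip blank and comment lines
        {
            # The key type is the first field starting with ssh-, ecdsa- or sk-;
            # anything before it is the options field (from=, command=, ...).
            kt = ""; kb = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { kt = $i; kb = $(i + 1); break }
            }
            if (kt == "" || kb == "") {
                print "warning: " src ": line " FNR " is not a public key, skipped" > "/dev/stderr"
                next
            }
            id = kt " " kb                                  # dedupe on material, not comment
            if (id in seen) {
                print "warning: " src ": duplicate of key first seen in " seen[id] ", skipped" > "/dev/stderr"
                next
            }
            seen[id] = src
            print $0 " src=" src
        }
    ' "$dir"/*
}

# Constructed sample key directory (placeholder key material, not real keys).
# Prints the directory path so callers can clean it up.
make_sample_keydir() {
    dir=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1-alice-PLACEHOLDER alice@laptop\n' > "$dir/alice"
    # Same key material with a different comment: must be reported as a duplicate.
    printf 'ssh-rsa AAAAB3NzaC1-alice-PLACEHOLDER alice@desktop\n' > "$dir/alice-old"
    # Options field before the key type must be preserved untouched.
    printf 'from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1-bob-PLACEHOLDER bob@bastion\n' > "$dir/bob"
    printf '# documentation only, no key here\n\n' > "$dir/README"
    printf '%s' "$dir"
}

# Demo: merge the constructed directory and print the resulting file.
demo_dir=$(make_sample_keydir)
merge_authorized_keys "$demo_dir"
rm -rf "$demo_dir"
```

Because entries are emitted in glob order, regenerating the file after a directory change produces a stable diff, which is what a file-integrity tool needs to report "key X was added by file Y" rather than "authorized_keys changed".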
