authorized_keys2 directory idea

Theo de Raadt deraadt at
Tue Jun 5 07:40:09 EST 2001

This is getting very tiring.

Can you please start your own ssh derivative project?

> I'm surprised you're advocating the use of sed on authorized_keys files!
> It's pretty sick, but: cat keys/* | sort | uniq | sed | split -l 1
> But of course you lose filenames... you might be able to pull them out of
> the comment field... but the point isn't to make it more difficult...
> How do you see the time a key was added to your single file? Can you track
> individual key changes through utils like tripwire? How about making some
> keys immutable but allowing others to be updated? Can I make a symlink to
> a common public key that root updates?
> I'm not saying that there aren't advantages to a single file, although I'd
> be a lot less likely to use sort/uniq/sed than I would be to make a key
> immutable, but there are some advantages to separate files too.
> As I think about it, I think that taking both and merging them gives even
> more flexibility. If you allow multiple files, each with one *or more*
> keys in it, you don't change the existing key lookup code except to
> include more files in the searching (authorized_keys2 and
> authorized_dir2/* or such).
> A cursory look at the code looks to add about 10 lines of code to add that
> functionality.
> 								-Rob
> On Mon, 4 Jun 2001, Markus Friedl wrote:
> > On Mon, Jun 04, 2001 at 12:12:52AM -0400, Rob Hagopian wrote:
> > > OpenSSH changed from the directory method... not that that's
> > > always a bad thing, I prefer not having a separate .ssh2 directory. But a
> > > lot of other unix utils have moved to file based rather than line based
> > > config methods for the simple reason that a lot of people working with
> > > these systems find it easier to manage them this way... Do you object to
> > > /proc, pam, and SysV rc scripts as well?
> >
> > so how do i use
> > 	sort
> > 	uniq
> > 	sed
> > if i use multiple files instead of a single file?
> >
> > in a single file i can put the entries in a certain order.
> >
> > there might be some uses for a-key-per-file, however,
> > they do not justify a change in the way openssh
> > is configured.
> >
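
The merge the two quoted posts argue about, written out as an added example (my own script, not OpenSSH's and not either poster's code): it assembles one authorized_keys from a directory of per-key files, reads the files in lexical order so a numeric filename prefix fixes the order sshd sees, appends the originating filename to each line's comment field so a diff or tripwire-style check on the merged file points back to a single file, and collapses duplicates on the base64 key body. The directory layout and key strings are constructed placeholders; sshd itself only ever reads the merged file.

```shell
#!/bin/sh
# Build one authorized_keys from a directory of per-key files.
# - files are read in lexical order, so a numeric prefix fixes the order
# - the source filename is appended to each line's comment field
# - lines are de-duplicated on the base64 key body; the first file wins
# Key strings and filenames below are constructed placeholders, not real keys.

build_authorized_keys() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Tag each non-empty, non-comment line with its filename (tab-separated).
        awk -v src="$(basename "$f")" 'NF && $1 !~ /^#/ { print src "\t" $0 }' "$f"
    done | awk -F '\t' '
    {
        src = $1; line = substr($0, length(src) + 2); body = ""
        n = split(line, w, " ")
        # The key body is the base64 field starting with "AAAA" (a length-
        # prefixed key type); options, if any, come before the key type.
        for (i = 1; i <= n; i++)
            if (w[i] ~ /^AAAA[A-Za-z0-9+\/=]+$/) { body = w[i]; break }
        if (body == "") {
            print("skipping " src ": no key body in: " line) > "/dev/stderr"
            next
        }
        if (body in seen) next
        seen[body] = src
        print line " [" src "]"
    }'
}

# Constructed sample directory exercising ordering, options, comment lines,
# a duplicate key and a malformed file. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAEXAMPLEKEYroot root@admin-host\n' > "$d/00-root"
    printf 'command="/usr/bin/backup" ssh-ed25519 AAAAEXAMPLEKEYbackup backup@nas\n' > "$d/10-backup"
    printf '# laptop key, added 2001-06\nssh-ed25519 AAAAEXAMPLEKEYalice alice@laptop\n' > "$d/20-alice"
    printf 'ssh-ed25519 AAAAEXAMPLEKEYalice alice@laptop stale copy\n' > "$d/30-alice-old"
    printf 'not a key at all\n' > "$d/40-broken"
    printf '%s\n' "$d"
}

# Stand-alone use: merge-keys.sh <dir> > ~/.ssh/authorized_keys
if [ "$#" -gt 0 ]; then build_authorized_keys "$1"; fi
```

Malformed files are reported on stderr and left out rather than silently copied into the merged file.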

More information about the openssh-unix-dev mailing list