backdoor by authorized_keys2 leftovers

Iain Morgan imorgan at nas.nasa.gov
Thu May 12 04:20:30 EST 2011


On Wed, May 11, 2011 at 12:24:16 -0500, Ángel González wrote:
> Iain Morgan wrote:
> > I was going to suggest something similar, but you beat me to it. :-)
> >
> > One scenario that could potentially be useful in a cluster environment
> > would be to allow per-host authorized_keys files. Support for the
> > following syntax might be useful:
> >
> > AuthorizedKeysFile %h/.ssh/authorized_keys.%H,%h/.ssh/authorized_keys
> >
> > where '%H' would be expanded as the server's hostname. (I don't
> > particularly like '%H', but '%h' is already used.)
> >
> > This would allow clusters which use a shared home filesystem to have
> > authorized_keys files which are tailored for a specific host and the
> > capability to fall back to a more generic file in the absence of a
> > host-specific one.
> >
> > By the way, I applaud getting rid of the old cruft.
> To fall back? As I understood it, they would be additive.
> 

By "fall back," I didn't necessarily mean "stop at the first file," but
there might be some scenarios where that behaviour is desirable.
However, most of the discussion on this list has been with the
expectation that all files would be examined.

-- 
Iain Morgan
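The two semantics discussed above, additive versus fall back, are easy to confuse and the difference matters for the thread's subject: under additive lookup a key left behind in the shared, generic file still authenticates on every host, even one that has its own host-specific file. The following script is an added illustration, not code from OpenSSH or from anyone in the thread. It models sshd's AuthorizedKeysFile lookup over a whitespace-separated list of files (as sshd accepts) and expands the real %h and %u tokens; the %H hostname token is the thread's proposal and is assumed here for illustration only, sshd does not implement it. The home directory, key material and key lines are constructed for the demonstration.

```python
"""Model of an AuthorizedKeysFile lookup over several files (added example).

Constructed scenario: a shared home with a host-specific key file and a
generic one, probed under additive and fall-back semantics.
"""
import os
import tempfile

# Constructed sample keys: the base64 parts are placeholders, not real keys.
KEY_NODE1 = ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForNode1Only")
KEY_LEFTOVER = ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAILeftoverKeyInGenericFile")

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def expand_tokens(pattern, home, user, hostname):
    """Expand AuthorizedKeysFile tokens in one path pattern.

    %h (home directory), %u (user name) and %% are sshd's own tokens.
    %H is the hostname token proposed in the thread: an assumption here,
    not something sshd implements.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%" and i + 1 < len(pattern):
            tok = pattern[i + 1]
            if tok == "h":
                out.append(home)
            elif tok == "u":
                out.append(user)
            elif tok == "H":  # hypothetical token from the proposal
                out.append(hostname)
            elif tok == "%":
                out.append("%")
            else:
                raise ValueError("unknown token %%%s" % tok)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_authorized_keys(path):
    """Return the set of (type, base64) pairs in an authorized_keys file.

    Handles blank lines, comments and a leading options field, which is
    enough here; a real parser must also cope with quoted commas in options.
    """
    keys = set()
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split()
            for idx, field in enumerate(fields):
                if field.startswith(KEY_TYPE_PREFIXES) and idx + 1 < len(fields):
                    keys.add((field, fields[idx + 1]))
                    break
    return keys


def lookup(pubkey, spec, home, user, hostname, additive=True):
    """Return the file that authorizes pubkey, or None.

    additive=True: every listed file is consulted (what sshd does).
    additive=False: stop at the first file that exists (the fall-back variant).
    """
    for pattern in spec.split():
        path = expand_tokens(pattern, home, user, hostname)
        if not os.path.isfile(path):
            continue
        if pubkey in parse_authorized_keys(path):
            return path
        if not additive:
            return None
    return None


def key_line(key, options=None):
    line = "%s %s demo@example" % key
    return (options + " " + line) if options else line


def demo():
    """Build the constructed home directory and probe both semantics on node1."""
    spec = "%h/.ssh/authorized_keys.%H %h/.ssh/authorized_keys"
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        with open(os.path.join(ssh_dir, "authorized_keys.node1"), "w") as fh:
            fh.write(key_line(KEY_NODE1) + "\n")
        with open(os.path.join(ssh_dir, "authorized_keys"), "w") as fh:
            fh.write("# generic file shared by every node\n")
            fh.write(key_line(KEY_LEFTOVER, 'from="10.0.0.0/8"') + "\n")

        results = {}
        for additive in (True, False):
            for name, key in (("node1", KEY_NODE1), ("leftover", KEY_LEFTOVER)):
                hit = lookup(key, spec, home, "alice", "node1", additive=additive)
                results[(additive, name)] = os.path.basename(hit) if hit else None
        return results


if __name__ == "__main__":
    for (additive, name), hit in sorted(demo().items()):
        print("additive=%s key=%s -> %s" % (additive, name, hit))
```

Run it and the leftover key is accepted on node1 under additive lookup, via the generic file, but refused under fall back because the host-specific file exists and does not contain it. The practical consequence is the one the thread circles around: with additive semantics a per-host file can only add access, never restrict it, so pruning the generic file is the only way to revoke a key cluster-wide.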