backdoor by authorized_keys2 leftovers

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri May 13 05:26:24 EST 2011


On 05/12/2011 03:14 PM, Dan Kaminsky wrote:
> It's completely reasonable, desirable even, to allow a new configuration
> option to explicitly define the set of files that can contain authorized
> keys.

This doesn't need to be a "new configuration option", since it's what
AuthorizedKeysFile does right now.  I think if you define an
AuthorizedKeysFile, then ~/.ssh/authorized_keys2 is no longer checked.

The proposal to make AuthorizedKeysFile an array would allow for saying
"the default is ~/.ssh/authorized_keys,~/.ssh/authorized_keys2" if we
wanted to permanently enshrine the current behavior and keep a simple
explanation.

> It'd even be convenient to have an AuthorizationCommand option, that
> sent properly escaped strings to a command for external testing and
> validation.

There is an outstanding proposal for AuthorizedKeysCommand which works
slightly differently:

 https://bugzilla.mindrot.org/show_bug.cgi?id=1663

The command itself just produces the equivalent of an AuthorizedKeysFile
on stdout, which is read by sshd in the same way that it currently reads
the AuthorizedKeysFile.

An alternate implementation (e.g. one that feeds the submitted key
(properly escaped) to the command and checks the return value) would be
a welcome contribution.

Regards,

	--dkg
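The stdout contract described above (the command prints the equivalent of an AuthorizedKeysFile and sshd reads it as such), as an added example that is not part of dkg's message or of the bugzilla proposal: a POSIX sh helper that reads a user's keys from a central key store (the $KEYSTORE/<user>.pub layout is an assumption) and emits only lines that pass a format check, so a malformed or injected entry is dropped rather than handed to sshd.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Minimal
# AuthorizedKeysCommand-style helper: given a user name, print that user's
# keys in authorized_keys format on stdout; sshd would consume stdout exactly
# as it consumes an AuthorizedKeysFile. Anything that does not look like a
# key line is dropped and reported on stderr.

KEYSTORE="${KEYSTORE:-/etc/ssh/keystore}"   # assumed layout: $KEYSTORE/<user>.pub

# Plain key lines only: type, base64 blob, optional comment. The optional
# leading options field (command="...", no-pty, ...) is deliberately not
# accepted by this simplified validator. Key types listed are illustrative.
KEY_RE='^(ssh-rsa|ssh-dss|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'

# The user name sshd passes must be a plain account name, never a path.
valid_user() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'
}

# emit_keys USER: print validated key lines for USER on stdout.
# Returns 1 (and prints nothing) for an invalid name or a missing key file.
emit_keys() {
    user="$1"
    valid_user "$user" || { echo "rejecting user name: $user" >&2; return 1; }
    keyfile="$KEYSTORE/$user.pub"
    [ -r "$keyfile" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;            # blank lines and comments are skipped
        esac
        if printf '%s\n' "$line" | grep -Eq "$KEY_RE"; then
            printf '%s\n' "$line"
        else
            echo "dropping malformed key line for $user" >&2
        fi
    done < "$keyfile"
    return 0
}

# When invoked as the command itself, sshd passes the user name as $1.
if [ $# -eq 1 ]; then
    emit_keys "$1"
fi
```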


