backdoor by authorized_keys2 leftovers

Damien Miller djm at mindrot.org
Mon May 16 12:51:14 EST 2011


On Sun, 15 May 2011, Daniel Kahn Gillmor wrote:

> It seems somewhat unclear how AuthorizedKeysFile interacts with a Match
> clause.
> 
> If the following makes an array of two authorizedkeysfiles:
> 
>  AuthorizedKeysFile foo
>  AuthorizedKeysFile bar

So the question is whether to allow multiple directives that add to the
list (as is the case in the slightly-broken patch I sent out yesterday)
or to allow a single directive that specifies all the files on one line.

The latter is more clear for Match, but long lines are more likely to wrap
and are harder to read in sshd_config.

That being said, there is plenty of room for the common cases that I can
think of:

AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
AuthorizedKeysFile /etc/ssh/authorized_keys/keys_%u .ssh/authorized_keys

So maybe all-keys-on-one-line is better.

-d
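An added example, not code from this thread or from OpenSSH: a small Python model of the all-keys-on-one-line form the message leans toward, used to compute which files sshd would consult for a given user, so an audit for leftover key files knows exactly where to look. Assumed semantics (labelled in the code): a later directive in the same scope replaces an earlier one, a Match User block that matches the user overrides the global list, only the User criterion is modelled, and the sample sshd_config and the fallback default are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed sample sshd_config (not from the thread). The global directive names
# two files on one line; the Match block narrows the list for two service users.
SAMPLE_SSHD_CONFIG = """\
# global section
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

Match User deploy,backup
    AuthorizedKeysFile /etc/ssh/authorized_keys/keys_%u
"""


def expand_path(path, user, home):
    """Expand %u (user), %h (home) and %% tokens; relative paths are home-relative."""
    tokens = {"u": user, "h": home, "%": "%"}
    expanded = re.sub(r"%(.)", lambda m: tokens.get(m.group(1), m.group(0)), path)
    if not expanded.startswith("/"):
        expanded = str(PurePosixPath(home) / expanded)
    return expanded


def effective_authorized_keys_files(config_text, user, home):
    """Return the key files sshd would consult for `user` under the one-line model.

    Modelling assumptions: one directive carries the whole list; a later directive
    in the same scope replaces an earlier one; a Match User block matching `user`
    overrides the global list; only the "User" criterion is understood.
    """
    global_files = [".ssh/authorized_keys"]  # assumed fallback when no directive is set
    match_files = None
    in_any_match, in_matching_block = False, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            in_any_match = True
            crit = rest.split()  # e.g. ["User", "deploy,backup"]
            in_matching_block = any(
                crit[i].lower() == "user" and user in crit[i + 1].split(",")
                for i in range(0, len(crit) - 1, 2))
            continue
        if keyword != "authorizedkeysfile":
            continue
        if not in_any_match:
            global_files = rest.split()
        elif in_matching_block:
            match_files = rest.split()
    chosen = match_files if match_files is not None else global_files
    return [expand_path(f, user, home) for f in chosen]
```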
