Might a patch to ssh-agent to allow relaxing of peer euid check be accepted?

Matthew Miller mattdm at mattdm.org
Fri May 20 01:29:50 EST 2011


On Thu, May 19, 2011 at 03:51:46PM +0200, Wout Mertens wrote:
> Why not simply give each user their own private key and add/remove it from
> the authorized_keys at the appropriate times?

With that model, there's a lot to keep track of. Individual users must keep
track of their keys, and the various authorized_keys files must be managed
carefully. There's no way to enforce "good" behavior with private key files:
they might have no passphrase, they might get copied around or stolen --
potentially without the users' knowledge. And if there are a large number of
accounts on different systems accessed in this way, one needs a system to
manage those (and it's likely things will get overlooked).

I'm open to entertaining more conversations of this nature, but I think it's
really off-topic for this list and I don't want to trouble everyone with it
-- I think it'd be better to send me such messages directly. Thanks.


-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>

