Patch to allow glob patterns as authorized keys file names

Maurice Bos m-ou.se at m-ou.se
Fri Aug 31 08:26:28 EST 2012


Hello,

The patch below allows one to configure not only files like
"%h/.ssh/authorized_keys" to be used, but also patterns like
"%h/.ssh/authorized_keys.d/*".
This can be quite useful if somebody or something has to manage an
above-average number of keys, like when running a git server that
determines the user based on the ssh key. (Like what they do at
github.com, and what Gitolite does.)

Kind regards,
-Maurice Bos-



Author: Maurice Bos <m-ou.se at m-ou.se>
Date:   Thu Aug 30 15:14:49 2012 +0200

    Allow glob patterns in authorized keys file names.

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -454,9 +454,16 @@ user_key_allowed(struct passwd *pw, Key *key)
                return success;

        for (i = 0; !success && i < options.num_authkeys_files; i++) {
+               int j;
+               glob_t glob_result;
                file = expand_authorized_keys(
                    options.authorized_keys_files[i], pw);
-               success = user_key_allowed2(pw, key, file);
+               glob(file, GLOB_NOCHECK, NULL, &glob_result);
+               for (j = 0; !success && j < glob_result.gl_pathc; j++) {
+                       char *f = glob_result.gl_pathv[j];
+                       success = user_key_allowed2(pw, key, f);
+               }
+               globfree(&glob_result);
                xfree(file);
        }
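
Review bot: The return value of glob() on the added `glob(file, GLOB_NOCHECK, NULL, &glob_result);` line is ignored, so a GLOB_NOSPACE or GLOB_ABORTED failure is indistinguishable from "no keys matched" and leaves no trace in the log. Check the result and log the failure before entering the inner loop. Since `file` comes from expand_authorized_keys(), any glob metacharacter that ends up in the expanded path (for example from the home directory substituted for %h) is now interpreted as a pattern, and existing AuthorizedKeysFile values containing `*`, `?` or `[` change meaning; either restrict globbing to the configured template or document the new behaviour. Two smaller points: `int j` is compared against `glob_result.gl_pathc`, which is a size_t, so `j` should be size_t or u_int, and the patch carries no sshd_config(5) change describing pattern support or the order in which matched files are tried.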


More information about the openssh-unix-dev mailing list