AW: AW: AuthorizedKeysCommand support added

Damien Miller djm at mindrot.org
Sun Nov 4 22:16:43 EST 2012


On Thu, 1 Nov 2012, Damien Miller wrote:

> > > This is a risk of using
> > > the target user for the login script, which is something we explicitly
> > > recommend against.
> >
> > OK, then documentation is quite important: if I understand it
> > right, the default will be this unsafe mode, unless one uses
> > AuthorizedKeysCommandUser
> 
> yes, though "unsafe" is relative here. It would be nice to have a dedicated
> _ssh_helper account or somesuch that we could rely on to be the default.
> 
> Perhaps it would be better to ship with no default whatsoever but support
> %u as an option.

I just committed this - there is no default AuthorizedKeysCommandUser now;
admins are required to specify one. Hopefully they'll pick a good one :)

-d


More information about the openssh-unix-dev mailing list