AW: AW: AuthorizedKeysCommand support added
Damien Miller
djm at mindrot.org
Sun Nov 4 22:16:43 EST 2012
On Thu, 1 Nov 2012, Damien Miller wrote:
> > > This is a risk of using
> > > the target user for the login script, which is something we explicitly
> > > recommend against.
> >
> > OK, then documentation is quite important: if I understand it
> > right, the default will be this unsafe mode, unless one uses
> > AuthorizedKeysCommandUser
>
> yes, though "unsafe" is relative here. It would be nice to have a dedicated
> _ssh_helper account or somesuch that we could rely on to be the default.
>
> Perhaps it would be better to ship with no default whatsoever but support
> %u as an option.
I just committed this - there is no default AuthorizedKeysCommandUser now;
admins are required to specify one. Hopefully they'll pick a good one :)
-d
More information about the openssh-unix-dev
mailing list