Connection info with AuthorizedKeysCommand

Anthony R Fletcher arif at mail.nih.gov
Thu Nov 22 01:16:13 EST 2012


On 21 Nov 2012 at 13:48:37, Darren Tucker wrote:
> On Tue, Nov 20, 2012 at 08:52:38PM -0500, Anthony R Fletcher wrote:
> > Agreed and I forgot that there was lots of power in the authorized_file
> > format. What if we wanted the authorisation keys to depend on the server
> > port?
> 
> You can specify different AuthorizedKeysCommand directives inside a
> "Match Port" block.  Not super elegant if you have a lot of them, but
> for two or three...
> 

True and I can't see having to run on many ports.

Back to my original case of inside and outside sets of authorised keys,
I have to process the user's original authorized_keys file. One problem
is that the AuthorizedKeysCommand command needs to be able to read that
file. This is especially acute when we are using NFS home directories.

 AuthorizedKeysCommandUser
   Specifies the user under whose account the AuthorizedKeysCommand is
   run. It is recommended to use a dedicated user that has no other
   role on the host than running authorized keys commands.

This is a required option when using AuthorizedKeysCommand.

Can we have the option to run as the authenticating user? Otherwise I
need to use some kind of sudo magic.

If I set an extra from= option on each of the user's keys, am I right in
thinking that this is an extra restriction and doesn't just overwrite
any from= option originally there?

			Anthony.


-- 
Anthony R Fletcher        
  Room 2033, Building 12A,        http://dcb.cit.nih.gov/~arif
  National Institutes of Health,  arif at mail.nih.gov
  12A South Drive, Bethesda,      Phone: (+1) 301 402 1741.
  MD 20892-5624, USA.
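As an added example, not code from this thread or from OpenSSH: a small POSIX shell AuthorizedKeysCommand that keeps the inside and outside key sets in a root-owned local directory (an assumed layout, /etc/ssh/authorized_keys.d/<zone>/<user>), selected per port by the "Match Port" blocks described above, so the dedicated AuthorizedKeysCommandUser never has to read an NFS home directory. The script name, zone names and key data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: an AuthorizedKeysCommand that serves
# per-zone ("inside"/"outside") key sets from a root-owned local directory
# instead of ~/.ssh/authorized_keys, so the unprivileged AuthorizedKeysCommandUser
# can read them even when home directories are on NFS.  Assumed sshd_config
# wiring, one command per port via Match as suggested in the thread:
#
#   AuthorizedKeysCommandUser sshkeys
#   Match Port 22
#       AuthorizedKeysCommand /usr/local/sbin/keys-for-zone inside %u
#   Match Port 2222
#       AuthorizedKeysCommand /usr/local/sbin/keys-for-zone outside %u
#
# Assumed layout: $KEYS_DIR/<zone>/<user>, root-owned, dirs 0755, files 0644.
KEYS_DIR="${KEYS_DIR:-/etc/ssh/authorized_keys.d}"
# Print the authorized_keys lines for user $2 in zone $1.  Returns 1 and prints
# nothing if an argument is not a plain name or the key file is unreadable.
keys_for_zone() {
    zone=$1; user=$2
    # sshd hands us %u verbatim: refuse anything that could escape $KEYS_DIR.
    case "$zone" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    case "$user" in ''|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    f="$KEYS_DIR/$zone/$user"
    [ -f "$f" ] && [ -r "$f" ] || return 1
    # Pass key lines through untouched (options already on a line stay as
    # they are); drop blanks and comments.  No key lines is not an error.
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$f" || true
}
# Self-check against a constructed key tree (sample data, not real keys).
selfcheck() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/inside" "$d/outside"
    printf '# comment\n\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKey alice@lan\n' \
        > "$d/inside/alice"
    printf 'from="203.0.113.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKey alice@vpn\n' \
        > "$d/outside/alice"
    n=$(KEYS_DIR=$d; keys_for_zone inside alice | grep -c .)
    m=$(KEYS_DIR=$d; keys_for_zone outside alice | grep -c '^from=')
    # A traversal attempt in the user name must be refused, not served.
    (KEYS_DIR=$d; keys_for_zone inside '../outside/alice') && { rm -rf "$d"; return 1; }
    rm -rf "$d"
    [ "$n" -eq 1 ] && [ "$m" -eq 1 ]
}
case $# in
    2) keys_for_zone "$1" "$2" ;;              # invoked by sshd
    0) selfcheck ;;                            # run by hand: exits 0 on success
    *) echo "usage: $0 zone user" >&2; exit 2 ;;
esac
```

Run by hand with no arguments it exercises the constructed tree and exits 0; sshd calls it with the zone and %u and gets only the lines of that zone's file.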