Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jan 15 03:22:44 EST 2013
On 01/14/2013 10:36 AM, Katsumoto san wrote:
> We could set an AuthorizedKeysCommand script, but this will only allow replacing
> the authorized_keys file with keys stored in a database... But why is this command
> so limited?
> Why can't I just set a command script which will get a username and public
> key as arguments and let it do its own authorization??
It sounds to me like you're proposing a different interface than the
current AuthorizedKeysCommand -- the current interface maps quite
cleanly to the AuthorizedKeysFile, and can be processed in a similar way
by ssh (it's just reading the list of authorized keys from a different
kind of file descriptor).
What you're proposing sounds rather different (but I agree it could be
useful). It's more of a KeyAuthorizationCommand (since it takes a
single key and decides whether it is authorized) than an
But note that an ssh client can offer several keys to the ssh server 
to see which ones might be acceptable. So the command you describe
might need to be invoked several times per attempted connection.
Maybe you could propose a concrete specification for what you want? How
would the public key and user account be structured as arguments to the
> I think this will allow for much more powerful tricks. For example to do a
> database lookup with keys to identify and authorize or deny access and so
Note that the current API can still do a database lookup by the user
account, as long as the database is able to enumerate the keys that are
acceptable for authorizing access.
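The enumerate-by-user lookup described in the reply, sketched as an added example (not code from the thread or from OpenSSH): the helper prints one authorized_keys line per acceptable key for the given user and leaves the matching of offered keys to sshd. The `ssh_keys` table, its columns, the sample rows and the helper names are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand-style helper: enumerate a user's keys from a database."""
import base64
import sqlite3
import sys

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def wire_blob(key_type, body=b"\x00" * 32):
    """Build a constructed (non-functional) base64 key blob for the sample rows."""
    t = key_type.encode()
    return base64.b64encode(len(t).to_bytes(4, "big") + t + body).decode()

def valid_key(key_type, blob_b64):
    """Accept a row only if the type is allowed and matches the type inside the blob."""
    if key_type not in ALLOWED_TYPES:
        return False
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        return False
    n = int.from_bytes(blob[:4], "big")
    return len(blob) > 4 + n and blob[4:4 + n] == key_type.encode()

def authorized_keys_for(db, username):
    """Return authorized_keys lines for username; sshd does the key matching."""
    rows = db.execute(
        "SELECT key_type, key_blob, comment FROM ssh_keys "
        "WHERE username = ? AND revoked = 0", (username,))
    # Collapse whitespace in the comment so a stored newline cannot add a line.
    return [f"{t} {b} {' '.join(c.split())}".rstrip()
            for t, b, c in rows if valid_key(t, b)]

def demo_db():
    """In-memory stand-in for the real key database (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ssh_keys (username, key_type, key_blob, comment, revoked)")
    db.executemany("INSERT INTO ssh_keys VALUES (?, ?, ?, ?, ?)", [
        ("alice", "ssh-ed25519", wire_blob("ssh-ed25519"), "alice@laptop", 0),
        ("alice", "ssh-ed25519", wire_blob("ssh-ed25519", b"\x01" * 32), "old", 1),
        ("alice", "ssh-rsa", wire_blob("ssh-ed25519"), "type mismatch", 0),
        ("bob", "ssh-ed25519", wire_blob("ssh-ed25519"), "x\nssh-rsa AAAA evil", 0),
    ])
    return db

if __name__ == "__main__":
    # sshd invokes the command with the target username as its argument.
    for line in authorized_keys_for(demo_db(), sys.argv[1]):
        print(line)
```

An unknown user or a database with no usable rows yields no output, so no key from this source is authorized.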