Bostjan Skufca bostjan at
Tue Jan 15 04:00:59 EST 2013

Seems very useful.

Implementation-wise I would not exclude AuthorizedKeysFile if
AuthorizedKeysCommand was present, because if the script will be connecting to
external services which may fail or hang, one still needs access to
the machine in case of emergency.
In this respect, execution of the external command should be time-limited to
avoid locking the admin out of the system in troubled times.


On 14 January 2013 16:36, Katsumoto san <shogun147 at> wrote:

> Hi there,
> We could set an AuthorizedKeysCommand script, this will allow only to replace
> the authorized_keys file with keys stored in a database... But why is this command
> so limited?
> Why can't I just set a command script which will get a username and public
> key as arguments and let it do its own authorization??
> I think this will allow for much more powerful tricks. For example, to do a
> database lookup with keys to identify and authorize or deny access and so
> on...
> So is this so difficult to do? What do you all think about this?
> Thanks.
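Added example, not part of the original thread and not OpenSSH project code: a wrapper that could be named in `AuthorizedKeysCommand`, showing the time limit discussed above. It returns no keys when the backend fails or hangs, so access then depends only on the local `AuthorizedKeysFile`. `LOOKUP_CMD`, `LOOKUP_TIMEOUT`, `fetch_keys` and the backend path are hypothetical names, and the sketch assumes a `timeout(1)` utility such as the coreutils one.

```shell
#!/bin/sh
# Added example: time-limited key lookup for use as an AuthorizedKeysCommand.
# LOOKUP_CMD and LOOKUP_TIMEOUT are hypothetical names, not sshd settings.
LOOKUP_CMD=${LOOKUP_CMD:-/usr/local/libexec/key-lookup}  # hypothetical backend client
LOOKUP_TIMEOUT=${LOOKUP_TIMEOUT:-5}                       # seconds

# Print authorized_keys lines for user $1, or nothing on any failure.
fetch_keys() {
    user=$1
    # Refuse anything that is not a plain account name before passing it on.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) return 0 ;;
    esac
    # TERM at the limit, KILL two seconds later if the backend ignores it.
    # A non-zero status (including a timeout) discards partial output.
    out=$(timeout -k 2 "$LOOKUP_TIMEOUT" "$LOOKUP_CMD" "$user" 2>/dev/null) \
        || return 0
    # Pass through only plain "type base64 [comment]" lines; this sketch
    # deliberately drops lines that carry authorized_keys options.
    printf '%s\n' "$out" |
        grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( |$)' \
        || true
}

# sshd passes the account name as the first argument.
fetch_keys "$1"
```

Always exiting 0 with empty output keeps a backend outage from turning into an error path inside the wrapper; the emergency key in the local file is what the admin falls back on.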