Iain Morgan imorgan at
Tue Jan 15 06:22:36 EST 2013

On Mon, Jan 14, 2013 at 09:36:26 -0600, Katsumoto san wrote:
> Hi there,
> We could set AuthorizedKeysCommand script, this will allow only to replace
> authorized_keys file with keys stored in a database... But why this command
> is so limited?
> Why i can't just set a command script which will get a username and public
> key as arguments and let him do it's own authorization??
> I think this will allow for much more powerful tricks. For example do to an
> database lookup with keys to identify and authorize or deny access and so
> on...
> So is this so difficult to do? What do you all think about this?

I believe the intent was to minimize the risks by keeping the
implementation simple. However, you can embed some flexibility either
in the command which you invoke or, potentiall, in the repository used
to store the keys.

I don't quite see the advantage of the approach that you are suggesting.
Could you elaborate on it a bit? What sort of "tricks" are you thinking

Iain Morgan

More information about the openssh-unix-dev mailing list