Damien Miller djm at
Tue Jan 15 08:21:20 EST 2013

On Mon, 14 Jan 2013, Katsumoto san wrote:

> Hi there,
> We could set an AuthorizedKeysCommand script; this will only allow replacing
> the authorized_keys file with keys stored in a database... But why is this
> command so limited?

The output of AuthorizedKeysCommand may contain any directive that is
allowed in authorized_keys, so it's actually quite powerful.

> Why can't I just set a command script which will get a username and public
> key as arguments and let it do its own authorization??
> I think this will allow for much more powerful tricks. For example, to do a
> database lookup with keys to identify and authorize or deny access and so
> on...

You'll have to explain this example more, because it seems to me that this
is well within the capabilities of the current AuthorizedKeysCommand.


More information about the openssh-unix-dev mailing list
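
Added example (not part of the original message or of OpenSSH): a sketch of an AuthorizedKeysCommand helper that does a database lookup and uses authorized_keys options to authorize, restrict or deny per key. It assumes sshd passes the username as the only argument; the table layout, sample rows, key blobs and the /usr/local/bin/run-backup path are constructed placeholders.

```python
#!/usr/bin/env python3
"""Hypothetical AuthorizedKeysCommand helper: prints authorized_keys lines for one user."""
import sqlite3
import sys

# Constructed sample rows: (username, key type, key blob placeholder,
# allowed source, forced command, enabled). A real helper queries its own store.
SAMPLE_ROWS = [
    ("alice", "ssh-ed25519", "AAAA_PLACEHOLDER_ALICE", "192.0.2.0/24", None, 1),
    ("backup", "ssh-ed25519", "AAAA_PLACEHOLDER_BACKUP", None, "/usr/local/bin/run-backup", 1),
    ("mallory", "ssh-ed25519", "AAAA_PLACEHOLDER_MALLORY", None, None, 0),
]
# Options attached to every key that is pinned to a forced command.
LOCKDOWN = ["no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", "no-pty"]

def open_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE keys (username TEXT, keytype TEXT, blob TEXT,"
               " source TEXT, forced_command TEXT, enabled INTEGER)")
    db.executemany("INSERT INTO keys VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return db

def quote(value):
    # Option values are double-quoted; refuse anything that could close the
    # quote early or start a new authorized_keys line.
    if any(c in value for c in '"\\\r\n'):
        raise ValueError("unsafe character in option value")
    return '"' + value + '"'

def authorized_keys_lines(db, username):
    lines = []
    rows = db.execute("SELECT keytype, blob, source, forced_command FROM keys"
                      " WHERE username = ? AND enabled = 1", (username,))
    for keytype, blob, source, forced_command in rows:
        if any(c.isspace() for c in keytype + blob):
            continue  # malformed record: skip it rather than emit a bad line
        options = []
        if source:
            options.append("from=" + quote(source))
        if forced_command:
            options += ["command=" + quote(forced_command)] + LOCKDOWN
        prefix = ",".join(options) + " " if options else ""
        lines.append(prefix + keytype + " " + blob)
    return lines  # an empty list means no key is accepted for this user

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(1)
    for line in authorized_keys_lines(open_sample_db(), sys.argv[1]):
        print(line)
```

Denial is expressed by printing nothing for the user, while restrictions ride along as options on each emitted key line.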