shogun147 at gmail.com
Thu Jan 17 04:12:01 EST 2013
14.01.13 21:22, Iain Morgan пишет:
> On Mon, Jan 14, 2013 at 09:36:26 -0600, Katsumoto san wrote:
>> Hi there,
>> We could set AuthorizedKeysCommand script, this will allow only to
>> authorized_keys file with keys stored in a database... But why this
>> is so limited?
>> Why i can't just set a command script which will get a username and
>> key as arguments and let him do it's own authorization??
>> I think this will allow for much more powerful tricks. For example
do to an
>> database lookup with keys to identify and authorize or deny access
>> So is this so difficult to do? What do you all think about this?
> I believe the intent was to minimize the risks by keeping the
> implementation simple. However, you can embed some flexibility either
> in the command which you invoke or, potentiall, in the repository used
> to store the keys.
> I don't quite see the advantage of the approach that you are suggesting.
> Could you elaborate on it a bit? What sort of "tricks" are you thinking
More flexible doesn't mean more difficult or risky.
The advantages is like you've said flexibility, a lot of flexibility.
The users may write custom acl's and so on... why to limit them? For ex.
Github uses his own patched ssh which allow to lookup a database for pub
keys, this allow to users access repos with
git at github.com:username/repository, so git "namespace" for many users...
and many more advantages allowed by this approach.
More information about the openssh-unix-dev