AuthorizedKeysCommand idea
Michael W. Lucas
mwlucas at michaelwlucas.com
Thu Jun 20 00:10:28 EST 2013
Hi,
I've been kicking this idea around, and the problem with it escapes
me. I'm looking for someone to tell me why this is a bad idea.
The new OpenSSH includes the AuthorizedKeysCommand, which was mostly
added to let people use a command to look up user keys in LDAP.
LDAP key lookups have some limitations -- specifically, the common
openssh-lpk_openldap schema won't let you add restrictions at the
front of the key. This didn't matter so much when the LPK patch was
such a pain, but now that OpenSSH can actually do this out of the box
I'd like to use it.
So:
What about using a SQLite database, copied to all machines, and a
simple sqlite lookup for AuthorizedKeysCommand?
If a user can't log into the local machine, because PAM or no local
account or whatever, the presence of the key shouldn't matter.
For key adds/changes/deletions, I just push the new sqlite DB to all
my machines.
This seems easy. Too easy. What am I missing?
Thanks,
==ml
--
Michael W. Lucas - mwlucas at michaelwlucas.com, Twitter @mwlauthor
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
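One way to realise the lookup described in the post, as an added example that is not code from the post or from OpenSSH: a small Python script that sshd runs through AuthorizedKeysCommand with the login name (%u), reads a replicated SQLite file, and prints authorized_keys-format lines with the restriction options placed in front, which is what the openssh-lpk schema cannot express. The table schema, the database path and the sample rows (fake key material) are assumptions constructed for this example.

```python
#!/usr/bin/env python3
"""Hypothetical AuthorizedKeysCommand backed by a replicated SQLite file.

sshd_config (assumed):  AuthorizedKeysCommand /usr/local/sbin/ssh-keys-from-sqlite %u
sshd reads authorized_keys lines from stdout; no output means no key match."""
import os
import sqlite3
import sys
import tempfile

DB_PATH = "/var/db/ssh_keys.sqlite"   # assumed location of the pushed copy
SCHEMA = """
CREATE TABLE IF NOT EXISTS ssh_keys (
    username TEXT NOT NULL,
    options  TEXT,            -- e.g. 'from="192.0.2.0/24",no-pty' (may be NULL)
    keytype  TEXT NOT NULL,   -- e.g. 'ssh-ed25519'
    keydata  TEXT NOT NULL,   -- base64 key blob
    comment  TEXT
);
"""

def authorized_keys_for(db_path: str, username: str) -> list:
    """Return authorized_keys lines for one user, options first."""
    # Open read-only: the lookup must never modify the replicated file.
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT options, keytype, keydata, comment FROM ssh_keys "
            "WHERE username = ? ORDER BY keytype, keydata", (username,)).fetchall()
    finally:
        conn.close()
    lines = []
    for options, keytype, keydata, comment in rows:
        fields = [options] if options else []
        fields += [keytype, keydata]
        if comment:
            fields.append(comment)
        lines.append(" ".join(fields))
    return lines

def make_sample_db() -> str:
    """Build a throwaway DB with constructed (fake) keys; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "ssh_keys.sqlite")
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ssh_keys VALUES (?,?,?,?,?)", [
        ("alice", 'from="192.0.2.0/24",no-port-forwarding', "ssh-ed25519", "AAAAC3FAKEalice1", "alice@laptop"),
        ("alice", None, "ssh-rsa", "AAAAB3FAKEalice2", None),
        ("bob", 'command="/usr/local/bin/backup"', "ssh-ed25519", "AAAAC3FAKEbob", "backup-only"),
    ])
    conn.commit()
    conn.close()
    return path

if __name__ == "__main__":
    print("\n".join(authorized_keys_for(DB_PATH, sys.argv[1])))
```

Pair it with AuthorizedKeysCommandUser set to an unprivileged account, and keep the script and its directories root-owned and not writable by group or others, or sshd will refuse to run it. Account checks (PAM, missing local user, locked password) still happen in sshd independently of what this command returns.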