AuthorizedKeysCommand idea

Stephen Harris lists at spuddy.org
Thu Jun 20 01:06:03 EST 2013


On Wed, Jun 19, 2013 at 10:10:28AM -0400, Michael W. Lucas wrote:
> LDAP key lookup has some limitations -- specifically, the common
> openssh-lpk_openldap schema won't let you add restrictions at the
> front of the key. This didn't matter so much when the LPK patch was
> such a pain, but now that OpenSSH can actually do this out of the box
> I'd like to use it.

Why use this schema, if it doesn't do what you want?  With the latest
version of OpenSSH you can pick your own ldapsearch command and so do
any schema you like.  You could even have the keys attached to the same
dn as the existing account object, if you wanted.

> This seems easy. Too easy. What am I missing?

Scalability, atomicity.  

Local databases do work (see seos/eTrust AC/Control Minder/name-of-the-day)
but a "push" model has performance issues.  A notification based pull model
scales better.  Handling the edge cases (server down; slow to respond; etc)
is where the fun starts in your model :-)

-- 

rgds
Stephen
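The approach Stephen describes (pick your own ldapsearch command and schema, and deal with the server-down and slow-to-respond cases yourself) can be sketched as a small AuthorizedKeysCommand script. This is an added example written for this page; it is not code from the list post or from OpenSSH. It assumes a hypothetical schema in which each key is one value of sshPublicKey and a per-user authorized_keys option string lives in a made-up attribute sshKeyOptions, a placeholder LDAP host and base DN, and that sshd discards the command's output when it exits non-zero (its behaviour as I understand it; check the sshd(8) of your release). It also assumes `timeout` from coreutils and OpenLDAP's `ldapsearch`.

```shell
#!/bin/sh
# Added example, not from the openssh-unix-dev post or from OpenSSH.
# Assumed sshd_config (hypothetical values):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authkeys %u
#   AuthorizedKeysCommandUser nobody
# Assumed hypothetical schema: sshPublicKey holds one key per value,
# sshKeyOptions holds an authorized_keys option string such as
# from="10.0.0.0/8",no-pty that is prepended to every key of that entry.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"          # placeholder host
LDAP_BASE="${LDAP_BASE:-ou=people,dc=example,dc=com}"   # placeholder base DN
LDAP_TIMEOUT="${LDAP_TIMEOUT:-5}"   # seconds; bounds the "slow to respond" case

# Turn LDIF (as printed by ldapsearch -LLL) into authorized_keys lines.
# Each sshPublicKey value is emitted with the entry's sshKeyOptions value,
# if any, in front of it, so the restrictions are enforced by sshd.
# LDIF continuation lines (leading space) are joined; base64 values ("::")
# are not handled in this example.
ldif_to_authkeys() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") process(buf); buf = $0 }
        END { if (buf != "") process(buf); flush() }
        function process(line) {
            if (line ~ /^dn: /) { flush(); opts = ""; nkeys = 0 }
            else if (line ~ /^sshKeyOptions: /) opts = substr(line, 16)
            else if (line ~ /^sshPublicKey: /) keys[++nkeys] = substr(line, 15)
        }
        function flush(   i) {
            for (i = 1; i <= nkeys; i++)
                print (opts != "" ? opts " " : "") keys[i]
            nkeys = 0; opts = ""
        }
    '
}

# Look up one account. Returns non-zero on any failure so that sshd does not
# act on partial output (assumption: a non-zero exit makes sshd ignore the
# command's keys and log the status).
lookup_user_keys() {
    user="$1"
    # Only plain account names may reach the LDAP filter; anything else is refused.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    # "timeout" bounds the wait so a slow or unreachable directory cannot
    # stall every login indefinitely; a timeout or search error fails closed.
    ldif=$(timeout "$LDAP_TIMEOUT" ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$user))" sshKeyOptions sshPublicKey) || return 1
    printf '%s\n' "$ldif" | ldif_to_authkeys
}

# Entry point when sshd runs this script with %u as its only argument.
case "${1:-}" in
    ?*) lookup_user_keys "$1"; exit $? ;;
esac
```

Failing closed here means a directory outage falls back to whatever AuthorizedKeysFile allows and nothing more; if you would rather keep logins working during an outage, the place to add a local, root-owned cache is around the ldapsearch call, keeping in mind that a stale cache also keeps revoked keys alive for as long as it is served.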


More information about the openssh-unix-dev mailing list