AuthorizedKeysCommand idea

Phil Pennock phil.pennock at globnix.org
Thu Jun 20 04:35:03 EST 2013


On 2013-06-19 at 10:10 -0400, Michael W. Lucas wrote:
> What about using a SQLite database, copied to all machines, and a
> simple sqlite lookup for AuthorizedKeysCommand?
> 
> If a user can't log into the local machine, because PAM or no local
> account or whatever, the presence of the key shouldn't matter.
> 
> For key adds/changes/deletions, I just push the new sqlite DB to all
> my machines.
> 
> This seems easy. Too easy. What am I missing?

It's easier than that: you don't need an SQLite DB or
AuthorizedKeysCommand support.  Once you already have all of the
infrastructure to control which keys exist for which users, you can
manage a directory with files named for the user and N keys per file.

Then you can deploy that with puppet/chef/rsync/whatever.

In sshd_config you just set:
  AuthorizedKeysFile /opt/mycompany/etc/sshkeys/%u

This works, and has worked, for years, minimizes complexity at login
time, makes audit easy and generally is something I've seen used, or
have set up, in many places for at least a decade (with patches to
pre-openssh sshd, originally).

-Phil
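As an added example (not code from the post or from OpenSSH), here is a small shell script in the shape of what Phil describes: one file per user in a directory that sshd is pointed at with `AuthorizedKeysFile /opt/mycompany/etc/sshkeys/%u`, written by whatever pushes the files out, and a check that catches the two things that silently break this layout in practice. The checks assume sshd's default `StrictModes yes`, which refuses a key file (or any parent directory) that is group- or world-writable, and they apply a simple syntax allow-list for key lines. The key-type list, the directory used in the demo and the key strings are all constructed for the example and are not real keys.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: build and sanity-check a
# per-user authorized_keys directory to be used with
#   AuthorizedKeysFile /opt/mycompany/etc/sshkeys/%u
# Everything below (key types allow-list, demo directory, key strings) is
# constructed for the example.

# Key types a line may start with (constructed allow-list; extend as needed).
KEY_TYPES='ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com'

# write_user_keys DIR USER KEYLINE...
# Writes DIR/USER containing one key per line, mode 0644, directory 0755.
# (In deployment the files should be owned by root; StrictModes accepts
# root or the user as owner.)
write_user_keys() {
  dir=$1; user=$2; shift 2
  umask 022
  mkdir -p "$dir"
  : > "$dir/$user"
  for line in "$@"; do
    printf '%s\n' "$line" >> "$dir/$user"
  done
  chmod 0644 "$dir/$user"
}

# not_writable_by_others PATH : true if PATH is neither group- nor
# world-writable (parsed from the ls -ld mode string, which is portable).
not_writable_by_others() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case $mode in
    ?????w*|????????w*) return 1 ;;   # group write (col 6) or other write (col 9)
  esac
  return 0
}

# check_keydir DIR : return 0 if the directory and every file in it pass,
# 1 otherwise, printing each problem found.
check_keydir() {
  dir=$1; status=0
  if ! not_writable_by_others "$dir"; then
    echo "BAD perms on directory: $dir"; status=1
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    if ! not_writable_by_others "$f"; then
      echo "BAD perms: $f"; status=1
    fi
    # Every non-blank, non-comment line must look like
    #   [options] <type> <base64> [comment]
    # (options are allowed only as a single space-free field here).
    if grep -Ev '^[[:space:]]*(#|$)' "$f" \
       | grep -Evq "^([^ ]+ )?($KEY_TYPES) AAAA[0-9A-Za-z+/]+=*( .*)?$"; then
      echo "BAD key line in $f"; status=1
    fi
  done
  return $status
}

# Demo run (constructed data, not real keys):
#   d=$(mktemp -d)
#   write_user_keys "$d" alice 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForAlice00000000000000000000 alice@laptop'
#   check_keydir "$d" && echo "OK: $d is ready to be deployed"
```

After the files are in place, `sshd -t` checks that the sshd_config line parses; the script above covers what `sshd -t` does not, namely the file permissions that `StrictModes` will reject at login time and key lines that were mangled on the way through the push.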

