Authenticate against key files before AuthorizedKeysCommand

Andrei Gherzan andrei at balena.io
Tue May 21 01:21:47 AEST 2019


Hello,

Currently OpenSSH has a fixed order on how the key authenticates the
user: at first it tries to authenticate against TrustedUserCAKeys,
afterwards it does it against the output keys from the
AuthorizedKeysCommand and finally against the files as set in
AuthorizedKeysFile. I have a use case where this order is not ideal.
This is because in my case the command fetches keys from the cloud which
due to connectivity issues (and whatnot) might time out and the fallback
to the auth keys file will only happen after this timeout. In my case,
checking it first and only falling back to the cloud keys would help. This
would make the cloud keys the fallback, which is fine even if it times
out because there is no other fallback afterwards (existing public
keys would have been tried).

Do you think such a feature would make sense? If yes, how would you
recommend going about it? I was thinking of having a priority
configuration variable of some sort that would decide the order I'm
mentioning above or even a simple configuration flag like
AuthorizedKeysCommandBeforeFile (default to true). I'm willing to send a
patch if this is considered upstreamable.

Regards,

-- 
Andrei Gherzan
gpg: rsa4096/D4D94F67AD0E9640 | t: @agherzan
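One way to get a fast fallback to AuthorizedKeysFile without changing sshd's fixed order, as an added example that is not part of this message or of OpenSSH: wrap the cloud lookup so that a hung backend returns an empty key list within a bounded time. The script path, the backend URL and the 3-second limit are assumptions.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand wrapper (added example, not OpenSSH code).
# sshd_config lines assumed:
#   AuthorizedKeysCommand /usr/local/sbin/cloud-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
# sshd requires the script to be owned by root and not group/world writable.
# Seconds to wait for the cloud backend before giving up (assumed default).
CLOUD_KEYS_TIMEOUT="${CLOUD_KEYS_TIMEOUT:-3}"

# keep_valid_keys: pass only lines shaped like OpenSSH public keys, so an
# unexpected backend response cannot smuggle in authorized_keys options
# (option-prefixed lines are dropped; relax this if the backend may set them).
keep_valid_keys() {
    grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' || true
}

# run_bounded SECONDS CMD... : run an external CMD under a hard time limit.
# On timeout (exit 124) or any failure, print no keys and exit 0, so sshd
# sees an empty result from the command and falls through to
# AuthorizedKeysFile instead of waiting out the backend's own network timeout.
run_bounded() {
    limit="$1"; shift
    if resp=$(timeout "$limit" "$@" 2>/dev/null); then
        printf '%s\n' "$resp" | keep_valid_keys
    else
        return 0
    fi
}

# cloud_keys_for USER: fetch USER's keys from the backend (placeholder URL).
cloud_keys_for() {
    run_bounded "$CLOUD_KEYS_TIMEOUT" curl -fsS --max-time "$CLOUD_KEYS_TIMEOUT" \
        "https://keys.example.invalid/v1/users/$1/ssh-keys"
}

# Only perform the lookup when sshd invokes the installed script with a user name.
if [ "$#" -ge 1 ] && [ "$(basename -- "$0")" = "cloud-authorized-keys" ]; then
    cloud_keys_for "$1"
fi
```

The bound has to be shorter than the client's willingness to wait; the keys in AuthorizedKeysFile are still only consulted after the command returns, so this shrinks the delay rather than reordering the sources.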



More information about the openssh-unix-dev mailing list