Authenticate against key files before AuthorizedKeysCommand
Andrei Gherzan
andrei at balena.io
Tue May 21 19:53:16 AEST 2019
Hello,
On 20/05/2019 19.24, Morgan, Iain (ARC-TN)[InuTeq, LLC] wrote:
> Couldn't you accomplish the same thing with your AuthorizedKeysCommand? You could have it check for local authorized_keys files first, and then only fall back to the cloud if necessary. Depending on how complex you are willing to make the AuthorizedKeysCommand, you could implement some form of caching to further reduce the dependency on the cloud.
Sadly that doesn't work because the AuthorizedKeysCommand output is
buffered and afterwards checked against the key. See:
https://github.com/openssh/openssh-portable/blob/master/auth2-pubkey.c#L883
.
--
Andrei Gherzan
gpg: rsa4096/D4D94F67AD0E9640 | t: @agherzan
More information about the openssh-unix-dev
mailing list