Use cases for different AuthorizedKeysCommand and AuthorizedKeysFile orders

Xiaoguang WANG wxiaoguang at gmail.com
Tue Jul 20 20:50:09 AEST 2021


Before OpenSSH 8, AuthorizedKeysCommand came before
AuthorizedKeysFile. From OpenSSH 8, AuthorizedKeysFile is always
before AuthorizedKeysCommand.

The determinate order is good for login behavior and security audit.

>From the user side, can the order be set manually?


A real use case for making AuthorizedKeysCommand before AuthorizedKeysFile:

* The authorized_keys file is only used for emergency use.
* Every login is checked by authorized keys command (it can use other
servers to auth through the network), and the command can return
"force nologin" to disable the keys in authorized_keys.
* In emergency cases (eg: network failure, or command corruption), the
emergency key in authorized_keys can still be used to recover the
system.

If OpenSSH server can introduce an option like "AuthorizedKeysOrder
command,file", it would help a lot.


More information about the openssh-unix-dev mailing list