Van Dyke's Public Key Assistant
Dan Kaminsky
dan at doxpara.com
Fri May 21 17:08:15 EST 2004
I'd been thinking for some time we need something better than my present
fuglier-than-thou solution, something along the lines of:
cat ~/.ssh/id_dsa.pub | ssh user at host "cat >> ~/.ssh/authorized_keys2"
There are just so many things that can go wrong -- replacing > for >>,
some sites need it to be authorized_keys, etc. If there's a mildly
standardized subsystem, I can't imagine what'd be bad about adding
support for it to OpenSSH. We could even somewhat safely support an
escape command to automatically add "this identity" to the local
authorized key, inside a separate channel (ssh2 only). We can do this
now with the above hack, but...not as elegantly as any of us might like.
--Dan
Damien Miller wrote:
>Randy Gordey wrote:
>
>
>
>>Jeff Van Dyke's "Public Key Assistant subsystem" was previously discussed
>>here: (end of a short thread)
>>
>>http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103436908422003&w=2
>>
>>I do see a few comments that seem to point out his arrogance and some
>>disgust about OpenBSD's RCSID, but has anybody found it to be unsecure or if
>>it was bug ridden. The subject sorta dies right there. If you follow the
>>links on www.vandyke.com, they still seem to be maintaining the patch...
>>
>>
>
>Speaking personally, I haven't had time too look at it.
>
>
>
>>Even if it was never going to be part of the RFC and might be only mildly
>>popular is there a technical reason the OpenSSH project's source should not
>>include his patch? Does it hamstring security?
>>
>>
>
>Every patch has security implications, things that manipulate
>authorisation databases (such as authorized_keys) require additional
>scrutiny.
>
>-d
>
>_______________________________________________
>openssh-unix-dev mailing list
>openssh-unix-dev at mindrot.org
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
More information about the openssh-unix-dev
mailing list