Feature rqst/Patch: Attempted key's fp in env to AuthorizedKeysCommand

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 10 05:55:21 EST 2014


On 10/09/2014 02:38 PM, Micah Cowan wrote:
> Hello. My employer (Akamai Technologies) had a case where they wanted to
> manage a large number (tens of thousands) of authorized keys for a
> single user.
> 
> I'm sure there may be alternatives to that sort of use case, but at any
> rate it was decided that the simplest way to proceed would be to use
> OpenSSH's AuthorizedKeysCommand config option, with the extension that
> the attempted key's fingerprint would be placed in the environment of
> the command, so that it could use it as an index, and limit its output
> to only the relevant key, so that OpenSSH wouldn't spin around,
> linearly processing a large number of keys to be thrown away in a moment.

Thanks for working on this, Micah, and for publishing your patch.  Are
you aware of:

  https://bugzilla.mindrot.org/show_bug.cgi?id=2081

This feedback should probably go to that bug report.

FWIW, I think if we're supplying the key, there's no sense in supplying
just the fingerprint -- go ahead and supply the whole key, and let the
AuthorizedKeysCommand do whatever digesting it wants to do.

	--dkg
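
An added example (not code from this thread or from OpenSSH) of the indexed AuthorizedKeysCommand the thread describes, following dkg's suggestion of passing the whole key and letting the command do the digesting. It assumes sshd hands the presented key's type and base64 blob to the command as two arguments (later OpenSSH releases can supply these through the %t and %k sshd_config tokens); KEY_STORE, lookup and the sample key are constructed for illustration.

```python
#!/usr/bin/env python3
"""AuthorizedKeysCommand using the presented key as a lookup index (added example).
sshd runs it as: script <key-type> <base64-blob> (later OpenSSH releases can supply
these with the %t and %k tokens); only the matching authorized_keys line is printed."""
import base64
import hashlib
import sys
from typing import Optional

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length prefix followed by the bytes."""
    return len(data).to_bytes(4, "big") + data

def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public-key blob of an ssh-ed25519 key: the type string plus the 32-byte key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)

def key_b64(blob: bytes) -> str:
    """Base64 form of a key blob, exactly as it is written in authorized_keys."""
    return base64.b64encode(blob).decode()

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint of the whole blob in ssh-keygen's notation (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

# Constructed sample store (fingerprint -> full authorized_keys line); a real
# deployment would keep this in a database or one file per fingerprint.
SAMPLE_BLOB = ed25519_blob(bytes(range(32)))  # constructed bytes, not a real key
KEY_STORE = {fingerprint(SAMPLE_BLOB):
             f'command="/usr/bin/true" ssh-ed25519 {key_b64(SAMPLE_BLOB)} build-bot@example'}

def lookup(key_type: str, presented_b64: str) -> Optional[str]:
    """Return the one authorized_keys line matching the presented key, or None."""
    try:
        blob = base64.b64decode(presented_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    line = KEY_STORE.get(fingerprint(blob))
    # The returned line must carry exactly the presented key, so a stale or
    # corrupted index can never hand sshd a key other than the one offered.
    fields = line.split() if line else []
    i = fields.index(key_type) if key_type in fields else -1
    if i < 0 or fields[i + 1:i + 2] != [presented_b64]:
        return None
    return line

if __name__ == "__main__":  # argv: <key-type> <base64-blob>
    match = lookup(*sys.argv[1:3])
    if match:
        print(match)
```

sshd still verifies the client's signature against whatever line is returned; the command only narrows the candidate list, and should run under a dedicated, unprivileged AuthorizedKeysCommandUser.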
