Xiaoguang WANG
2021-Jul-20 10:50 UTC
Use cases for different AuthorizedKeysCommand and AuthorizedKeysFile orders
Before OpenSSH 8, AuthorizedKeysCommand came before AuthorizedKeysFile. From OpenSSH 8, AuthorizedKeysFile is always before AuthorizedKeysCommand. The determinate order is good for login behavior and security audit.

From the user side, can the order be set manually?

A real use case for making AuthorizedKeysCommand before AuthorizedKeysFile:

* The authorized_keys file is only used for emergency use.
* Every login is checked by the authorized keys command (it can use other servers to auth through the network), and the command can return "force nologin" to disable the keys in authorized_keys.
* In emergency cases (e.g. network failure, or command corruption), the emergency key in authorized_keys can still be used to recover the system.

If the OpenSSH server can introduce an option like "AuthorizedKeysOrder command,file", it would help a lot.
Jochen Bern
2021-Jul-21 09:09 UTC
Use cases for different AuthorizedKeysCommand and AuthorizedKeysFile orders
On 20.07.21 12:50, Xiaoguang WANG wrote:
> * The authorized_keys file is only used for emergency use.
> * Every login is checked by authorized keys command (it can use other
> servers to auth through the network), and the command can return
> "force nologin" to disable the keys in authorized_keys.
> * In emergency cases (eg: network failure, or command corruption), the
> emergency key in authorized_keys can still be used to recover the
> system.

I don't know how much effort OpenSSH spends on making the AuthorizedKeysCommand API failsafe, but just on general principle, *shouldn't* an AuthorizedKeysFile "for emergencies" be considered *before* an AuthorizedKeysCommand that may be affected (indefinite hang?) by said emergency?

Otherwise: You IMHO could point AuthorizedKeysFile to an empty file and replace the current AuthorizedKeysCommand by something like

    #!/bin/sh
    F="/the/ACTUAL/file/with_the/emergency.pubkeys"
    # Run the real command first so its keys are printed first.
    /the/original/AuthorizedKeysCommand "$@"
    X=$?
    if [ -r "$F" ]; then
        # Append the emergency keys after the command's output,
        # then exit with the original command's status.
        cat "$F"
        exit $X
    else
        logger "Emergency config $F is missing or unreadable!!"
        exit 1
    fi

to get the order you want. (Assuming a unixoid system, that is.)

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
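A variant of that wrapper, added here as my own example (not Jochen's script and not OpenSSH code), which bounds the upstream command's run time with coreutils `timeout` so the indefinite hang Jochen mentions cannot block the emergency keys, and which exits 0 once the emergency keys have been printed, because sshd discards everything an AuthorizedKeysCommand printed when it exits non-zero. The sshd_config lines, the wrapper path and the key file paths are assumptions.

```shell
#!/bin/sh
# Added example (not Jochen's script or OpenSSH code): the same wrapper idea
# with the upstream command's run time bounded, so a hung network lookup
# cannot block the emergency keys. Assumed sshd_config:
#   AuthorizedKeysFile        /etc/ssh/empty_keys      (an empty file)
#   AuthorizedKeysCommand     /usr/local/sbin/authkeys-wrapper %u
#   AuthorizedKeysCommandUser nobody
# Needs coreutils 'timeout'; all paths below are placeholders.

log() { logger -t authkeys-wrapper -- "$*" 2>/dev/null || printf '%s\n' "$*" >&2; }

# emit_keys UPSTREAM EMERGENCY_FILE LIMIT_SECONDS [UPSTREAM_ARGS...]
# Prints the upstream command's keys first, then the emergency keys, so sshd
# matches them in that order. sshd discards everything the command printed
# when it exits non-zero, so return 0 whenever the emergency keys were
# printed, even if the upstream command failed or timed out.
emit_keys() {
    upstream=$1; emergency=$2; limit=$3; shift 3
    status=0
    # Coreutils timeout exits 124 when the limit is hit. The upstream script
    # should exec its final command so the signal reaches the process that
    # holds stdout open; otherwise sshd keeps waiting for EOF on the pipe.
    timeout "$limit" "$upstream" "$@" || status=$?
    if [ "$status" -eq 124 ]; then
        log "upstream $upstream timed out after ${limit}s"
    elif [ "$status" -ne 0 ]; then
        log "upstream $upstream exited with status $status"
    fi
    if [ -r "$emergency" ]; then
        cat "$emergency"
        return 0
    fi
    log "emergency key file $emergency missing or unreadable"
    return "$status"
}

# sshd always passes the %u argument; with no arguments (e.g. when sourced
# for testing) only the functions are defined.
[ $# -eq 0 ] || { emit_keys /the/original/AuthorizedKeysCommand /etc/ssh/emergency.pubkeys 5 "$@"; exit $?; }
```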