bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-19 19:37 UTC
[Bug 2932] New: Support customised AuthorizedKeysFile on the remote host
https://bugzilla.mindrot.org/show_bug.cgi?id=2932

            Bug ID: 2932
           Summary: Support customised AuthorizedKeysFile on the remote host
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-copy-id
          Assignee: unassigned-bugs at mindrot.org
          Reporter: john at nextraweb.com

Created attachment 3207
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3207&action=edit
[PATCH] Support for sshd authorizedkeysfile variable

For servers that do not default to ~/.ssh/authorized_keys, adding keys to their specific file requires further steps to fix on the host.

It's possible once ssh'd into a box to run `sshd -T` to get the variable for authorized_keys for this user, so this supplied patch does that.

Patch also does expansion for %%, %u, %h, and tries to default back to ~/.ssh/authorized_keys if there is a failure.

My concern, though, is that even though the sshd_config manfile suggests quotation support (Arguments may optionally be enclosed in double quotes (") in order to represent arguments containing spaces.) for these variables, the output of `sshd -T` is bare:

john at hydrogen ~ ? grep AuthorizedKeysFile /etc/ssh/sshd_config
AuthorizedKeysFile "quoted file name" settings/config/ssh/authorized_keys
john at hydrogen ~ ? sshd -T 2> /dev/null | grep authorizedkeysfile
authorizedkeysfile quoted file name settings/config/ssh/authorized_keys
john at hydrogen ~ ? sshd -v
OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n 7 Dec 2017

Which suggests this patch is not good enough as it is to support these configurations.

--
You are receiving this mail because:
You are watching the assignee of the bug.
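The token expansion and the quoting ambiguity described in the report above, as an added example that is not part of the original thread or of attachment 3207. The helper names expand_akf and akf_patterns, the user john and the home directory /home/john are assumptions; the sample line is the `sshd -T` output quoted in the report.

```shell
#!/bin/sh
# Added example; expand_akf and akf_patterns are hypothetical helper names.

# Expand the %%, %h and %u tokens in one AuthorizedKeysFile pattern.
# usage: expand_akf PATTERN USER HOME
expand_akf() {
    pat=$1; user=$2; home=$3; out=
    while [ -n "$pat" ]; do
        case $pat in
            %%*) out="$out%";     pat=${pat#'%%'} ;;
            %h*) out="$out$home"; pat=${pat#'%h'} ;;
            %u*) out="$out$user"; pat=${pat#'%u'} ;;
            *)   rest=${pat#?}              # copy one literal character
                 first=${pat%"$rest"}
                 out=$out$first; pat=$rest ;;
        esac
    done
    # sshd_config(5): after expansion the path is absolute or relative to
    # the user's home directory.
    case $out in
        /*) printf '%s\n' "$out" ;;
        *)  printf '%s\n' "$home/$out" ;;
    esac
}

# Print, one per line, the patterns on the authorizedkeysfile line of
# `sshd -T` output passed as $1; fall back to the default when absent.
akf_patterns() {
    line=$(printf '%s\n' "$1" | grep -i '^authorizedkeysfile ' | head -n 1)
    set -f                       # no globbing while word-splitting
    set -- ${line#* }
    set +f
    [ $# -gt 0 ] || set -- .ssh/authorized_keys
    printf '%s\n' "$@"
}

# Sample input taken from the report above: the config holds two entries,
# but the unquoted `sshd -T` line splits into four.
sample='authorizedkeysfile quoted file name settings/config/ssh/authorized_keys'
akf_patterns "$sample" | while IFS= read -r p; do
    expand_akf "$p" john /home/john
done
```

Only the last of the four printed paths matches a file the server would actually consult, which is why a key written to the first candidate can end up in a file sshd never reads.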
bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-20 08:18 UTC
[Bug 2932] Support customised AuthorizedKeysFile on the remote host
https://bugzilla.mindrot.org/show_bug.cgi?id=2932

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
sshd_config is not generally readable for normal users so your patch will actually work only for root logins.
bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-20 12:33 UTC
[Bug 2932] Support customised AuthorizedKeysFile on the remote host
https://bugzilla.mindrot.org/show_bug.cgi?id=2932

--- Comment #2 from John Drinkwater <john at nextraweb.com> ---
(In reply to Jakub Jelen from comment #1)
> sshd_config is not generally readable for normal users so your patch
> will actually work only for root logins.

What do you mean by generally here, just Red Hat distros? most non-Ubuntu?
For example it's readable via sshd on these Debian installs, for normal and root users.

Fully understand that ssh-copy-id is likely not where the work should be done to make this feature happen.
bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-20 14:15 UTC
[Bug 2932] Support customised AuthorizedKeysFile on the remote host
https://bugzilla.mindrot.org/show_bug.cgi?id=2932

--- Comment #3 from John Drinkwater <john at nextraweb.com> ---
Think if I could get a patch into sshd to publish SSH_AUTHORIZEDKEYFILE during environment creation, this patch would be cleaner and fallback would still be supported for old versions: eg ${SSH_AUTHORIZEDKEYFILE:=.ssh/authorized_keys}, though it would still need the extra dirname.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22 11:30 UTC
[Bug 2932] Support customised AuthorizedKeysFile on the remote host
https://bugzilla.mindrot.org/show_bug.cgi?id=2932

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
First, we don't maintain ssh-copy-id though we do ship it in contrib/ as a convenience. The maintainer is Phil Hands and he has a git tree at http://git.hands.com/ssh-copy-id.git

I don't think we're interested in exposing the sshd_config via environment variables - there are many options that people might want (too many for us to support all conceivable ones), but all of them are pretty niche.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22 11:31 UTC
[Bug 2932] Support customised AuthorizedKeysFile on the remote host
https://bugzilla.mindrot.org/show_bug.cgi?id=2932

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED
bugzilla-daemon at mindrot.org
2021-Apr-23 05:08 UTC
[Bug 2932] Support customised AuthorizedKeysFile on the remote host
https://bugzilla.mindrot.org/show_bug.cgi?id=2932

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release