Hi,

In a mail about two weeks ago, I brought up an idea:

---
How SSH makes this easier is that you only have to sync the authorized_keys2 database to root account's .ssh/ every time new admin comes in/leaves the house. This can even be automatized rather easily.

A more modular hack would be using authorized_keys2 _directory_, and the keys in there would all be counted as authorized. Thus only one file copy/removal would do the job, no need for sync; this would be profitable in environments where all admins don't have access to all systems.
---

Root would not be the only one to profit from this; you would only need to copy the pubkey file in the right dir (with a descriptive name if you like!), and authorization would work without file editing. Also, if you need to refresh just one key, you could just scp that one over, no need to edit the file either.

The more I think of this, this sounds more and more like a nice feature to have :-). It'd probably better be like .ssh/authorized_keys.d/ or the like, I suppose.

What do you think -- would this be useful? Bloat? Could it be considered to be merged if it was implemented?

I made some preliminary checking, and I don't think this would add too much new code; look up all files in the directory, disqualify those with odd characters in them (e.g. allow [0-9a-zA-Z_.@-]), insert the rest to current key check method one by one until a matching key is found.

Btw, I noticed when comparing auth-rsa.c/auth2.c that auth2.c does not print debug message:

--- openssh-cvs/auth2.c Sat Jun 2 11:14:21 2001 +++ openssh.fix/auth2.c Sat Jun 2 11:13:40 2001
@@ -26,6 +28,8 @@ if (!f) { /* Restore the privileged uid. */ restore_uid(); + packet_send_debug("Could not open %.900s for reading.", file); + packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); return 0; } if (options.strict_modes) {

was this left out by design, or a leftover in auth-rsa.c ?

--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"Tell me of difficulties surmounted, not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords

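
The lookup sketched in the mail above (scan the directory, keep only names matching [0-9a-zA-Z_.@-], try each file until a key matches) could look like the following. This is an added example, not code from the thread or from OpenSSH: key_filename_ok, owner_mode_ok, scan_key_dir and the check callback (a stand-in for the existing per-file key comparison) are hypothetical names, and the ownership/mode test is an assumption modelled on what StrictModes does for authorized_keys.

```c
/* Added illustration, not OpenSSH code; every name below is hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Allowlist from the proposal, [0-9a-zA-Z_.@-]; dotfiles are skipped too. */
int key_filename_ok(const char *name)
{
    static const char allowed[] = "0123456789abcdefghijklmnopqrstuvwxyz"
                                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ_.@-";
    size_t len = strlen(name);
    if (len == 0 || name[0] == '.')
        return 0;
    return strspn(name, allowed) == len;
}

/* Assumed policy, in the spirit of StrictModes: owned by uid, no g/o write. */
static int owner_mode_ok(const struct stat *st, uid_t uid)
{
    return st->st_uid == uid && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}
/* Try check(fd) on each acceptable file; 1 = match, 0 = none, -1 = bad dir. */
int scan_key_dir(const char *dir, uid_t uid, int (*check)(int fd))
{
    struct dirent *de;
    struct stat st;
    int fd, found = 0;
    DIR *d = opendir(dir);
    if (d == NULL || fstat(dirfd(d), &st) != 0 || !owner_mode_ok(&st, uid)) {
        if (d != NULL)
            closedir(d);
        return -1;
    }
    while (!found && (de = readdir(d)) != NULL) {
        if (!key_filename_ok(de->d_name))
            continue;
        /* O_NOFOLLOW plus fstat on the fd: no symlink hop, no stat/open race. */
        fd = openat(dirfd(d), de->d_name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
        if (fd < 0)
            continue;
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && owner_mode_ok(&st, uid))
            found = (check(fd) == 1);
        close(fd);
    }
    closedir(d);
    return found;
}
```
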
On Sat, Jun 02, 2001 at 11:54:24AM +0300, Pekka Savola wrote:
> Root would not be the only one to profit from this; you would only need to
> copy the pubkey file in the right dir (with a descriptive name if you
> like!), and authorization would work without file editing. Also, if you
> need to refresh just one key, you could just scp that one over, no need
> to edit the file either.

i don't understand why editing a file is hard. i think keeping a file in sync is simpler than syncing directories, especially deleting files.

> What do you think -- would this be useful? Bloat? Could it be considered
> to be merged if it was implemented?

i don't think it's useful. ssh.com switched to a-key-per-file, but openssh and the traditional ssh use a-key-per-line and i don't want to support 2 different ways of doing things.

> Btw, I noticed when comparing auth-rsa.c/auth2.c that auth2.c does not
> print debug message:
> --- openssh-cvs/auth2.c Sat Jun 2 11:14:21 2001 > +++ openssh.fix/auth2.c Sat Jun 2 11:13:40 2001 > @@ -26,6 +28,8 @@ > if (!f) { > /* Restore the privileged uid. */ > restore_uid(); > + packet_send_debug("Could not open %.900s for reading.", file); > + packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); > return 0; > } > if (options.strict_modes) {
>
> was this left out by design, or a leftover in auth-rsa.c ?

they should be merged, and in the future, i don't want to see debug messages before a user is authenticated.

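
Review bot: The two added packet_send_debug() calls in the `if (!f)` branch send the server-side path held in `file`, and the fact that it could not be opened, to the connecting client while the key check is still in progress, which is the pre-authentication output the reply above objects to. Record the failure in the server's own log instead (for example with debug()), and if a hint must still reach the client, leave the `%.900s` path out of it. The second message also advises making a home directory world-readable with no qualification; a comment in the code saying when that advice applies would help whoever merges the auth-rsa.c and auth2.c copies.
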
On Mon, 4 Jun 2001, Markus Friedl wrote:
>
> right now openssh is already a little bit too fat,
> since i did accept too many patches in the past :)
>
> so, perhaps, we should only add patches if they remove lines from
> openssh and make everything _simpler_.
>
> remember, this is a security program:
>
> "complexity is the enemy"

Too much simplicity will also hinder usability, unfortunately. Some like programs simpler than others; many think OpenBSD takes KISS paradigm sometimes too far -- others like it that way. The extent of features optimally included depends on the application. I consider ssh one of those that needs more than the average. Just my humble IMO of course.

It would be nice if it was possible to get the main ssh/sshd thinner, and put more functionality in completely non-privileged "modules". That way security-critical code hopefully could be minimized and cleaned, while keeping the usability and most features in.

--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"Tell me of difficulties surmounted, not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords

> Too much simplicity will also hinder usability, unfortunately. Some like
> programs simpler than others; many think OpenBSD takes KISS paradigm
> sometimes too far -- others like it that way. The extent of features
> optimally included depends on the application. I consider ssh one of
> those that needs more than the average. Just my humble IMO of course.
>
> It would be nice if it was possible to get the main ssh/sshd thinner, and
> put more functionality in completely non-privileged "modules". That way
> security-critical code hopefully could be minimized and cleaned, while
> keeping the usability and most features in.

If any of you put in 1% of the work Markus has put in, we would listen to you.

Am I being harsh?

Yes. Am I being realistic? Yes.

On Mon, Jun 04, 2001 at 03:40:58PM -0600, Theo de Raadt wrote:
> If any of you put in 1% of the work Markus has put in, we would listen to
> you.
>
> Am I being harsh?
>
> Yes. Am I being realistic? Yes.

Just the same as in many projects. Many demands, no help.

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com