Harald Dunkel
2007-Jul-13 07:17 UTC
Cygwin: store authorized_keys in /etc/ssh/user/authorized_keys?
Hi folks,

If I try to log in on a Cygwin host via ssh, then my .ssh on a network drive is inaccessible until I log in. I have to enter my password, even if my authorized_keys would allow me to log in without. This is fatal, since it forces me to use an interactive session for working on a Windows host. Unusable for automatic builds and tests managed from a central machine, for example.

There is no such restriction if I create local accounts on every Cygwin PC, using local disks for $HOME/.ssh. Highly inefficient and troublesome, I have to rsync my data again and again, but it works.

Would it be possible to extend auth2-pubkey.c to look in /cde/ssh/$LOGNAME/authorized_keys for the public key, in addition to the user's .ssh directory? Of course the usual access restrictions should be checked. And it should be made a configure option for the ssh server. I don't want to change the default behavior.

This would be a rough patch, just to give you an idea:

--- auth2-pubkey.c~ 2006-08-05 04:39:39.000000000 +0200 +++ auth2-pubkey.c 2007-07-13 09:07:40.000000000 +0200 @@ -282,6 +282,17 @@ file = authorized_keys_file2(pw); success = user_key_allowed2(pw, key, file); xfree(file); + if (success) + return success; + +#if SUPPORT_LOCAL_AUTHORIZED_KEYS + /* look in system ssh directory for authorized keys */ + file = xmalloc(4096); + snprintf(file, 4096, "/etc/ssh/allowed_users/%s/authorized_keys", pw->pw_name); + success = user_key_allowed2(pw, key, file); + xfree(file); +#endif + return success; }

Please keep me on CC:, since I am not subscribed to this list.

Regards

Harri

--
CoWare, Inc.            | Barbarus hic ergo sum, quia non
Harald Dunkel           | intellegor ulli.
Grüner Weg 1            |
52070 Aachen, Germany   | Ovid
(+49) 241 943 788 107   |
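Review bot: The fallback path inside the `#if SUPPORT_LOCAL_AUTHORIZED_KEYS` block is hard-coded as "/etc/ssh/allowed_users/%s/authorized_keys" and chosen at compile time, while the message asks for a server configuration option and names a different directory (/cde/ssh/$LOGNAME); the location should come from the server configuration so the administrator decides where keys live. The snprintf() into the fixed 4096-byte xmalloc() buffer ignores its return value, so a truncated path would be handed to user_key_allowed2() without notice; compare the result against the buffer size and skip the lookup on truncation. pw->pw_name is also placed into the path unchecked, and because this directory lies outside the user's home, a comment should state which ownership and mode checks user_key_allowed2() applies to such a path.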
Darren Tucker
2007-Jul-13 12:10 UTC
Cygwin: store authorized_keys in /etc/ssh/user/authorized_keys?
Harald Dunkel wrote:
> Hi folks,
>
> If I try to log in on a Cygwin host via ssh, then my
> .ssh on a network drive is inaccessible until I log in.
> I have to enter my password, even if my authorized_keys
> would allow me to log in without. This is fatal, since it
> forces me to use an interactive session for working on a
> Windows host. Unusable for automatic builds and tests
> managed from a central machine, for example.
>
> There is no such restriction if I create local
> accounts on every Cygwin PC, using local disks for
> $HOME/.ssh. Highly inefficient and troublesome, I have
> to rsync my data again and again, but it works.
>
> Would it be possible to extend auth2-pubkey.c to
> look in /cde/ssh/$LOGNAME/authorized_keys for the
> public key, in addition to the user's .ssh directory?
> Of course the usual access restrictions should be
> checked. And it should be made a configure option
> for the ssh server. I don't want to change the default
> behavior.

Any reason you don't use the existing AuthorizedKeysFile knob in sshd_config? e.g. "AuthorizedKeysFile /etc/ssh/keys/%u"

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
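An added example, not part of the thread or of OpenSSH: with keys moved to a shared directory such as /etc/ssh/keys/%u, whoever can write there can grant logins, so this sketch expands the AuthorizedKeysFile tokens %u, %h and %% and audits the resulting file and its directories. The function names, the temp-directory layout and the ownership rule (owner in an allowed set, no group or world write) are assumptions of this example.

```python
import os
import stat
import tempfile

def expand_keys_path(pattern, user, home):
    """Expand the %u, %h and %% tokens of an AuthorizedKeysFile value."""
    if not user or "/" in user or "\\" in user or user in (".", ".."):
        raise ValueError("user name is not safe to place in a path")
    table = {"u": user, "h": home, "%": "%"}
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "%" and i + 1 < len(pattern) and pattern[i + 1] in table:
            out.append(table[pattern[i + 1]])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)

def audit_key_file(path, base, allowed_uids):
    """List ownership/mode problems for path and every directory up to base."""
    path, base = os.path.realpath(path), os.path.realpath(base)
    if os.path.commonpath([path, base]) != base:
        return [f"{path}: outside {base}"]
    problems, current = [], path
    while True:
        st = os.stat(current)
        if st.st_uid not in allowed_uids:
            problems.append(f"{current}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{current}: group- or world-writable")
        if current == base:
            return problems
        current = os.path.dirname(current)

def demo():
    """Constructed layout in a temp directory standing in for /etc/ssh/keys."""
    with tempfile.TemporaryDirectory() as base:
        os.chmod(base, 0o755)
        key_file = expand_keys_path(os.path.join(base, "%u"), "alice", "/home/alice")
        with open(key_file, "w") as fh:
            fh.write("ssh-ed25519 CONSTRUCTED-PLACEHOLDER-KEY alice@example\n")
        os.chmod(key_file, 0o644)
        clean = audit_key_file(key_file, base, {os.getuid()})
        os.chmod(key_file, 0o666)  # any local user could now append a key
        loose = audit_key_file(key_file, base, {os.getuid()})
        return clean, loose

if __name__ == "__main__":
    print(demo())
```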