Luciano Bello
2010-Apr-11 20:16 UTC
[PATCH] AuthorizedKeysFile: tokens for type and fingerprint
Hello all,
There are some scenarios where is useful to storage one key per authorized_keys
in an OpenSSH server. This is particularly true in gitosis cases. It manages
multiple repositories under the same user account and it may have escalation
problems. In our case, the keys are stored in a MySQL database and queried by a
fuse application when the authorized file is requested by OpenSSH. Of course we
wanted to minimized the size of the query response.
That's why we wrote the attached patch. It allows to use two new tokens in
the
AuthorizedKeysFile sshd_config option:
* %t, user pubkey type
* %f, user pubkey fingerprint
So, "AuthorizedKeysFile ~/%t-%f.pubkey" will look for the key at
~/RSA-e9:6e:a0:72:c6:a3:29:f6:bd:79:f2:f8:e0:08:b4:14.pubkey.
Maybe you have your own scenario where this may be useful. It would be nice if
you put this code in.
thanks, luciano
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fp_token.patch
Type: text/x-diff
Size: 2990 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20100411/c3e6bfdc/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20100411/c3e6bfdc/attachment-0003.bin>
Seemingly Similar Threads
- [Bug 1747] New: AuthorizedKeysFile not working as advertised
- AuthorizedKeysFile
- [Bug 2755] New: [PATCH] sshd_config: allow directories in AuthorizedKeysFile=
- [Bug 2490] New: allow to set AuthorizedKeysFile none
- [Bug 412] New: AuthorizedKeysFile assumes home directory access upon authentication
Wisdom of the Ancients
