Hi devs,

recently I had to replace authorized_keys on several systems to enforce an access policy change.
I was badly surprised that authorized_keys2(!) was still processed, which allowed some old keys to enter the systems again, because I wasn't aware of the file's existence on the server and its use by sshd, since this "backward compatibility" isn't documented, not even a historical reference about "obsolete" or "deprecated".

Maybe it's time to drop the old stuff not to get haunted by such leftovers again.

Thanks, regards,
Rado

-- 
Rado S. -- You must provide YOUR effort for your goal!
EVERY effort counts: at least to show your attitude.
You're responsible for ALL you do: you get what you give.
On Mon, 9 May 2011, Rado S wrote:
> Hi devs,
>
> recently I had to replace authorized_keys on several systems to
> enforce an access policy change.
> I was badly surprised that authorized_keys2(!) was still processed,
> which allowed some old keys to enter the systems again, because I
> wasn't aware of the file's existence on the server and its use by sshd,
> since this "backward compatibility" isn't documented, not even a
> historical reference about "obsolete" or "deprecated".
>
> Maybe it's time to drop the old stuff not to get haunted by such
> leftovers again.

Good point - I just committed a change to remove it for openssh-5.9

-d
On Sun, 15 May 2011, Daniel Kahn Gillmor wrote:
> It seems somewhat unclear how AuthorizedKeysFile interacts with a Match
> clause.
>
> If the following makes an array of two authorizedkeysfiles:
>
> AuthorizedKeysFile foo
> AuthorizedKeysFile bar

So the question is whether to allow multiple directives that add to the list (as is the case in the slightly-broken patch I sent out yesterday) or to allow a single directive that specifies all the files on one line.

The latter is more clear for Match, but long lines are more likely to wrap and are harder to read in sshd_config. That being said, there is plenty of room for the common cases that I can think of:

    AuthorizedKeysFile .ssh/authorized_keys
    AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
    AuthorizedKeysFile /etc/ssh/authorized_keys/keys_%u .ssh/authorized_keys

So maybe all-keys-on-one-line is better.

-d
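The practical question behind this thread is "which files will sshd actually read for a given user?" The script below is an added example written for this page; it is not code from the thread and not OpenSSH's own parser. It models the directive the way the thread settles on: one AuthorizedKeysFile line naming several files, %h/%u/%% expansion, relative paths anchored at the user's home directory, sshd_config's first-value-wins rule for repeated keywords, and a Match User block overriding the global list. Assumptions, labelled in the code: only "Match User" with exact (non-wildcard) names is understood, and when no directive is present the pre-5.9 default of authorized_keys plus authorized_keys2 is assumed; the user name "rado" and the key lines in the demo are constructed placeholders.

```python
"""Which authorized-keys files would sshd consult for a user?

Added example for this thread; not code from the thread or from OpenSSH.
Assumptions: only "Match User" criteria (exact names) are understood, and
the pre-5.9 default list is used when the directive is absent.
"""
import os
import tempfile

# Pre-5.9 behaviour assumed when nothing is configured: both files are read.
PRE_59_DEFAULT = [".ssh/authorized_keys", ".ssh/authorized_keys2"]


def parse_authorized_keys_files(config_text):
    """Return (global_files, {user: files}) from sshd_config text.

    Mirrors sshd_config's rule that the first value obtained for a keyword
    wins, both globally and within a Match User block.
    """
    global_files = None
    per_user = {}
    match_users = None  # None = outside any Match block
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "match":
            match_users = []  # a Match block without a User criterion is ignored (assumption)
            crit = parts[1:]
            for i in range(0, len(crit) - 1, 2):
                if crit[i].lower() == "user":
                    match_users = crit[i + 1].split(",")
            continue
        if keyword != "authorizedkeysfile":
            continue
        if match_users is None:
            if global_files is None:
                global_files = parts[1:]
        else:
            for user in match_users:
                per_user.setdefault(user, parts[1:])
    if global_files is None:
        global_files = PRE_59_DEFAULT
    return global_files, per_user


def expand_path(path, user, home):
    """Expand %h, %u and %% and anchor relative paths at the home directory."""
    out, i = [], 0
    while i < len(path):
        if path[i] == "%" and i + 1 < len(path):
            token = path[i + 1]
            if token == "%":
                out.append("%")
            elif token == "h":
                out.append(home)
            elif token == "u":
                out.append(user)
            else:
                raise ValueError("unknown token %%%s in %s" % (token, path))
            i += 2
        else:
            out.append(path[i])
            i += 1
    expanded = "".join(out)
    return expanded if os.path.isabs(expanded) else os.path.join(home, expanded)


def files_for_user(config_text, user, home):
    """Absolute paths sshd would read for this user, in configured order."""
    global_files, per_user = parse_authorized_keys_files(config_text)
    return [expand_path(f, user, home) for f in per_user.get(user, global_files)]


def count_keys(path):
    """Number of key lines in a file (0 if missing); blanks and comments skipped."""
    if not os.path.isfile(path):
        return 0
    with open(path) as fh:
        return sum(1 for ln in fh if ln.strip() and not ln.lstrip().startswith("#"))


def audit(config_text, user, home):
    """[(path, key_count)] for every file sshd would consult for the user."""
    return [(p, count_keys(p)) for p in files_for_user(config_text, user, home)]


def demo():
    """Constructed scenario from the thread: a forgotten authorized_keys2."""
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, ".ssh"))
    # Constructed placeholder key lines, not real keys.
    with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as fh:
        fh.write("ssh-ed25519 AAAAC3-placeholder current@example\n")
    with open(os.path.join(home, ".ssh", "authorized_keys2"), "w") as fh:
        fh.write("# old keys nobody remembered\n"
                 "ssh-rsa AAAAB3-placeholder old1@example\n"
                 "ssh-rsa AAAAB3-placeholder old2@example\n")
    implicit = ""  # nothing configured: pre-5.9 default applies
    explicit = "AuthorizedKeysFile .ssh/authorized_keys\n"  # one file, one line
    before = [n for _, n in audit(implicit, "rado", home)]
    after = [n for _, n in audit(explicit, "rado", home)]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("pre-5.9 default consults:", before)  # [1, 2]: two stale keys admitted
    print("explicit single file   :", after)   # [1]
```

The demo reproduces Rado's surprise: with no directive, sshd reads both files and the two forgotten keys in authorized_keys2 still grant access; an explicit one-line AuthorizedKeysFile makes the set of consulted files visible in sshd_config rather than relying on a default that may change between releases.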