Maurice Bos
2012-Aug-30 22:26 UTC
Patch to allow glob patterns as authorized keys file names
Hello, The patch below allows one to configure not only files like "%h/.ssh/authorized_keys" to be used, but also patterns like "%h/.ssh/authorized_keys.d/*". This can be quite useful if somebody or something has to manage an above average number of keys, like when running a git server that determines the user based on the ssh key. (Like what they do at github.com, and what Gitolite does.) Kind regards, -Maurice Bos- Author: Maurice Bos <m-ou.se at m-ou.se> Date: Thu Aug 30 15:14:49 2012 +0200 Allow glob patterns in authorized keys file names. diff --git a/auth2-pubkey.c b/auth2-pubkey.c --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -454,9 +454,16 @@ user_key_allowed(struct passwd *pw, Key *key) return success; for (i = 0; !success && i < options.num_authkeys_files; i++) { + int j; + glob_t glob_result; file = expand_authorized_keys( options.authorized_keys_files[i], pw); - success = user_key_allowed2(pw, key, file); + glob(file, GLOB_NOCHECK, NULL, &glob_result); + for (j = 0; !success && j < glob_result.gl_pathc; j++) { + char *f = glob_result.gl_pathv[j]; + success = user_key_allowed2(pw, key, f); + } + globfree(&glob_result); xfree(file); }
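Review bot: The return value of glob(file, GLOB_NOCHECK, NULL, &glob_result) in the loop of user_key_allowed() is ignored, so a GLOB_NOSPACE or GLOB_ABORTED failure is treated the same as a successful expansion; check the result, log the error and go straight to xfree(file) when it is non-zero. Because the pattern is matched after expand_authorized_keys() has substituted its tokens, any `*`, `?` or `[` that arrives through the expanded home directory or user name is now interpreted as a wildcard instead of a literal path character, which changes the meaning of existing configurations; escape the expanded portion or restrict globbing to the configured part of the path. glob() is also called here, outside user_key_allowed2(), so confirm that the directory scan runs with the same privileges as the later open of each key file. Smaller points: j is declared int but compared against gl_pathc, which is size_t, and the patch touches only auth2-pubkey.c, so the AuthorizedKeysFile entry in sshd_config(5) still needs text describing pattern support and the order in which matched files are tried.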
Christoph Anton Mitterer
2012-Sep-01 13:43 UTC
Patch to allow glob patterns as authorized keys file names
Hey. Great. Is this going to be merged upstream? Cheers, Chris.