Andrei Gherzan
2019-May-21 09:53 UTC
Authenticate against key files before AuthorizedKeysCommand
Hello, On 20/05/2019 19.24, Morgan, Iain (ARC-TN)[InuTeq, LLC] wrote:> Couldn't you accomplish the same thing with your AuthorizedKeysCommand? You could have it check for local authorized_keys files first, and then only fall back to the cloud if necessary. Depending on how complex you are willing to make the AuthorizedKeysCommand, you could implement some form of caching to further reduce the dependency on the cloud.Sadly that doesn't work because the AuthorizedKeysCommand output is buffered and afterwards checked against the key. See: https://github.com/openssh/openssh-portable/blob/master/auth2-pubkey.c#L883 . -- Andrei Gherzan gpg: rsa4096/D4D94F67AD0E9640 | t: @agherzan