Re: OpenSSH 6.2 AuthorizedKeysCommand

Jason A. Donenfeld

May 17, 2013, 11:01:18 PM
to gito...@googlegroups.com

OpenSSH 6.2 now offers AuthorizedKeysCommand. From the changelog [1]:

* sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
support fetching authorized_keys from a command in addition to (or
instead of) from the filesystem. The command is run under an account
specified by an AuthorizedKeysCommandUser sshd_config(5) option.

This might be a nice thing for gitolite to use, instead of what it
currently does with managing the flat text file.


Thoughts?

Sitaram Chamarty

May 17, 2013, 11:27:53 PM
to Jason A. Donenfeld, gitolite
Gitolite has a policy that -- once you have installed git and perl --
you don't need root for anything to do with gitolite. This would
require root.

People who want to use it can do so in several ways but what does it
*achieve*? How does it actually help?

It would have been nice if, instead of only the unix username (usually
"git") being passed to the program, they would also pass along the
fingerprint of the offered key. Now *that* would make the whole thing
suddenly *very* interesting, because you'd no longer be limited by
linear scan of the public keys in the authkeys file (or output of this
command). Your program would do a database lookup and return only the
one key that matches (or none if none matched).

When I first read about this feature a few months ago, I sorta
assumed *this* is what they were doing and I was drooling. Until I
read the details.
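As an added example (not gitolite's code and not from either poster), here is what a minimal AuthorizedKeysCommand helper for the setup Jason describes looks like under the 6.2 behaviour Sitaram points out: sshd hands the command only the unix username, so the script has to emit every key it knows about in gitolite's restricted authorized_keys form, and sshd then scans that output linearly for the offered key. Everything about the layout is an assumption: one public key file per gitolite user in a key directory, the gitolite-shell path, the hosting user "git", and a dedicated low-privilege account "gl-keys" for AuthorizedKeysCommandUser.

```shell
#!/bin/sh
# Added example, not gitolite code: an AuthorizedKeysCommand helper for
# OpenSSH 6.2, which passes exactly one argument, the unix username.
#
# Assumed (hypothetical) layout: one public key file per gitolite user in
# $KEYDIR, e.g. $KEYDIR/alice.pub. The gitolite username is the file name.
# Every emitted line carries the forced command and the no-* options that
# gitolite itself writes into authorized_keys, so a matching key only ever
# reaches gitolite-shell, never a login shell.
#
# sshd_config fragment that would call this script. sshd requires the command
# to be an absolute path, owned by root and not group/world writable, and runs
# it as the (assumed) unprivileged AuthorizedKeysCommandUser, which only needs
# read access to the key directory:
#   AuthorizedKeysCommand /usr/local/sbin/gitolite-authkeys
#   AuthorizedKeysCommandUser gl-keys

set -u

GITOLITE_SHELL="${GITOLITE_SHELL:-/home/git/bin/gitolite-shell}"   # assumed path
GITOLITE_USER="${GITOLITE_USER:-git}"                              # hosting account

# emit_keys SSH_USER KEYDIR
# Prints one restricted authorized_keys line per key found in KEYDIR.
# Prints nothing for any unix user other than the hosting account: gitolite
# keys belong to that one account, so no other login may be granted by them.
emit_keys() {
    ssh_user=$1
    keydir=$2

    [ "$ssh_user" = "$GITOLITE_USER" ] || return 0
    [ -d "$keydir" ] || return 0

    for f in "$keydir"/*.pub; do
        [ -f "$f" ] || continue
        gl_user=$(basename "$f" .pub)
        # The username is interpolated into command="...", so refuse anything
        # outside a conservative character set (quotes, spaces, etc.).
        case $gl_user in
            *[!A-Za-z0-9._@-]*) continue ;;
        esac
        # Accept only "type blob [comment]" lines; drop comments, blank lines
        # and any line that already carries options. The comment is discarded.
        while read -r ktype kblob _comment || [ -n "$ktype" ]; do
            case $ktype in
                ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
                *) continue ;;
            esac
            [ -n "$kblob" ] || continue
            printf 'command="%s %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s\n' \
                "$GITOLITE_SHELL" "$gl_user" "$ktype" "$kblob"
        done < "$f"
    done
}

# Constructed sample data for a stand-alone run; the blobs are placeholders,
# not real keys. Returns the directory path.
make_sample_keydir() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAliceKeyBlob alice@laptop\n' > "$d/alice.pub"
    printf '# comment line that must be ignored\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedBobKeyBlob\n' > "$d/bob.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EConstructedBlob\n' > "$d/bad name.pub"   # rejected: unsafe name
    printf '%s\n' "$d"
}

# sshd invokes the command with a single argument, the unix username.
if [ $# -eq 1 ]; then
    emit_keys "$1" "${KEYDIR:-/home/git/keydir}"   # assumed key directory
fi
```

Because 6.2 gives the command nothing but the username, the script cannot do the one-key lookup Sitaram describes; it emits the whole set and sshd does the same linear match it would do against a flat authorized_keys file, which is why the gain over gitolite's existing approach is small. The forced command and no-* options are the same ones gitolite writes itself; the username whitelist matters because the name is interpolated inside the command="..." quoting.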