
[#731] Use AuthorizedKeysCommand instead of replicating ~/.ssh/authorized_keys on the filesystem

Date:
2014-09-12 10:06
Priority:
3
State:
Closed
Submitted by:
Sylvain Beucler (beuc-inria)
Assigned to:
Sylvain Beucler (beuc-inria)
Resolution:
none
Difficulty:
none
Target release:
6.0
Summary:
Use AuthorizedKeysCommand instead of replicating ~/.ssh/authorized_keys on the filesystem

Detailed description
The new sshd_config AuthorizedKeysCommand is present officially in OpenSSH 6.6, Debian Wheezy backports, CentOS 6 (early redhat-specific patch), so about everywhere.

This will make user ssh keys uploads effective *immediately*.


Documentation:

AuthorizedKeysCommand
Specifies a program to be used to look up the user's public keys.
The program must be owned by root and not writable by group or
others. It will be invoked with a single argument of the username
being authenticated, and should produce on standard output
zero or more lines of authorized_keys output (see AUTHORIZED_KEYS
in sshd(8)). If a key supplied by AuthorizedKeysCommand does not
successfully authenticate and authorize the user then public key
authentication continues using the usual AuthorizedKeysFile
files. By default, no AuthorizedKeysCommand is run.

AuthorizedKeysCommandUser # AuthorizedKeysCommandRunAs on CentOS
Specifies the user under whose account the AuthorizedKeysCommand
is run. It is recommended to use a dedicated user that has no
other role on the host than running authorized keys commands.
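The mechanism the man page excerpt above describes, as an added example that is not FusionForge's own code: a lookup script sshd invokes as AuthorizedKeysCommand with the username as its only argument, emitting authorized_keys lines on stdout, plus a check for the root-ownership and permission rule sshd enforces on that program. The script path, the `nobody` run-as user, the tab-separated key store and the sample users and keys are constructed stand-ins for the forge database a real deployment would query.

```shell
#!/bin/sh
# Added example (not FusionForge's code). sshd_config lines that would wire it in
# (the path and run-as user are assumptions):
#   AuthorizedKeysCommand /usr/local/sbin/forge-authorized-keys
#   AuthorizedKeysCommandUser nobody    # AuthorizedKeysCommandRunAs on CentOS 6
# sshd runs the program with exactly one argument, the username being
# authenticated, and reads zero or more authorized_keys lines from stdout.

TAB=$(printf '\t')

# Constructed key store standing in for the forge database: "user<TAB>key" per
# line. The keys below are placeholders, not real public keys.
KEYSTORE="${KEYSTORE:-$(mktemp)}"
if [ ! -s "$KEYSTORE" ]; then
    printf 'alice\tssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITESTKEYALICE1 alice@laptop\n' > "$KEYSTORE"
    printf 'alice\tssh-rsa AAAAB3NzaC1yc2ETESTKEYALICE2 alice@desk\n' >> "$KEYSTORE"
    printf 'bob\tssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITESTKEYBOB bob@host\n' >> "$KEYSTORE"
fi

# Accept only a plain lowercase POSIX username; sshd passes the name the client
# claimed, so anything else yields no keys rather than reaching the lookup.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Print the authorized_keys lines for the user named in $1. Each line is
# prefixed with restrictive key options so a forge key cannot be used for
# port or agent forwarding. Unknown users produce empty output.
lookup_keys() {
    valid_username "$1" || return 1
    awk -F "$TAB" -v u="$1" \
        '$1 == u { print "no-port-forwarding,no-X11-forwarding,no-agent-forwarding " $2 }' \
        "$KEYSTORE"
}

# The rule from the man page: the command must be owned by root and not
# writable by group or others, otherwise sshd refuses to run it.
# Parses `ls -ldL` output: field 1 is the mode string, field 3 the owner.
command_is_safe() {
    set -- $(ls -ldL "$1")
    case "$1" in
        ?????w*|????????w*) return 1 ;;   # group- or other-writable
    esac
    [ "$3" = root ]
}

if [ "$#" -eq 1 ]; then
    lookup_keys "$1"
fi
```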
Date: 2014-09-17 07:53
Sender: Sylvain Beucler

Pushed via 6fa149197b105c7b9c2c70d6973a8eae304451d9

Date: 2014-09-16 14:54
Sender: Sylvain Beucler

Pushed for review - cf.
https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=dd9d741c31245da764608f60505dacf11dd2b01e

Note that I'm ditching the previous cronjob.

Date: 2014-09-15 12:49
Sender: Sylvain Beucler

Agreed to switch to this method on IRC Meeting 2014-09-12.

Field       Old Value   Date              By
status_id   Open        2014-09-17 07:53  beuc-inria
close_date  None        2014-09-17 07:53  beuc-inria