[#731] Use AuthorizedKeysCommand instead of replicating ~/.ssh/authorized_keys on the filesystem



Detailed description

The new sshd_config AuthorizedKeysCommand is present officially in OpenSSH 6.6, Debian Wheezy backports, CentOS 6 (early redhat-specific patch), so about everywhere.

This will make users' SSH key uploads effective immediately.


 AuthorizedKeysCommand
         Specifies a program to be used to look up the user's public keys.
         The program must be owned by root and not writable by group or
         others.  It will be invoked with a single argument of the
         username being authenticated, and should produce on standard output
         zero or more lines of authorized_keys output (see AUTHORIZED_KEYS
         in sshd(8)).  If a key supplied by AuthorizedKeysCommand does not
         successfully authenticate and authorize the user then public key
         authentication continues using the usual AuthorizedKeysFile
         files.  By default, no AuthorizedKeysCommand is run.

 AuthorizedKeysCommandUser  # AuthorizedKeysCommandRunAs on CentOS
         Specifies the user under whose account the AuthorizedKeysCommand
         is run.  It is recommended to use a dedicated user that has no
         other role on the host than running authorized keys commands.
General Information
Submitted by: Sylvain Beucler
Date Submitted: 2014-09-12 10:06
Last Modified by: Nobody
Last Modified: 2017-11-02 20:00
Date Closed: 2014-09-17 07:53
Permalink: https://fusionforge.org/tracker/a_follow.php/731
Votes: 0/1 (0%)
Internal Fields
Data Type: Feature requests
Assigned to: Sylvain Beucler (beuc-inria)
State: Closed
Priority: 3
Extra Fields
Target release:
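
An added example, not part of the original request and not FusionForge's own code: a helper that sshd could call through AuthorizedKeysCommand as described above. The key store directory, the install path and the dedicated account name are hypothetical, and emitting only bare key lines (no options) is an assumed policy.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand helper (added example, not FusionForge code).
# Matching sshd_config lines (path and account name are assumptions):
#   AuthorizedKeysCommand /usr/local/sbin/forge-authkeys
#   AuthorizedKeysCommandUser forge-authkeys  # AuthorizedKeysCommandRunAs on CentOS
# The script must be owned by root and not writable by group or others.

LC_ALL=C; export LC_ALL   # byte-wise character ranges in case patterns and grep

# Assumed layout: one file per user, written by the forge when a key is uploaded.
KEY_STORE="${KEY_STORE:-/var/lib/forge-authkeys}"

lookup_keys() {
    user=$1
    # The username is supplied by a client that has not authenticated yet.
    # Accept a conservative character set only, so it can never act as a
    # path ("../x", "a/b") or be mistaken for an option ("-x").
    case $user in
        ''|.*|-*|*[!a-z0-9_.-]*) return 0 ;;
    esac

    keyfile="$KEY_STORE/$user"
    # Unknown user or symlinked entry: print zero lines, sshd then falls
    # back to the usual AuthorizedKeysFile files.
    [ -f "$keyfile" ] && [ ! -L "$keyfile" ] || return 0

    # Emit only lines that are a bare "type base64 [comment]" public key;
    # comments, blank lines and lines carrying options are dropped.
    grep -E '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$' \
        "$keyfile" || true
}

# sshd invokes the program with a single argument: the username.
if [ "$#" -eq 1 ]; then
    lookup_keys "$1"
fi
```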
Date: 2014-09-17 07:53
Sender: Sylvain Beucler

Pushed via 6fa149197b105c7b9c2c70d6973a8eae304451d9

Date: 2014-09-16 14:54
Sender: Sylvain Beucler

Pushed for review - cf. https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=dd9d741c31245da764608f60505dacf11dd2b01e

Note that I'm ditching the previous cronjob.

Date: 2014-09-15 12:49
Sender: Sylvain Beucler

Agreed to switch to this method on IRC Meeting 2014-09-12.

Field | Old Value | Date | By
status_id | Open | 2014-09-17 07:53 | Sylvain Beucler
close_date | None | 2014-09-17 07:53 | Sylvain Beucler