openssh-unix-dev: Re: backdoor by authorized_keys2 leftovers

Re: backdoor by authorized_keys2 leftovers

From: Iain Morgan <imorgan_at_nospam>
Date: Wed May 11 2011 - 18:20:30 GMT
To: Ángel González <>

On Wed, May 11, 2011 at 12:24:16 -0500, Ángel González wrote:
> Iain Morgan wrote:
> > I was going to suggest something similar, but you beat me to it. :-)
> >
> > One scenario that could potentially be useful in a cluster environment
> > would be to allow per-host authorized_keys files. Support for the
> > following syntax might be useful:
> >
> > AuthorizedKeysFile %h/.ssh/authorized_keys.%H,%h/.ssh/authorized_keys
> >
> > where '%H' would be expanded as the server's hostname. (I don't
> > particularly like '%H', but '%h' is already used.)
> >
> > This would allow clusters which use a shared home filesystem to have
> > authorized_keys files which are tailored for a specific host and the
> > capability to fall back to a more generic file in the absence of a
> > host-specific one.
> >
> > By the way, I applaud getting rid of the old cruft.
> To fall back? As I understood it, they would be additive.

By "fall back," I didn't necessarily mean "stop at the first file," but
there might be some scenarios where that behaviour is desirable.
However, most of the discussion on this list has been with the
expectation that all files would be examined.
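
The difference between the two readings discussed in this thread ("stop at the first file" versus examining all files), as an added sketch that is not part of the original messages and is not OpenSSH code. The `%H` token is only the proposal quoted above; the host names, key lines and function names are constructed for illustration.

```python
import os
import re
import tempfile

# Directive as proposed in the thread (comma-separated). %H is the proposal's
# server-hostname token, assumed here for illustration.
PROPOSED = "%h/.ssh/authorized_keys.%H,%h/.ssh/authorized_keys"

def expand(pattern, home, hostname):
    # %h = home directory, %H = server hostname (proposed); unknown tokens raise KeyError.
    table = {"h": home, "H": hostname, "%": "%"}
    return re.sub(r"%(.?)", lambda m: table[m.group(1)], pattern)

def read_keys(path):
    # Return the set of key lines in path, or None if the file does not exist.
    try:
        with open(path) as fh:
            lines = [ln.strip() for ln in fh]
    except FileNotFoundError:
        return None
    return {ln for ln in lines if ln and not ln.startswith("#")}

def accepted_keys(directive, home, hostname, additive):
    # additive=True: union of every listed file; False: only the first file that exists.
    accepted = set()
    for pattern in directive.split(","):
        keys = read_keys(expand(pattern, home, hostname))
        if keys is None:
            continue
        accepted |= keys
        if not additive:
            break
    return accepted

def demo():
    # Shared home directory with a host-specific file for node1 only (constructed data).
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        files = {"authorized_keys.node1": "ssh-ed25519 CONSTRUCTED-HOST-KEY ops@node1\n",
                 "authorized_keys": "ssh-ed25519 CONSTRUCTED-GENERIC-KEY user@laptop\n"}
        for name, body in files.items():
            with open(os.path.join(ssh_dir, name), "w") as fh:
                fh.write(body)
        return {(host, additive): accepted_keys(PROPOSED, home, host, additive)
                for host in ("node1", "node2") for additive in (True, False)}

if __name__ == "__main__":
    for (host, additive), keys in sorted(demo().items()):
        print(host, "additive" if additive else "first-file", sorted(keys))
```

Under the additive reading, a key left in the generic file is still accepted on node1 even though node1 has its own file; only the first-file reading lets a host-specific file narrow access.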

