On 10/09/2014 02:38 PM, Micah Cowan wrote:
> Hello. My employer (Akamai Technologies) had a case where they wanted to
> manage a large number (tens of thousands) of authorized keys for a
> single user.
>
> I'm sure there may be alternatives to that sort of use case, but at any
> rate it was decided that the simplest way to proceed would be to use
> OpenSSH's AuthorizedKeysCommand config option, with the extension that
> the attempted key's fingerprint would be placed in the environment of
> the command, so that it could use it as an index, and limit its output
> to only the relevant key, so that OpenSSH wouldn't spin around,
> linearly processing large number of keys to be thrown away in a moment.

Thanks for working on this, Micah, and for publishing your patch.

are you aware of:

  https://bugzilla.mindrot.org/show_bug.cgi?id=2081

This feedback should probably go to that bug report.

fwiw, i think if we're supplying the key, there's no sense in supplying
just the fingerprint -- go ahead and supply the whole key, and let the
authorizedkeyscommand do whatever digesting it wants to do.

  --dkg
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
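An added example (not from the thread and not OpenSSH code): an AuthorizedKeysCommand-style helper that follows the suggestion above of receiving the whole key and doing its own digesting, so it emits at most one matching line instead of tens of thousands. It assumes the key type and base64 key blob arrive as arguments; the index layout, function names and sample keys are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in OpenSSH's display form (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(blob: bytes):
    """Read the key type that the public key blob itself declares."""
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or len(blob) < 4 + n:
        return None
    return blob[4:4 + n].decode("ascii", "replace")

def build_index(lines):
    """Map fingerprint -> authorized_keys line (hypothetical in-memory store)."""
    return {fingerprint(base64.b64decode(l.split()[1])): l for l in lines}

def lookup(index, key_type: str, key_b64: str):
    """Return the single authorized_keys line for the offered key, or None."""
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError):
        return None                      # malformed input: output nothing
    if blob_key_type(blob) != key_type:
        return None                      # claimed type disagrees with blob
    line = index.get(fingerprint(blob))
    if line is None:
        return None
    # The digest is only the index; confirm the stored key is byte-identical.
    if base64.b64decode(line.split()[1]) != blob:
        return None
    return line

# Constructed sample blobs (wire-format shaped, not real keys).
KEY_A = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KEY_B = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))
AUTHORIZED = ["ssh-ed25519 " + base64.b64encode(KEY_A).decode() + " constructed-key-a"]
INDEX = build_index(AUTHORIZED)
```

Because the helper sees the full key, it can pick its own digest for indexing and still compare the stored blob byte for byte before printing anything.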