Re: Feature rqst/Patch: Attempted key's fp in env to AuthorizedKeysCommand

On 10/09/2014 02:38 PM, Micah Cowan wrote:
> Hello. My employer (Akamai Technologies) had a case where they wanted to
> manage a large number (tens of thousands) of authorized keys for a
> single user.
> 
> I'm sure there may be alternatives to that sort of use case, but at any
> rate it was decided that the simplest way to proceed would be to use
> OpenSSH's AuthorizedKeysCommand config option, with the extension that
> the attempted key's fingerprint would be placed in the environment of
> the command, so that it could use it as an index, and limit its output
> to only the relevant key, so that OpenSSH wouldn't spin around,
> linearly processing a large number of keys to be thrown away in a moment.

Thanks for working on this, Micah, and for publishing your patch. Are
you aware of:

  https://bugzilla.mindrot.org/show_bug.cgi?id=2081

This feedback should probably go to that bug report.

fwiw, i think if we're supplying the key, there's no sense in supplying
just the fingerprint -- go ahead and supply the whole key, and let the
authorizedkeyscommand do whatever digesting it wants to do.

	--dkg

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
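
The approach discussed in this message (hand the helper the whole offered key and let it do its own digesting and indexed lookup), as an added example that is not part of the thread and is not code from either poster or from OpenSSH. It assumes the key type and base64 key arrive as arguments via the sshd_config `%t` and `%k` tokens rather than the environment variable proposed above; the function names, the in-memory index and the sample keys are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct
import sys

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def build_index(lines):
    """Map fingerprint -> authorized_keys line; stands in for a real store."""
    return {fingerprint(base64.b64decode(l.split()[1])): l for l in lines}

def lookup(key_type: str, b64_key: str, index) -> str:
    """Return the single matching authorized_keys line, or '' to deny."""
    try:
        blob = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError):
        return ""
    # The blob begins with its own type string; reject a mismatch.
    if not blob.startswith(ssh_string(key_type.encode())):
        return ""
    line = index.get(fingerprint(blob), "")
    # Compare the full key, not only its digest, before answering.
    if line and base64.b64decode(line.split()[1]) != blob:
        return ""
    return line

def sample_key(n: int) -> str:
    """Constructed fake ed25519 public-key blob (not a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([n]) * 32)
    return base64.b64encode(blob).decode()

# Constructed sample data; a deployment would query a database instead.
SAMPLE_LINES = [f"ssh-ed25519 {sample_key(n)} user{n}@example" for n in (1, 2, 3)]

if __name__ == "__main__":
    # Assumed invocation: AuthorizedKeysCommand /path/to/helper %t %k
    if len(sys.argv) == 3:
        match = lookup(sys.argv[1], sys.argv[2], build_index(SAMPLE_LINES))
        if match:
            print(match)  # one line out, however many keys are stored
```

Because the helper emits at most one line, sshd has nothing to scan linearly, and the helper is free to pick whatever digest its index uses.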
