On Sat, Jul 9, 2016 at 10:30 AM, Ben Lindstrom <mouring@xxxxxxxxxxxxx> wrote:
> You'd do this by either moving the authorized_keys to another root owned
> location using "AuthorizedKeysFile" (e.g. AuthorizedKeysFile
> /etc/ssh/keys/authorized_keys.%u). Or you use "AuthorizedKeysCommand" and
> put the keys into a "database" to reference them via a simple root-owned
> program.

Yeah, that's doable. It's very rare, though. Many people prefer not to
touch the default sshd_config if they can avoid it. And maintaining
those keys as the root user to lock these credentials may not be work
most admins want to take on.

> Personally I'd use the AuthorizedKeysCommand for this setup as it would
> provide for a better programmatic way of managing keys.
>
> - Ben

Then you have to write, or activate and maintain, yet another tool.
Feasible, but not many folks consider it worth the work. I've *done*
things like that, way back with some "one-time password" tools I used
back in the remote 9600 baud modem era.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
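
For reference, a sketch of the "simple root-owned program" approach discussed in the thread above. This is an added example, not code from either poster or from OpenSSH; the install path `/usr/local/sbin/ssh-keys-lookup`, the username pattern and the `owner_uid` parameter are assumptions, and the key directory reuses the `/etc/ssh/keys/authorized_keys.%u` layout quoted in the message.

```python
#!/usr/bin/env python3
"""Hypothetical AuthorizedKeysCommand helper (added example).

Assumed sshd_config lines:
    AuthorizedKeysCommand /usr/local/sbin/ssh-keys-lookup
    AuthorizedKeysCommandUser nobody
With no arguments listed, sshd passes the target username as the only
argument and reads authorized_keys-format lines from stdout.
"""
import os
import re
import stat
import sys

KEY_DIR = "/etc/ssh/keys"  # root-owned directory, as in the quoted path
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # conservative pattern (assumption)


def authorized_keys_for(user, key_dir=KEY_DIR, owner_uid=0):
    """Return key lines for `user`, or [] if anything looks unsafe."""
    if not USER_RE.fullmatch(user):
        return []  # rejects "../x", empty names and similar
    path = os.path.join(key_dir, "authorized_keys." + user)
    try:
        # O_NOFOLLOW: refuse a symlink planted in place of the key file
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return []
    with os.fdopen(fd, "r", encoding="utf-8", errors="replace") as fh:
        st = os.fstat(fh.fileno())  # check the opened file, not the path
        if not stat.S_ISREG(st.st_mode):
            return []
        if st.st_uid != owner_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return []  # someone other than the expected owner could edit it
        lines = [ln.strip() for ln in fh]
    return [ln for ln in lines if ln and not ln.startswith("#")]


def main(argv):
    if len(argv) != 2:
        return 1
    for line in authorized_keys_for(argv[1]):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Returning nothing on any failed check means sshd sees no keys for that user from this source, so a tampered or missing file fails closed.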