Use cases for different AuthorizedKeysCommand and AuthorizedKeysFile orders

Before OpenSSH 8, AuthorizedKeysCommand came before
AuthorizedKeysFile. From OpenSSH 8, AuthorizedKeysFile is always
before AuthorizedKeysCommand.

The determinate order is good for login behavior and security audit.

From the user side, can the order be set manually?


A real use case for making AuthorizedKeysCommand before AuthorizedKeysFile:

* The authorized_keys file is only used for emergency use.
* Every login is checked by the authorized keys command (it can use other
servers to auth through the network), and the command can return
"force nologin" to disable the keys in authorized_keys.
* In emergency cases (e.g. network failure, or command corruption), the
emergency key in authorized_keys can still be used to recover the
system.

If OpenSSH server can introduce an option like "AuthorizedKeysOrder
command,file", it would help a lot.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
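
One way to get the behaviour described in the message under a fixed file-then-command order, as an added example that is not part of the original post or of OpenSSH: disable file lookup and let the command itself fall back to an emergency key file only when the key server cannot be reached. The endpoint, file paths, helper names and the "404 means deny" convention are assumptions.

```python
"""AuthorizedKeysCommand helper sketch (added example, not OpenSSH code).

Assumed sshd_config, with hypothetical paths:
    AuthorizedKeysFile none
    AuthorizedKeysCommand /usr/local/sbin/akc-lookup %u
    AuthorizedKeysCommandUser akc
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

KEY_SERVER = "https://keys.example.internal/authorized/"  # hypothetical endpoint
EMERGENCY_FILE = "/etc/ssh/emergency_keys"                # hypothetical path


class Unreachable(Exception):
    """The key server gave no usable answer (outage, not a denial)."""


def fetch_remote(user, timeout=3):
    """Return the server's key lines for user; '' means the server denies them."""
    url = KEY_SERVER + urllib.parse.quote(user, safe="")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:
        if exc.code == 404:      # definite answer: no keys for this user
            return ""
        raise Unreachable(str(exc)) from exc
    except OSError as exc:       # DNS, connect, TLS or timeout failure
        raise Unreachable(str(exc)) from exc


def select_keys(user, fetch, emergency_file):
    """Server answer is authoritative; the emergency file is used only on outage."""
    try:
        return fetch(user)
    except Unreachable:
        try:
            with open(emergency_file, encoding="utf-8") as fh:
                return fh.read()
        except OSError:
            return ""            # no fallback file: nobody gets in


if __name__ == "__main__":
    sys.stdout.write(select_keys(sys.argv[1], fetch_remote, EMERGENCY_FILE))
```

Because the fallback lives inside the helper, this covers a network failure but not a broken helper. sshd also requires the command to be owned by root and not writable by group or others.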


