[Da-tools-discuss] Per user ssh key files patch

Mark Hymers mhy at debian.org
Wed Dec 26 22:54:09 UTC 2007


Hi,

As some of you may remember, there was a discussion about using per-user
ssh-key files instead of the current monolithic one.  The attached patch
implements this.  This, along with the shadow patch I committed earlier
today (and pam_mkhomedir), would allow us to move away from having to
have a patched openssh.

I haven't committed this to -common yet as I'd like comments on it.  I'm
not entirely sure that the implementation is perfect yet.  For instance,
should the chowning of the per-user files be done in ud-replicate (as
I've done here), or on the master side at ud-generate time?  Also, it
might be worth limiting which ssh keys we send to which hosts (so, for
instance, there's absolutely no point in sending ssh keys for every user
to a restricted host).  These should be relatively easy to fix however.

I've tested using this with an etch sshd and the following config line:

AuthorizedKeysFile2     /var/lib/misc/localhost/ssh-rsa-shadow-%u

Obviously, localhost should be replaced with the actual machine name.

Thoughts?

Mark

-- 
Mark Hymers <mhy at debian dot org>

"I've had people claim that they actually make the sun rise every
 morning.  I've offered to test them by shooting them.  So far all these
 people have not responded to my endeavours."
     James Randi on BBCi Live Chat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: multiplesshkeys.diff
Type: text/x-diff
Size: 4471 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/da-tools-discuss/attachments/20071226/b969f246/attachment.diff 
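The chowning question raised above matters because sshd (with the default StrictModes) only honours an AuthorizedKeysFile if the file and every directory above it, up to the user's home directory or /, are owned by root or by the user and are not group- or world-writable; otherwise the key is silently ignored. The shell function below is an added example, not part of the attached patch or of ud-replicate, that reproduces that walk so a replica can verify its per-user files; the TOP argument and the sample key are assumptions made for the example.

```shell
# Added example (not the attached patch or ud-replicate): reproduce sshd's
# StrictModes walk for a per-user key file such as
# /var/lib/misc/HOST/ssh-rsa-shadow-USER.  sshd accepts the file only if it
# and every directory above it, up to the user's home or /, are owned by
# root or by that user and are not group- or world-writable.
# Usage: check_keyfile PATH USER [TOP]
#   TOP is where the walk stops (assumed argument; mirrors sshd stopping at
#   the home directory; defaults to /).
# Returns 0 when sshd would accept the file, 1 otherwise.  Assumes GNU
# coreutils/findutils (stat -c, find -perm /).
check_keyfile() {
    path=$1
    user=$2
    top=${3:-/}
    if [ ! -f "$path" ]; then
        echo "check_keyfile: $path is missing or not a regular file" >&2
        return 1
    fi
    p=$path
    while :; do
        owner=$(stat -c '%U' "$p") || return 1
        if [ "$owner" != root ] && [ "$owner" != "$user" ]; then
            echo "check_keyfile: $p is owned by $owner, not root or $user" >&2
            return 1
        fi
        # -perm /022 matches when the group or other write bit is set
        if [ -n "$(find "$p" -maxdepth 0 -perm /022)" ]; then
            echo "check_keyfile: $p is group- or world-writable" >&2
            return 1
        fi
        if [ "$p" = "$top" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return 0
}

# Walk every per-user file a replica received, e.g. after ud-replicate:
#   for f in /var/lib/misc/"$(hostname)"/ssh-rsa-shadow-*; do
#       check_keyfile "$f" "${f##*ssh-rsa-shadow-}" || echo "REJECTED: $f"
#   done
```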