Debian Bug report logs - #560148
openssh-server - Please support multiple AuthorizedKeysFile
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#560148; Package openssh-server.
(Wed, 09 Dec 2009 09:48:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Bastian Blank <waldi@debian.org>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Wed, 09 Dec 2009 09:48:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: openssh-server
Version: 1:5.1p1-8
Severity: wishlist
Please support multiple occurrences of the AuthorizedKeysFile option,
like HostKey. I want to provision keys for admin users without writing
into /home. A similar setup is done with help of a workaround
(AuthorizedKeysFile2) on all debian.org machines.
Bastian
--
Captain's Log, star date 21:34.5...
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#560148; Package openssh-server.
(Wed, 09 Dec 2009 11:54:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Wed, 09 Dec 2009 11:54:02 GMT) (full text, mbox, link).
Message #10 received at 560148@bugs.debian.org (full text, mbox, reply):
tags 560148 patch
thanks
Please find the patch attached. It changes the behaviour to allow
multiple instances of the AuthorizedKeysFile option and should also
maintain the behaviour of the AuthorizedKeysFile2 option.
It is overly tested for the ssh2 part. But the ssh1 part only builds.
Bastian
--
Deflector shields just came on, Captain.
[diff (text/plain, attachment)]
Added tag(s) patch.
Request was from Bastian Blank <waldi@debian.org>
to control@bugs.debian.org.
(Wed, 09 Dec 2009 11:54:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#560148; Package openssh-server.
(Wed, 09 Dec 2009 14:48:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Wed, 09 Dec 2009 14:48:04 GMT) (full text, mbox, link).
Message #17 received at 560148@bugs.debian.org (full text, mbox, reply):
On Wed, Dec 09, 2009 at 12:51:34PM +0100, Bastian Blank wrote:
> Please find the patch attached. It changes the behaviour to allow
> multiple instances of the AuthorizedKeysFile option and should also
> maintain the behaviour of the AuthorizedKeysFile2 option.
>
> It is overly tested for the ssh2 part. But the ssh1 part only builds.
Thanks for the patch. Could you please send this upstream, to
bugzilla.mindrot.org? It's usually best if patch submitters do this
directly. I have bad experiences with changing configuration file
semantics relative to openssh upstream, and try very hard to avoid doing
it.
Regards,
--
Colin Watson [cjwatson@debian.org]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#560148; Package openssh-server.
(Wed, 09 Dec 2009 19:12:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Wed, 09 Dec 2009 19:12:07 GMT) (full text, mbox, link).
Message #22 received at 560148@bugs.debian.org (full text, mbox, reply):
regarding the patch to support multiple authorizedkeysfile configuration
choices for sshd [0]:
AuthorizedKeysFile currently is not supported by the Match keyword. If
this feature of multiple AuthorizedKeysFile entries was supported, it
would be ambiguous for use within a Match block (e.g. would a new
AuthorizedKeysFile within a Match be a replacement for the generic
AuthorizedKeysFile, or would it be in addition to?).
Martin Krafft's proposal for an authorized_keys directory [1] would
permit system configuration of the type Bastian is proposing through the
use of symlinks like this:
    mkdir /etc/ssh/authorized_keys/user17
    ln -s ~user17/.ssh/authorized_keys /etc/ssh/authorized_keys/user17/
and set:
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
This would allow future inclusion of AuthorizedKeysFile in a Match block
(as an unambiguous override of other settings).
--dkg
[0] http://bugs.debian.org/560148
[1] http://bugs.debian.org/481251
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#560148; Package openssh-server.
(Thu, 10 Dec 2009 16:57:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Bastian Blank <bastian@waldi.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
(Thu, 10 Dec 2009 16:57:02 GMT) (full text, mbox, link).
Message #29 received at 560148@bugs.debian.org (full text, mbox, reply):
[ Please note that mails to $bug@bugs.debian.org are not sent to the
[ submitter, please also add $bug-submitter@bugs.debian.org to the
[ recipients.
On Wed, Dec 09, 2009 at 02:11:31PM -0500, Daniel Kahn Gillmor wrote:
> AuthorizedKeysFile currently is not supported by the Match keyword. If
> this feature of multiple AuthorizedKeysFile entries was supported, it
> would be ambiguous for use within a Match block (e.g. would a new
> AuthorizedKeysFile within a Match be a replacement for the generic
> AuthorizedKeysFile, or would it be in addition to?).
This bug is actually written with my second variant in use. The first
one used a _list_ of entries in AuthorizedKeysFile to make that not
ambiguous. This however would need another metacharacter to split the
entries.
> Martin Krafft's proposal for an authorized_keys directory [1] would
> permit system configuration of the type Bastian is proposing through the
> use of symlinks like this:
>     mkdir /etc/ssh/authorized_keys/user17
>     ln -s ~user17/.ssh/authorized_keys /etc/ssh/authorized_keys/user17/
The core problem includes two such directories. One machine specific in
/etc/ssh and one network specific somewhere else with several hundred
users.
Bastian
--
Is truth not truth for all?
-- Natira, "For the World is Hollow and I have Touched
the Sky", stardate 5476.4.
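
Added example, not part of the bug log and not OpenSSH code: a small audit helper for the setup discussed above, where each user's keys may come from several AuthorizedKeysFile patterns (a machine-specific one under /etc/ssh, the one in the home directory, a network-wide one). It expands the sshd_config tokens %u, %h and %% and flags candidate files that are missing, owned by an untrusted uid, or group/world writable. The function names, the `net` directory and the sample key line are constructed for illustration, and the ownership and mode check is a simplification, not sshd's own StrictModes logic.

```python
import os
import stat
import tempfile

def expand_tokens(pattern, user, home):
    """Expand %u, %h and %% in one AuthorizedKeysFile pattern."""
    tokens = {"u": user, "h": home, "%": "%"}
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "%" and i + 1 < len(pattern):
            # Unknown tokens are left untouched rather than guessed at.
            out.append(tokens.get(pattern[i + 1], pattern[i:i + 2]))
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    path = "".join(out)
    # A relative pattern is taken relative to the user's home directory.
    return path if os.path.isabs(path) else os.path.join(home, path)

def audit_key_file(path, trusted_uids):
    """Findings for one candidate key file; symlinks are followed to the real file."""
    real = os.path.realpath(path)
    if not os.path.isfile(real):
        return ["missing"]
    st, findings = os.stat(real), []
    if st.st_uid not in trusted_uids:
        findings.append("untrusted owner")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world writable")
    return findings

def audit_user(patterns, user, home, trusted_uids):
    """Resolve every pattern for one user and audit each resulting path."""
    paths = [expand_tokens(p, user, home) for p in patterns]
    return [(p, audit_key_file(p, trusted_uids)) for p in paths]

def demo():
    """Constructed layout in a temp dir: machine keys, home keys, absent network keys."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "user17")
    machine = os.path.join(root, "etc", "ssh", "authorized_keys")
    os.makedirs(os.path.join(home, ".ssh"))
    os.makedirs(machine)
    for path, mode in ((os.path.join(machine, "user17"), 0o600),
                       (os.path.join(home, ".ssh", "authorized_keys"), 0o666)):
        with open(path, "w") as fh:
            fh.write("ssh-ed25519 AAAA...constructed user17@example\n")
        os.chmod(path, mode)
    patterns = [machine + "/%u", ".ssh/authorized_keys", os.path.join(root, "net", "%u")]
    return audit_user(patterns, "user17", home, {0, os.getuid()})
```

Because `audit_key_file` resolves symlinks first, a machine-level entry that is only a link into a user's home is judged on the permissions of the file it points to.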
Merged 76312 560148.
Request was from Colin Watson <cjwatson@debian.org>
to control@bugs.debian.org.
(Wed, 22 Jun 2011 10:39:03 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 16 Oct 2011 07:32:48 GMT) (full text, mbox, link).
Last modified: Sat Mar 25 13:36:24 2023