Here is a patch to allow private key files to be placed system wide (for all users) in a secure (non-NFS) mounted location on systems where home directories are NFS mounted. This addresses an important security hole on systems where home directories are NFS mounted, particularly if there are users who use blank passphrases (or when lpd is tunneled through ssh on systems running lpd as user lp) instead of ssh-agent.

IdentityFile now accepts the same %u, %h, %% options that AuthorizedKeysFile accepts (see man sshd). For example, one can specify a user-dependent IdentityFile in ssh_config:

    IdentityFile /ssh/%u/id_rsa
Created attachment 1076: User-dependent IdentityFile, portable version
Created attachment 1077: User-dependent IdentityFile, OpenBSD version
Comment on attachment 1077: User-dependent IdentityFile >diff -ru ssh/ssh-keygen.c sshJ/ssh-keygen.c >--- ssh/ssh-keygen.c 2005-11-28 19:04:55.000000000 -0700 >+++ sshJ/ssh-keygen.c 2006-02-21 15:52:36.000000000 -0700 ... >+ /* Read systemwide configuration file after user config. */ >+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, hostname, &options, 0); I don't think we want the other tools to depend on ssh_config. >--- ssh/ssh.c 2005-12-19 21:41:07.000000000 -0700 >+++ sshJ/ssh.c 2006-02-21 15:52:36.000000000 -0700 ... > for (; i < options.num_identity_files; i++) { > filename = tilde_expand_filename(options.identity_files[i], > original_real_uid); >+ filename = percent_expand(filename, "h", pw->pw_dir, >+ "u", pw->pw_name, (char *)NULL); > public = key_load_public(filename, NULL); This leaks memory. Also, I think it would be better to have: %u -> user %h -> local hostname %d -> home directory I'll attach a revised patch
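Review bot: the ssh-keygen.c hunk makes a key-generation tool read _PATH_HOST_CONFIG_FILE into its options purely to get the %-tokens, and the return value of read_config_file() is cast to void, so a parse failure in the system ssh_config silently changes which identity file ssh-keygen operates on; the expansion belongs where the identity files are actually loaded (ssh.c), and the ssh-keygen change should be dropped.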
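Review bot: in the ssh.c hunk, `filename = percent_expand(filename, ...)` rebinds the pointer returned by tilde_expand_filename() without freeing it, so one allocation leaks per configured identity file; keep the tilde-expanded string in a temporary, pass it to percent_expand(), then free the temporary, as in `cp = tilde_expand_filename(...); filename = percent_expand(cp, ...); xfree(cp);`. The token names here (%h for home directory) also collide with the existing client-side meaning of %h in ControlPath and ProxyCommand.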
Created attachment 1083: Revised diff. This diff fixes the memory leak and uses the mnemonics from Comment #3. Note that the diff doesn't touch ssh-keygen.
(In reply to comment #3)
> Also, I think it would be better to have:
>
> %u -> user
> %h -> local hostname
> %d -> home directory

The current uses of percent_expand() are, with this proposal at the bottom:

                 ClHost  ClUser  SrvHost  SrvUser  SrvPort  Homedir
 authorized_keys         %u                                 %h
 ControlPath     %l              %h       %r       %p
 ProxyCommand                    %h                %p
 IdentityFile    %h      %u                                 %d

To keep the client-side consistent, those could be:

 %u -> local user
 %l -> local hostname
 %d -> home directory

The following might also be useful:

 %h -> remote host
 %r -> remote username
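The client-side token set proposed above (%u local user, %l local hostname, %d home directory, %% literal), as an added, self-contained example that is not OpenSSH's percent_expand(); the function name and the sample values are constructed for illustration. It returns a freshly allocated string so the caller owns it, the ownership point behind the memory leak noted in comment #3.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Expand %u (local user), %l (local hostname), %d (home directory)
 * and %% in an IdentityFile pattern.  Returns a newly malloc'd string
 * the caller must free, or NULL on an unknown or trailing %-sequence.
 * Hypothetical helper for this example, not OpenSSH's percent_expand(). */
char *expand_identity_file(const char *pattern, const char *user,
    const char *lhost, const char *home)
{
	size_t cap = strlen(pattern) + 1, len = 0;
	char *out = malloc(cap);
	if (out == NULL)
		return NULL;
	for (const char *p = pattern; *p != '\0'; p++) {
		const char *rep;
		char one[2] = { *p, '\0' };
		if (*p != '%') {
			rep = one;             /* ordinary character, copy as-is */
		} else {
			switch (*++p) {        /* token following the '%' */
			case 'u': rep = user;  break;
			case 'l': rep = lhost; break;
			case 'd': rep = home;  break;
			case '%': rep = "%";   break;
			default: free(out); return NULL;  /* unknown token or trailing '%' */
			}
		}
		size_t n = strlen(rep);
		if (len + n + 1 > cap) {       /* grow the buffer, keeping room for NUL */
			cap = (len + n + 1) * 2;
			char *tmp = realloc(out, cap);
			if (tmp == NULL) { free(out); return NULL; }
			out = tmp;
		}
		memcpy(out + len, rep, n);
		len += n;
	}
	out[len] = '\0';
	return out;
}
```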
Created attachment 1097: Improved diff, with dtucker's suggestions. Good points Darren, revised diff attached.
*** Bug 95 has been marked as a duplicate of this bug. ***
Comment on attachment 1097: Improved diff, with dtucker's suggestions. Looks and tests fine here. I would have used something other than "me" ("thishost"? "lhost"?) to prevent confusing it with the local user name.
Patch applied (with s/me/thishost/) and will be in 4.4. Thanks.
With the release of 4.4, we believe that this bug is now closed. For information about the release please see http://www.openssh.com/txt/release-4.4 .