Bug 2932 - Support customised AuthorizedKeysFile on the remote host
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-copy-id
Version: 7.9p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
 
Reported: 2018-11-20 06:37 AEDT by John Drinkwater
Modified: 2021-04-23 15:08 AEST

Attachments
[PATCH] Support for sshd authorizedkeysfile variable (2.32 KB, patch)
2018-11-20 06:37 AEDT, John Drinkwater

Description John Drinkwater 2018-11-20 06:37:31 AEDT
Created attachment 3207
[PATCH] Support for sshd authorizedkeysfile variable

For servers that do not default to ~/.ssh/authorized_keys, adding keys to their specific file requires further steps to fix on the host.

It’s possible once ssh’d into a box to run `sshd -T` to get the variable for authorized_keys for this user, so this supplied patch does that. Patch also does expansion for %%, %u, %h, and tries to default back to ~/.ssh/authorized_keys if there is a failure.

My concern, though, is that even though the sshd_config manfile suggests quotation support (Arguments may optionally be enclosed in double quotes (") in order to represent arguments containing spaces.) for these variables, the output of `sshd -T` is bare:

john@hydrogen ~ ❯ grep AuthorizedKeysFile /etc/ssh/sshd_config
AuthorizedKeysFile	"quoted file name" settings/config/ssh/authorized_keys
john@hydrogen ~ ❯ sshd -T 2> /dev/null | grep authorizedkeysfile
authorizedkeysfile quoted file name settings/config/ssh/authorized_keys
john@hydrogen ~ ❯ sshd -v
OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n  7 Dec 2017

Which suggests this patch is not good enough as it is to support these configurations.
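
The parsing problem described in this report, as an added example that is not part of the attached patch or of ssh-copy-id: it expands %%, %u and %h, falls back to the default path when no usable value is available, and shows what whitespace splitting does to the dump line quoted above. The function names and the /home/john home directory are assumptions.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from ssh-copy-id.

# Expand %%, %u and %h in one AuthorizedKeysFile entry and anchor a relative
# result at the home directory. $1=entry $2=user $3=home. Any other %-token
# is treated as a failure so the caller can fall back.
expand_akf() {
    e_in=$1; e_out=
    while [ -n "$e_in" ]; do
        case $e_in in
            %%*) e_out="$e_out%";  e_in=${e_in#'%%'} ;;
            %u*) e_out="$e_out$2"; e_in=${e_in#'%u'} ;;
            %h*) e_out="$e_out$3"; e_in=${e_in#'%h'} ;;
            %*)  return 1 ;;
            *)   e_rest=${e_in#?}; e_ch=${e_in%"$e_rest"}
                 e_out="$e_out$e_ch"; e_in=$e_rest ;;
        esac
    done
    case $e_out in
        /*) printf '%s\n' "$e_out" ;;
        *)  printf '%s\n' "$3/$e_out" ;;
    esac
}

# Split the authorizedkeysfile line of an `sshd -T` dump ($1) on whitespace,
# one field per line. Quoting from sshd_config is already gone at this point.
akf_fields() {
    f_val=$(printf '%s\n' "$1" |
        sed -n 's/^authorizedkeysfile[[:space:]]\{1,\}//p' | head -n 1)
    set -f; set -- $f_val; set +f
    for f_x in "$@"; do printf '%s\n' "$f_x"; done
}

# First field, expanded; default path when the dump is empty or unusable.
resolve_akf() {  # $1=dump $2=user $3=home
    r_first=$(akf_fields "$1" | head -n 1)
    if [ -n "$r_first" ] && r_path=$(expand_akf "$r_first" "$2" "$3"); then
        printf '%s\n' "$r_path"
    else
        printf '%s\n' "$3/.ssh/authorized_keys"
    fi
}

# Dump line quoted in the report (two configured entries); home is assumed.
dump='authorizedkeysfile quoted file name settings/config/ssh/authorized_keys'
echo "fields seen: $(akf_fields "$dump" | wc -l)"           # four, not two
echo "resolved:    $(resolve_akf "$dump" john /home/john)"  # a truncated name
echo "no dump:     $(resolve_akf '' john /home/john)"       # default path
```

Because OpenSSH's default for this option already lists more than one file, the field count alone cannot tell a multi-entry setting from one quoted name containing spaces.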
Comment 1 Jakub Jelen 2018-11-20 19:18:26 AEDT
sshd_config is not generally readable for normal users so your patch will actually work only for root logins.
Comment 2 John Drinkwater 2018-11-20 23:33:52 AEDT
(In reply to Jakub Jelen from comment #1)
> sshd_config is not generally readable for normal users so your patch
> will actually work only for root logins.

What do you mean by generally here, just Red Hat distros? Most non-Ubuntu? For example it’s readable via sshd on these Debian installs, for normal and root users.

Fully understand that ssh-copy-id is likely not where the work should be done to make this feature happen.
Comment 3 John Drinkwater 2018-11-21 01:15:19 AEDT
Think if I could get a patch into sshd to publish SSH_AUTHORIZEDKEYFILE during environment creation, this patch would be cleaner and fallback would still be supported for old versions:
e.g. ${SSH_AUTHORIZEDKEYFILE:=.ssh/authorized_keys}, though it would still need the extra dirname.
Comment 4 Damien Miller 2019-01-22 22:30:51 AEDT
First, we don't maintain ssh-copy-id though we do ship it in contrib/ as a convenience. The maintainer is Phil Hands and he has a git tree at http://git.hands.com/ssh-copy-id.git

I don't think we're interested in exposing the sshd_config via environment variables - there are many options that people might want (too many for us to support all conceivable ones), but all of them are pretty niche.
Comment 5 Damien Miller 2021-04-23 15:08:48 AEST
closing resolved bugs as of 8.6p1 release