Created attachment 3207
[PATCH] Support for sshd authorizedkeysfile variable

For servers that do not default to ~/.ssh/authorized_keys, adding keys to their specific file requires further steps to fix on the host. It’s possible once ssh’d into a box to run `sshd -T` to get the variable for authorized_keys for this user, so this supplied patch does that. Patch also does expansion for %%, %u, %h, and tries to default back to ~/.ssh/authorized_keys if there is a failure.

My concern, though, is that even though the sshd_config manfile suggests quotation support (Arguments may optionally be enclosed in double quotes (") in order to represent arguments containing spaces.) for these variables, the output of `sshd -T` is bare:

john@hydrogen ~ ❯ grep AuthorizedKeysFile /etc/ssh/sshd_config
AuthorizedKeysFile "quoted file name" settings/config/ssh/authorized_keys
john@hydrogen ~ ❯ sshd -T 2> /dev/null | grep authorizedkeysfile
authorizedkeysfile quoted file name settings/config/ssh/authorized_keys
john@hydrogen ~ ❯ sshd -v
OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n 7 Dec 2017

Which suggests this patch is not good enough as it is to support these configurations.
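The parsing problem raised in this comment, as an added shell example that is not the attached patch or ssh-copy-id code: it expands %%, %u and %h, falls back to ~/.ssh/authorized_keys on failure, and shows how the bare `sshd -T` line is mis-split. The helper names and the home directory /home/john are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; helper names and /home/john are assumptions, not ssh-copy-id code.

# Expand %%, %u and %h in one AuthorizedKeysFile pattern. Per sshd_config(5) the
# result is an absolute path or one relative to the user's home directory.
expand_akf() {
    x_pat=$1 x_user=$2 x_home=$3 x_out=
    while [ -n "$x_pat" ]; do
        case $x_pat in
            %%*) x_out="$x_out%";       x_pat=${x_pat#??} ;;
            %u*) x_out="$x_out$x_user"; x_pat=${x_pat#??} ;;
            %h*) x_out="$x_out$x_home"; x_pat=${x_pat#??} ;;
            %*)  return 1 ;;            # unsupported token or trailing '%'
            *)   x_rest=${x_pat#?}      # copy one literal character
                 x_head=${x_pat%"$x_rest"}
                 x_out=$x_out$x_head; x_pat=$x_rest ;;
        esac
    done
    case $x_out in
        /*) printf '%s\n' "$x_out" ;;
        *)  printf '%s\n' "$x_home/$x_out" ;;
    esac
}

# Value of the authorizedkeysfile line in `sshd -T` output read from stdin.
# The quotes from sshd_config are already gone here, so a file name with
# spaces cannot be told apart from several separate paths.
akf_fields() {
    sed -n 's/^authorizedkeysfile[[:space:]]\{1,\}//p' | head -n 1
}
count_akf() { set -f; set -- $(akf_fields); set +f; echo $#; }

# First path after whitespace splitting, or the default on any failure.
first_akf() {
    f_user=$1 f_home=$2
    set -f; set -- $(akf_fields); set +f
    if [ $# -gt 0 ] && expand_akf "$1" "$f_user" "$f_home"; then return 0; fi
    printf '%s\n' "$f_home/.ssh/authorized_keys"
}

# The `sshd -T` line quoted in the comment: two configured paths, four fields.
sample='authorizedkeysfile quoted file name settings/config/ssh/authorized_keys'
printf '%s\n' "$sample" | first_akf john /home/john   # prints /home/john/quoted
```

A key appended to the path chosen this way would land in a file sshd never reads, so a caller should compare the field count with what the configuration is expected to contain before trusting the first field.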
sshd_config is not generally readable for normal users so your patch will actually work only for root logins.
(In reply to Jakub Jelen from comment #1)
> sshd_config is not generally readable for normal users so your patch
> will actually work only for root logins.

What do you mean by generally here, just Red Hat distros? Most non-Ubuntu? For example it’s readable via sshd on these Debian installs, for normal and root users.

Fully understand that ssh-copy-id is likely not where the work should be done to make this feature happen.
Think if I could get a patch into sshd to publish SSH_AUTHORIZEDKEYFILE during environment creation, this patch would be cleaner and fallback would still be supported for old versions: e.g. ${SSH_AUTHORIZEDKEYFILE:=.ssh/authorized_keys}, though it would still need the extra dirname.
First, we don't maintain ssh-copy-id though we do ship it in contrib/ as a convenience. The maintainer is Phil Hands and he has a git tree at http://git.hands.com/ssh-copy-id.git

I don't think we're interested in exposing the sshd_config via environment variables - there are many options that people might want (too many for us to support all conceivable ones), but all of them are pretty niche.
closing resolved bugs as of 8.6p1 release