[Da-tools-discuss] Per user ssh key files patch

Joerg Jaspert joerg at ganneff.de
Thu Dec 27 11:07:32 UTC 2007


On 11245 March 1977, Mark Hymers wrote:

> As some of you may remember, there was a discussion about using per-user
> ssh-key files instead of the current monolithic one.  The attached patch
> implements this.  This, along with the shadow patch I commited earlier
> today (and pam_mkhomedir), would allow us to move away from having to
> have a patched openssh.

Yes!

> I haven't committed this to -common yet as I'd like comments on it.  I'm
> not entirely sure that the implementation is perfect yet.

That's a perfect thing for a branch to test it. And we can test it using
DebConf hosts.
If you provide me a branch you are happy with I can do the rollout.

> For instance, should the chowning of the per-user files be done in
> ud-replicate (as I've done here), or on the master side at ud-generate
> time?  Also, it might be worth limiting which ssh keys we send to
> which hosts (so, for instance, there's absolutely no point in sending
> ssh keys for every user to a restricted host).  These should be
> relatively easy to fix however.

chown on target host in case you want to run "chown loginname file". On
the generating host you would need "chown id file", as that host usually
doesn't have the users. And do we need --numerical-ids for rsync then?

And yes, please limit the generation of keyfiles to those hosts users
have access to.


Aha, you currently do chown based on the filename in ud-replicate. Hrm,
a find loop and id calls. Run on every machine every 15 minutes. For
systems with multiple hundred users (debian) that might be bad.

-- 
bye Joerg
<liw> er, *not* what I meant, is what I meant
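One way to do the target-host chown with a single passwd(5) read instead of an id(1) fork per key file, as an added example that is not part of the patch or the da-tools code; the key directory layout (one file per login, named after the login) and the passwd source are assumptions:

```shell
#!/bin/sh
# Added example (not the da-tools code): chown per-user ssh key files on the
# receiving host with one pass over passwd(5) rather than one id(1) call per
# file. Assumptions: KEYDIR holds one file per login, named after the login
# (e.g. KEYDIR/alice); the host's accounts are available as passwd(5) lines
# (default /etc/passwd; a file written from "getent passwd" also works).

# Print one "uid:gid path" line per key file whose name is a local login.
# Files with no matching account are reported as "SKIP path" and left alone,
# so a key file for a login this host does not have never gets an owner.
plan_key_chowns() {
    keydir=$1
    passwd_file=${2:-/etc/passwd}
    find "$keydir" -maxdepth 1 -type f |
    awk -F: '
        NR == FNR { owner[$1] = $3 ":" $4; next }   # pass 1: login -> uid:gid
        {
            path = $0                               # pass 2: one line per file
            login = path; sub(".*/", "", login)     # basename is the login
            if (login in owner) print owner[login], path
            else print "SKIP", path
        }' "$passwd_file" -
}

# Apply a plan: chown each file to its owner and make it 0644, which is what
# sshd StrictModes accepts for an AuthorizedKeysFile. Needs root.
apply_key_chowns() {
    while read -r owner path; do
        [ "$owner" = SKIP ] && continue
        chown "$owner" "$path" && chmod 0644 "$path"
    done
}

# Usage (hypothetical path): plan_key_chowns /path/to/keydir | apply_key_chowns
```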