Isn't it wonderful when you sound like a complete idiot on a public forum?

So, lesson #1 is to not post before the morning caffeine.

That said, I just re-tested this on Fedora 15 and SSH doesn't care if the authorized_keys file is owned by the user or root. It does, however, care if it's owned by a different user.

So, I would like to change this request to allow the key to be owned by either the user or root (which was the purpose of my original request anyway).

Thanks!

Trevor

On 09/01/2011 05:20 AM, Trevor Vaughan wrote:
> ssh_authorized_keys can be owned by anyone.
>
> Think of how git works. The file is owned by git/gitosis/whatever, but you
> log in as yourself. This is the whole point of ssh_authorized_keys and one
> way that it can be abused.
>
> In my tests, SSH doesn't care one way or the other who it's owned by so long
> as it's not world writable.
>
> Trevor
>
> On 08/30/2011 06:27 PM, Kelsey Hightower wrote:
>> One use case where it may not be desirable to have users own the keys
>> is in centralized ssh key setups backed by LDAP and PAM
>> authentication. In this specific case all keys are stored in a central
>> location such as /etc/ssh-public-keys/*.pub. The keys are only read by
>> PAM (root) during the authentication phase.

--
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaug...@onyxpoint.com
phone: 410-541-ONYX (6699)
pgp: 0x6C701E94

-- This account not approved for unencrypted sensitive information --

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
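Added example, not part of the original thread or of Puppet's code: a small audit that applies the ownership rule described in the latest message above (owner must be the login user or root) to an authorized_keys file and to each parent directory up to the user's home. The function names, the group-writable test and the directory walk are assumptions modelled on how sshd behaves with StrictModes enabled.

```python
import os
import stat


def owner_and_mode_problems(st_uid, st_mode, user_uid):
    """Return the problems found for one file or directory."""
    problems = []
    # Accept the login user or root; reject any other owner.
    if st_uid not in (0, user_uid):
        problems.append(f"owned by uid {st_uid}, expected 0 or {user_uid}")
    # Assumption: group write is refused as well as world write.
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(
            f"group/world writable (mode {stat.S_IMODE(st_mode):04o})")
    return problems


def audit_authorized_keys(key_file, user_uid, home):
    """Check key_file, then every parent directory up to and including home.

    For a key file outside the home directory (for example a central
    key store), the walk continues to the filesystem root.
    Returns {path: [problems]}; an empty dict means nothing was flagged.
    """
    findings = {}
    path = os.path.realpath(key_file)
    home = os.path.realpath(home)
    while True:
        st = os.stat(path)
        problems = owner_and_mode_problems(st.st_uid, st.st_mode, user_uid)
        if problems:
            findings[path] = problems
        parent = os.path.dirname(path)
        if path == home or parent == path:
            break
        path = parent
    return findings


if __name__ == "__main__":
    # Audits the current user's own file, if there is one.
    home = os.path.expanduser("~")
    key_file = os.path.join(home, ".ssh", "authorized_keys")
    if os.path.exists(key_file):
        for path, problems in audit_authorized_keys(
                key_file, os.getuid(), home).items():
            print(path, "->", "; ".join(problems))
```
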