On Mon, Jun 02, 2008 at 09:02:50AM +0100, Philip Hands wrote:
> On Mon, Jun 02, 2008 at 01:48:29AM +0200, Joerg Jaspert wrote:
> > On 11403 March 1977, Steve Langasek wrote:
> > > So tagging a key as belonging to a particular host is insufficient - we need
> > > the full authorized_keys semantics for setting key options (from=, command=,
> > > no-port-forwarding, no-X11-forwarding, at least).
> >
> > And? You have that already, just add that in front of your key as you
> > would normally do. ud-ldap passes it. It really "only" needs the
> > "host=gluck,merkel,whatever" addition to also limit it to target hosts
> > and then all is there.
>
> Actually, it occurs to me that one can already do a poor-man's version
> of the host restriction by making the command option something like:
>
>   command="hostname | grep -q '^\(gluck\|merkel\|whatever\)$' &&
>   ~/d-i/d-i-unpack-helper ..."
>
> Then, once the host= feature is available it will be possible to upgrade
> to using that in a moment (rather than having to go round tidying up
> on each host) -- in fact, if people are consistent in using the above
> incantation, we could even tweak them all in LDAP when the feature is added.
>
> Steve, does that address your concerns?

Yes, it does - thanks, I wasn't aware that ud-ldap supported the full
semantics for ssh key options, I don't remember this ever having been made
clear in the documentation.

Actually, what https://db.debian.org/doc-mail.html currently says is:

  Part of the replicated dataset is a virtual .ssh/authorized_keys file for
  each user. The change address is the simplest way to set the RSA key(s) you
  intend to use. Simply place a key on a line by itself, the full SSH key
  format specification is supported, see sshd(8).

Perhaps this could be clarified as:

  Part of the replicated dataset is a virtual .ssh/authorized_keys file for
  each user. The change address is the simplest way to set the RSA key(s) you
  intend to use. The full authorized_keys file format is supported; see
  sshd(8) for details.

?
(and as long as someone's editing, s/enterity/entirety/ a couple of lines
down :)

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
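
The host check from the command= suggestion quoted above, written as a small wrapper script that a forced command could call. This is an added example, not code from the thread or from ud-ldap; the names host_allowed, run_restricted and ALLOWED_HOSTS are hypothetical, and matching on the short hostname is an assumption.

```shell
#!/bin/sh
# Added example: forced-command wrapper that keeps the host check in one place.
# Hypothetical names: host_allowed, run_restricted, ALLOWED_HOSTS.

ALLOWED_HOSTS="gluck,merkel,whatever"   # host list as written in the thread

# host_allowed HOST LIST
# Succeeds only if HOST, reduced to its short name, is exactly one of the
# comma-separated entries in LIST. Anything unexpected fails closed.
host_allowed() {
    host=${1%%.*}                        # assumption: compare short names
    [ -n "$host" ] || return 1           # empty hostname: deny
    case $host in
        *[!A-Za-z0-9-]*) return 1 ;;     # reject commas, globs, whitespace
    esac
    case ",$2," in
        *",$host,"*) return 0 ;;         # whole-entry match, no substrings
        *) return 1 ;;
    esac
}

# run_restricted CMD [ARGS...]
# Runs CMD only when the local host is in ALLOWED_HOSTS.
run_restricted() {
    if host_allowed "$(hostname)" "$ALLOWED_HOSTS"; then
        "$@"
    else
        echo "key not valid on this host" >&2
        return 1
    fi
}

# When installed as a script, the authorized_keys command= option would name
# this script followed by the helper to run; with no arguments it does nothing.
if [ "$#" -gt 0 ]; then
    run_restricted "$@"
fi
```

The whole-entry comparison means a host named gluck2 or luck is not accepted by an entry for gluck.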