simonsobs-uk / data-centre

This tracks the issues in the baseline design of the SO:UK Data Centre at Blackett
https://souk-data-centre.readthedocs.io
BSD 3-Clause "New" or "Revised" License

`$HOME/.ssh/authorized_keys` is centrally managed #5

Open ickc opened 1 year ago

ickc commented 1 year ago

Currently, `$HOME/.ssh/authorized_keys` will be overwritten periodically by the central management system. But this is counter-intuitive given the expectation of the Filesystem Hierarchy Standard. A better approach would be putting it under `/etc` (Host-specific system configuration).

For example, use `AuthorizedKeysFile` in `/etc/ssh/sshd_config`:

```
# /etc/ssh/sshd_config
AuthorizedKeysFile /etc/ssh/%u/authorized_keys .ssh/authorized_keys
```

and put the centrally managed file in `/etc/ssh/$USER/authorized_keys` instead.

rwf14f commented 1 year ago

I agree, it would be better to change the configuration to centrally manage the `authorized_keys` file in `/etc/ssh/`. You would still not be allowed to change it though. We would change the configuration to only use the file in `/etc/ssh`; it would replace `~/.ssh/authorized_keys`, not amend it.
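
An added example, not part of the thread or of the data centre's own configuration: a shell script that reads an `sshd_config` and reports whether any `AuthorizedKeysFile` pattern still resolves inside the user's home directory, which is the difference between the two configurations discussed above. The function names are hypothetical, the sample configs are constructed, and it assumes a single config file with no `Match` blocks or `Include` directives.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Classifies AuthorizedKeysFile
# patterns as centrally managed or user-controlled.

# Print the patterns of the first AuthorizedKeysFile line (sshd keeps the
# first value it reads); fall back to the OpenSSH default when none is set.
akf_patterns() {
    awk 'tolower($1) == "authorizedkeysfile" {
             for (i = 2; i <= NF; i++) print $i
             found = 1; exit
         }
         END { if (!found) { print ".ssh/authorized_keys"
                             print ".ssh/authorized_keys2" } }' "$1"
}

# sshd treats a non-absolute pattern as relative to the user's home, and %h
# expands to the home directory: both are writable by the account owner.
# Assumption: an absolute path not starting with %h lies outside any home.
classify_pattern() {
    case "$1" in
        none)    echo "disabled" ;;
        %h|%h/*) echo "user-controlled" ;;
        /*)      echo "central" ;;
        *)       echo "user-controlled" ;;
    esac
}

# Succeed only if users cannot add keys of their own.
keys_only_central() {
    for p in $(akf_patterns "$1"); do
        if [ "$(classify_pattern "$p")" = "user-controlled" ]; then
            return 1
        fi
    done
    return 0
}

# Constructed sample configs: the issue's proposal and the central-only variant.
demo=$(mktemp -d)
echo 'AuthorizedKeysFile /etc/ssh/%u/authorized_keys .ssh/authorized_keys' > "$demo/proposal"
echo 'AuthorizedKeysFile /etc/ssh/%u/authorized_keys' > "$demo/central_only"
for f in proposal central_only; do
    for p in $(akf_patterns "$demo/$f"); do
        echo "$f: $p -> $(classify_pattern "$p")"
    done
done
rm -rf "$demo"
```

On a live host, `sshd -T` prints the effective value after `Match` and `Include` processing, and the central file and its parent directories should be root-owned and not writable by the user.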