
Ask HN: SSH – authorized_keys comment field format (best practices)?
3 by vaporup | 1 comments on Hacker News.
Hi, I know about SSH certificates and we use them primarily, but we still have systems which use classic pubkeys managed in authorized_keys.

From authorized_keys(5):

    Public keys consist of the following space-separated fields: options keytype base64-encoded-key comment
    The options field is optional
    The comment field is not used for anything (but may be convenient for the user to identify the key)

What I often find is something like this:

    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5EYh69EeIDiVYxgy6O4fUWoxiT4cRxb8JkLdikE27a user@host

which makes it hard to find out how to contact that key owner. So I often use this format:

    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5EYh69EeIDiVYxgy6O4fUWoxiT4cRxb8JkLdikE27a user@domain.com

Currently I am thinking about a more generic format with more info which can be parsed later by Bash, Go or something else. Something like this:

    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5EYh69EeIDiVYxgy6O4fUWoxiT4cRxb8JkLdikE27a o:user1@host1|e:user1@domain.com|p:manage-vhosts|t:2024-02-21
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICebzmkN9HFcnTfcugV+8sAC1nI9itIL0uriy8lmTc7L o:user2@host2|p:manage-users

    awk '$NF ~ /^.:/ {print $NF}' ~/.ssh/authorized_keys | tr '|' '\n' | awk -F':' '/^o:/ {print "origin="$2}'
    awk '$NF ~ /^.:/ {print $NF}' ~/.ssh/authorized_keys | tr '|' '\n' | awk -F':' '/^e:/ {print "email="$2}'
    awk '$NF ~ /^.:/ {print $NF}' ~/.ssh/authorized_keys | tr '|' '\n' | awk -F':' '/^p:/ {print "purpose="$2}'
    awk '$NF ~ /^.:/ {print $NF}' ~/.ssh/authorized_keys | tr '|' '\n' | awk -F':' '/^t:/ {print "timestamp="$2}'

    origin=user1@host1
    origin=user2@host2
    email=user1@domain.com
    purpose=manage-vhosts
    purpose=manage-users
    timestamp=2024-02-21

- What do you use?
- Are there any best practices?
- Any ideas, comments? (pun intended)
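An added example (not from the post or from OpenSSH) of parsing this `k:value|k:value` comment format in Python. Unlike the `$NF` one-liners it also handles the optional options field (which may contain quoted spaces, as in `command="..."`), comments that themselves contain spaces, and rejects non-base64 key material; `without_contact` is an assumed audit helper that lists keys with no `e:` field, i.e. keys nobody can be asked about. The sample file is constructed from the keys in the post.

```python
import base64
import re
from collections import namedtuple

# Key types sshd accepts at the start of an entry; anything in front of one is the options field.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
# Options field: a run of bare tokens or double-quoted strings (with backslash escapes), then whitespace.
OPTIONS_RE = re.compile(r'^((?:[^\s"]+|"(?:[^"\\]|\\.)*")+)\s+(.*)$')
Entry = namedtuple("Entry", "options keytype key comment fields")

# Constructed sample: the two structured comments from the post, a restricted key whose
# options field holds a quoted space, and a key with only a bare user@host comment.
SAMPLE = """\
# managed keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5EYh69EeIDiVYxgy6O4fUWoxiT4cRxb8JkLdikE27a o:user1@host1|e:user1@domain.com|p:manage-vhosts|t:2024-02-21
command="/usr/bin/rsync --server",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICebzmkN9HFcnTfcugV+8sAC1nI9itIL0uriy8lmTc7L o:user2@host2|p:manage-users
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICebzmkN9HFcnTfcugV+8sAC1nI9itIL0uriy8lmTc7L user@host
"""

def parse_comment(comment):
    """Return {'o': ..., 'e': ...} when every '|'-separated segment is 'x:value', else {}."""
    segs = comment.split("|") if comment else []
    if segs and all(re.match(r"^[A-Za-z]:", s) for s in segs):
        return {s[0]: s[2:] for s in segs}
    return {}

def parse_line(line):
    """Parse one authorized_keys line into an Entry; None for blank and '#' lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:  # leading token is not a key type: options present
        m = OPTIONS_RE.match(line)
        if not m:
            raise ValueError(f"malformed entry: {line!r}")
        options, line = m.group(1), m.group(2)
    parts = line.split(None, 2)  # keytype, key, comment; the comment may itself contain spaces
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"malformed entry: {line!r}")
    base64.b64decode(parts[1], validate=True)  # reject key material that is not base64
    comment = parts[2] if len(parts) == 3 else ""
    return Entry(options, parts[0], parts[1], comment, parse_comment(comment))

def parse_file(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def without_contact(entries):  # audit helper: keys whose comment carries no e: field
    return [e for e in entries if "e" not in e.fields]
```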

Comments