Browse files

allow non-gitolite keys to have options/command, etc

Apparently, ssh-keygen can take fingerprints of entire authkeys files
also.  This is totally undocumented.

Since 'man ssh-keygen' only says: "Show fingerprint of specified public
key file." and makes no mention of authorized_keys files, I had assumed
that it treated a file containing this

    command="/usr/bin/backup" ssh-rsa .....

(i.e., a non-gitolite key that nevertheless contains a command) as just
a special type of pubkey file.  This meant, to me, that the presence or
absence of a newline should not matter, because *without* the 'command='
it certainly doesn't.

But what's actually happening is that it is treating this as an
authorized_keys file, and in *that* mode, it requires a newline.

I still don't see why it should require a newline as a *terminator*;
having it as a *separator* should be sufficient, but it's pointless to
argue about that when the feature itself is undocumented.

Wizmaster (code at wizmaster at fr) had to dig into the openssh source
code to figure this out and explain it to me.
  • Loading branch information...
1 parent 293df79 commit a1aba93b6080fa2406ab73a9d88c5f0925bfeeee @sitaramc committed Feb 18, 2013
Showing with 1 addition and 1 deletion.
  1. +1 −1 src/triggers/post-compile/ssh-authkeys
2 src/triggers/post-compile/ssh-authkeys
@@ -121,7 +121,7 @@ sub fp_file {
sub fp_line {
my ( $fh, $fn ) = tempfile();
- print $fh shift;
+ print $fh shift . "\n";
close $fh;
my $fp = fp_file($fn);
unlink $fn;

0 comments on commit a1aba93

Please sign in to comment.