[SiliconAlley]

I promised I would ask this next time there was a Flynn post. Having tried to hack a PaaS like this with git "push-to-deploy" functionality, one of the most problematic components to implement was SSH authentication. Getting a workable but unscalable solution was easy by just writing "forced command" entries to the ~/.ssh/authorized_keys file, but getting a scalable solution seemed to require hacking OpenSSHd to check public keys against a database (this is what github does, and requires patching and recompiling OpenSSHd). How is Flynn doing key lookup for the push-to-deploy?

[Titanous]

There are three options:

1) Change authorized_keys after each user modification.

2) Use OpenSSH with a custom PAM module or patch that does database lookups.

3) Use an SSH library to implement a custom server that only handles git pushes and does database lookups.

We have not decided which method to use yet.

[gklein]

You have some other options to solve that: - SSH Key management with SKM - SSH Key DB - Openssh LPK (SSH Patch that supports LDAP) - Openssh Ldap Publickey

I believe that Openssh Ldap Publickey is one of the best options cause it does not require any patches or file syncing and it keeps the public keys in a central LDAP server.

1. https://sites.google.com/site/jeromeboismartel/code-s-corner... 2. https://code.google.com/p/ssh-keydb/ 3. https://code.google.com/p/openssh-lpk/ 4. https://github.com/AndriiGrytsenko/openssh-ldap-publickey

[SiliconAlley]

When I was doing this, I was leaning toward going the 3rd approach, but it seemed a really momentous undertaking. That would definitely be a boon to the future of PaaS projects though, because it seems like OpenSSH doesn't really have the use-case in mind, plus I hate the idea of hacking something as fundamental as OpenSSH on my machine to do development work on a single project