Use ssh key internal api to build the authorized-keys command on openssh 6.9
Relates to https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/250 and partially solves gitlab-com/operations#99 (closed)
This adds a script that will be called from openssh using the AuthorizedKeysCommand feature, which will send the ssh key that the user provided.
Security-wise, openssh will only run this command when it has parsed a valid RSA or DSA key; it is going to encode it to base64 and only then call the command provided, sending the key as an argument. I haven't found a way of skipping this unless you proactively configure openssh wrongly.
The result of this call is to print the same line we are currently writing to the authorized_keys file, so the rest of the security validations will just happen as they happen now. We just drop the need to go through the whole authorized_keys file as we do now.
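
The flow described above, as an added example that is not taken from the merge request or from gitlab-shell: sshd passes the key type and base64 blob as arguments, and the command prints one authorized_keys line or nothing. The paths, the function names, and the `KNOWN_KEYS` table (a constructed stand-in for the internal API lookup) are assumptions.

```ruby
# Added example, not gitlab-shell code. Assumed sshd_config (hypothetical path):
#   AuthorizedKeysCommand /opt/example/authorized-keys-check %t %k
#   AuthorizedKeysCommandUser git
# %t = key type, %k = base64 key blob (argument tokens exist from OpenSSH 6.9).
require "base64"

# Build a constructed sample blob: SSH wire format starts with a
# length-prefixed key type string, followed by the key material.
def sample_blob(type, body)
  Base64.strict_encode64([type.bytesize].pack("N") + type + body)
end

# Constructed stand-in for the internal API: key blob => key id.
KNOWN_KEYS = { sample_blob("ssh-rsa", "constructed-sample-key-material") => 42 }.freeze
ALLOWED_TYPES = %w[ssh-rsa ssh-dss].freeze # RSA or DSA, as the description states
SHELL_PATH = "/opt/example/gitlab-shell/bin/gitlab-shell" # assumed path
OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"

# Return the key type embedded in the blob, or nil if the blob is malformed.
def blob_type(key_b64)
  raw = Base64.strict_decode64(key_b64)
  len = raw.unpack1("N")
  return nil if len.nil? || len > raw.bytesize - 4
  raw[4, len]
rescue ArgumentError # not valid base64
  nil
end

# Return the authorized_keys line for a known key, or nil to deny it.
def authorized_keys_line(key_type, key_b64, lookup = KNOWN_KEYS)
  return nil unless ALLOWED_TYPES.include?(key_type)
  # Defence in depth: the declared type must match the type inside the blob.
  return nil unless blob_type(key_b64) == key_type
  key_id = lookup[key_b64]
  return nil unless key_id
  %(command="#{SHELL_PATH} key-#{key_id}",#{OPTIONS} #{key_type} #{key_b64})
end

if __FILE__ == $PROGRAM_NAME
  line = authorized_keys_line(ARGV[0].to_s, ARGV[1].to_s)
  puts line if line # no output means sshd finds no matching key
end
```

Because the command receives attacker-supplied input before authentication completes, the script treats both arguments as untrusted and emits only a line it built itself from the looked-up key id.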