Feature Request
Environment
All
Desired Feature
Ignition's model for writing SSH keys to disk assumes that update-ssh-keys is distributed as part of the OS. That is, it assumes that SSH keys should be written into ~/.ssh/authorized_keys.d/<file>, and then all files in authorized_keys.d should be merged into authorized_keys. Because Ignition carries utility code to handle the merging, doesn't invoke update-ssh-keys directly, and only runs on the first boot, the consequences of this assumption are limited: there's an extra ~/.ssh/authorized_keys.d/coreos-ignition file that mirrors what's written into .ssh/authorized_keys.
However, update-ssh-keys is a hack for supporting authorized_keys.d directories without any cooperation from sshd. It changes the workflow of updating SSH keys and isn't used on other distros; Fedora CoreOS and Red Hat CoreOS currently do not intend to ship it. Instead, in the short term, Fedora CoreOS will have special-case support for authorized_keys.d files written by individual tools, and in the medium term it will add generic support for the key directory (coreos/fedora-coreos-tracker#139 (comment)).
Change the Ignition master branch as follows:
authorized_keys.d fragment into authorized_keys. Instead, only write the fragment file.
.ssh/authorized_keys via the distro package for distros that don't want to support authorized_keys.d.
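A check for the fragment-versus-merged-file relationship the request above describes, as an added example that is not part of the issue and is not Ignition or update-ssh-keys code: it reports fragment keys that never reached authorized_keys and authorized_keys entries that no fragment accounts for. The names `Audit` and `keyLines` are hypothetical, the keys are constructed, and it assumes a merge copies fragment lines verbatim.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// keyLines returns the non-blank, non-comment lines of an authorized_keys-style file.
func keyLines(text string) []string {
	var out []string
	for _, l := range strings.Split(text, "\n") {
		if l = strings.TrimSpace(l); l != "" && !strings.HasPrefix(l, "#") {
			out = append(out, l)
		}
	}
	return out
}

// Audit compares fragments (file name -> contents) with authorized_keys contents.
// missing: fragment entries absent from authorized_keys; unmanaged: entries in
// authorized_keys that no fragment accounts for. Assumption: lines merge verbatim.
func Audit(fragments map[string]string, merged string) (missing, unmanaged []string) {
	inMerged, inFrag := map[string]bool{}, map[string]bool{}
	for _, k := range keyLines(merged) {
		inMerged[k] = true
	}
	for name, text := range fragments {
		for _, k := range keyLines(text) {
			inFrag[k] = true
			if !inMerged[k] {
				missing = append(missing, name+": "+k)
			}
		}
	}
	for _, k := range keyLines(merged) {
		if !inFrag[k] {
			unmanaged = append(unmanaged, k)
		}
	}
	sort.Strings(missing) // map iteration order is random; keep output stable
	return missing, unmanaged
}

func main() {
	// Constructed sample: the Ignition fragment was written but never merged.
	frags := map[string]string{"coreos-ignition": "ssh-ed25519 AAAAexampleA core@example\n"}
	missing, unmanaged := Audit(frags, "# constructed\nssh-ed25519 AAAAexampleB admin@example\n")
	fmt.Printf("missing from authorized_keys: %q\nno fragment: %q\n", missing, unmanaged)
}
```

To run it against a real account, pass the contents of each file under ~/.ssh/authorized_keys.d as the map and the contents of ~/.ssh/authorized_keys as the second argument.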