On 3/8/06, stephen pierce wrote:
> I want to control access to my machines via public keys. I'm
> implanting the private key in a smartcard-like token, and giving the
> tokens to people for access. They'll use the tokens like smartcards,
> and ssh-agent can use those RSA keys on the tokens.
> However, I don't want people to authorize other public keys (i.e., not
> on physical tokens) after they've logged in.
> How do I configure openssh so that it'll permit a public key for a
> user, without giving the user the opportunity to change/add public
> keys to the authorized list?

You can modify the sshd_config to make sshd look for the keys in a
location where only root has write permissions.

AuthorizedKeysFile /etc/ssh/authorized_keys/%u
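
The setting above only helps if nothing under that directory can be modified by the users themselves. As an added example (not part of the original reply), the following shell function audits such a directory; the function name audit_authkeys and its optional OWNER argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a central AuthorizedKeysFile directory such as
# /etc/ssh/authorized_keys (the path from the sshd_config line above).
#
# audit_authkeys DIR [OWNER]
#   Prints every path in DIR (DIR itself included) that someone other
#   than OWNER could modify, and returns 1 if any were found.
#   OWNER defaults to root; the argument is an assumption of this example
#   so the check can be exercised on a scratch directory without root.
audit_authkeys() {
    dir=$1
    owner=${2:-root}

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Flag anything that is:
    #   - not owned by OWNER (the owner can always chmod and rewrite it),
    #   - group-writable or world-writable,
    #   - a symlink (its target may live somewhere a user can write).
    bad=$(find "$dir" \( ! -user "$owner" -o -perm -020 -o -perm -002 \
                         -o -type l \) -print)

    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Run directly as: sh audit.sh /etc/ssh/authorized_keys
if [ $# -gt 0 ]; then
    audit_authkeys "$@"
fi
```

The check does not walk the parent directories; those must also be writable only by root, since write access to a parent allows the key directory to be renamed and replaced. On current OpenSSH releases, `sshd -T` prints the effective AuthorizedKeysFile value.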