Update README

* Some other minor updates

README.md

@@ -1,11 +1,21 @@
-# SSH Controls
+<p align="center"><img src="logo.png" alt="SSH Controls Logo"></p>
+
+## What's new
+
+:loudspeaker: **25/07/2025**:
+* added the creation of the `$HOME/.ssh` directory when running as `root`.
+
+## About
+
 SSH Controls is a light-weight SSH **public key** distribution & management framework
 
-* uses a **desired state** model: SSH Controls pushes public keys from a key master server onto client host and applies them according to the central configuration.
+* uses a **desired state** model: SSH Controls *pushes* public keys from a key master (or slave) server onto client host(s) and applies them according to the central configuration.
 
 * uses **SSH** as **transport** mechanism: eat your own dog food. SSH Controls connects to client hosts through the secure path of SSH and using a public key that is under its own control.
 
-* **shields** public keys from owners/users on client systems: SSH Controls requires the standard sshd_config to be reconfigured with an alternate path for the AuthorizedKeysFile setting so that public keys are stored in common location which cannot be manipulated by the owners of the public keys. This allows for more administrative control and better security. 
+* supports a **Master→Slave→Client** model so that information can be propagated within more complex LAN set-ups.
+
+* can **shield** public keys from owners/users on client systems: SSH Controls may require the standard `sshd_config` to be reconfigured with an alternate path for the `AuthorizedKeysFile` setting so that public keys are stored in common location which cannot be manipulated by the owners of the public keys. This allows for more administrative control and better security.
 
 * performs operations with **least privileges**: copy/distribute operations are performed with a low-privileged account. Only the actual key updates requires super-user privileges which need to be configured via SUDO.
 
@@ -13,10 +23,16 @@ SSH Controls is a light-weight SSH **public key** distribution & management fram
 
 * can assign a single public key to **multiple** OS accounts: SSH Controls allows an user to log on under multiple accounts using the same key. Auditing of the connecting user and the target account is possible using fingerprinting.
 
-* allows the use of (nested) **groups** in the master configuration: users, keys and hosts can be grouped in the SSH master configuration files to allow a simplified configuration. Nesting of groups is allowed up to one level deep.
+* allows the use of (nested) **groups** in the master configuration: users, keys and hosts can be grouped in the SSH master configuration files to allow a simplified configuration. Nesting of groups is allowed up to *5 levels* deep.
+
+* allows the use of (nested) **groups** in the specification of the *push* targets. Either via the `--targets` command-line parameter or via the `targets` configuration file.
 
 * allows compromised public keys to be **blacklisted**: SSH Controls will deny the use of public keys that have been administrative blacklisted. Blacklisting happens on the SSH master and is applied to all client hosts.
 
+* can discover host public keys to (re)create `known_hosts` file(s) for a large amount of hosts
+
+* supports *md5* and *sha512* fingerprint **hashes** (if the installed SSH version supports these hash types)
+
 * requires **no client agent** component and is **stateless**: SSH Controls performs operations by pushing keys or commands to client hosts. Update processes on the client hosts will only be started on-demand. If the SSH master is - for whatever reason - unavailable then active keys on a client host remain in place and logons are still possible.
 
 * is **easy** to **configure** and **maintain** (command-line based): the configuration is stored in a limited number of flat files and be easily updated. A very rudimentary syntax checking facility is also available to check the consistency of the most important (master) configuration files.
@@ -26,6 +42,6 @@ SSH Controls does NOT:
 
 * manage or distribute SSH **private keys**: SSH private keys should be controlled and managed (and safeguarded!) by the actual owners. Though one could consider SSH key pairs of generic accounts (such as application accounts) as an exception, SSH Controls currently does not support the management of private keys.
 
-* discover SSH **host keys**: SSH Controls will silently ignore any questions related to host keys discoveries upon the first connection to client hosts. If you are managing a large number of client hosts, you may want to prepare a known_hosts file in advance or else let the host keys be added automatically upon first public key distribution.
+More documentation can be found at <https://www.kudos.be/ssh_controls/>
 
-More documentation can be found at http://www.kudos.be/Projects/SSH_Controls.html
+*Logo created with [Free Logo Maker](https://logomakr.com)*

convert_pubkey.pl

@@ -2,7 +2,7 @@
 #******************************************************************************
 # @(#) convert_pubkey.pl
 #******************************************************************************
-# @(#) Copyright (C) 2014 by KUDOS BVBA <info@kudos.be>.  All rights reserved.
+# @(#) Copyright (C) 2014 by KUDOS BV <info@kudos.be>.  All rights reserved.
 #
 # This program is a free software; you can redistribute it and/or modify
 # it under the same terms of the GNU General Public License as published by
@@ -29,7 +29,7 @@ use Pod::Usage;
 
 # ------------------------- CONFIGURATION starts here -------------------------
 # define the V.R.F (version/release/fix)
-my $MY_VRF = "1.0.0";
+my $script_version = "2025-04-27";
 # always assume RSA keys!
 my $key_algo = 'ssh-rsa';
 # ------------------------- CONFIGURATION ends here --------------------------- 
@@ -62,7 +62,7 @@ pod2usage(-verbose => 0) unless (%options);
       
 # check version parameter
 if ($options{'version'}) {
-    print "INFO: $0: version $MY_VRF";
+    print "INFO: $0: version $script_version";
     exit (0);
 }
 # check help parameter
@@ -194,8 +194,4 @@ S<       >Show version of the script.
 
 =head1 AUTHOR
 
-(c) KUDOS BVBA, Patrick Van der Veken
-
-=head1 HISTORY
-
-@(#) 2014-12-20: VRF 1.0.0: first version [Patrick Van der Veken]
+(c) KUDOS BV, Patrick Van der Veken

manage_ssh.conf

@@ -13,17 +13,17 @@
 # (leave blank for current user)
 SSH_TRANSFER_USER=""
 
-# name of the OS group that should own the SSH controls files
+# name of the UNIX group that should own the SSH controls files (must exist already)
 SSH_OWNER_GROUP="sshadmin"
 
-# whether a 'chmod' needs to be executed after each sftp transfer [0=Yes; 1=No]
-DO_SFTP_CHMOD=0
+# whether a 'chmod' needs to be executed after each sftp transfer [0=No; 1=Yes]
+DO_SFTP_CHMOD=1
 
 # extra arguments/options for the SFTP command
-SFTP_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -b - "
+SFTP_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -o BatchMode=yes -b - "
 
 # extra arguments/options for the SSH command
-SSH_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -n"
+SSH_ARGS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -o BatchMode=yes -n"
 
 # location of the local SSH controls directory
 LOCAL_DIR="/etc/ssh_master"
@@ -32,12 +32,27 @@ LOCAL_DIR="/etc/ssh_master"
 REMOTE_DIR="/etc/ssh_controls/holding"
 
 # name of the user account performing the SSH controls update
-# (leave blank for current user but user should have remote sudo root privs)
+# (leave blank for current user running script)
+# user should have remote sudo root privs (except when using user 'root')
 SSH_UPDATE_USER=""
 
 # options to pass to update_ssh.pl when executing a key update
 SSH_UPDATE_OPTS="--verbose --remove"
 
+# path to the ssh-keyscan too
+SSH_KEYSCAN_BIN="/usr/bin/ssh-keyscan"
+
+# extra arguments/options for the ssh-keyscan command
+# by default -f <file> is used by manage_sudo.sh to supply hostnames, do not add here
+SSH_KEYSCAN_ARGS="-t rsa"
+
+# whether to start an SSH agent process for the master->client operations [0=No; 1=Yes]
+DO_SSH_AGENT=0
+
+# location of the SSH private key that should be added to the SSH agent process
+# must be a passphrase-less key (required when using DO_SSH_AGENT)
+SSH_PRIVATE_KEY="$HOME/.ssh/id_rsa"
+
 # maximum number of background process to spawn (~maxuprc, ~nstrpty etc)
 MAX_BACKGROUND_PROCS=30
 
@@ -47,6 +62,10 @@ BACKUP_DIR="${LOCAL_DIR}/backup"
 # location of log directory (default), see --log-dir)
 LOG_DIR="/var/log"
 
+# type of fingerpint (md5, sha256)
+FINGERPRINT_TYPE="md5"
+
+
 #******************************************************************************
 # End of FILE
 #******************************************************************************

update_ssh.conf

@@ -12,11 +12,22 @@
 # use short hostnames or FQDN (0=short names; 1=FQDN) [default: 0]
 use_fqdn=1
 
+# ignore errors during key deployment (0=no; 1=yes [default: 0])
+ignore_errors=0
+
 # target directory for allowed SSH key files
-access_dir=/etc/kudos/ssh_controls/keys.d
+access_dir=/etc/ssh_controls/keys.d
+
+# toggle to specify the final location of public keys by allowing to override
+# the value of $access_dir with the 'AuthorizedKeysFile' in sshd (=enables the
+# use of $HOME/.ssh for public keys for example):
+#   'use_controls': take the value from the configured 'access_dir' option
+#   'use_sshd'    : use the value from 'AuthorizedKeysFile' setting in sshd
+# [default: use_controls]
+key_location=use_controls
 
 # location of the keys blacklist file
-blacklist_file=/etc/kudos/ssh_controls/keys.blacklisted
+blacklist_file=/etc/ssh_controls/keys.blacklisted
 
 #******************************************************************************
 # End of FILE

update_ssh.pl

@@ -2,7 +2,7 @@
 #******************************************************************************
 # @(#) update_ssh.pl
 #******************************************************************************
-# @(#) Copyright (C) 2014 by KUDOS BVBA <info@kudos.be>.  All rights reserved.
+# @(#) Copyright (C) 2014 by KUDOS BV <info@kudos.be>.  All rights reserved.
 #
 # This program is a free software; you can redistribute it and/or modify
 # it under the same terms of the GNU General Public License as published by
@@ -41,23 +41,34 @@ use Pod::Usage;
 #******************************************************************************
 
 # ------------------------- CONFIGURATION starts here -------------------------
-# define the V.R.F (version/release/fix)
-my $MY_VRF = "1.2.0";
+# define the version (YYYY-MM-DD)
+my $script_version = "2025-07-25";
 # name of global configuration file (no path, must be located in the script directory)
 my $global_config_file = "update_ssh.conf";
 # name of localized configuration file (no path, must be located in the script directory)
 my $local_config_file = "update_ssh.conf.local";
+# maxiumum level of recursion for alias resolution
+my $max_recursion = 5;
 # selinux context labels of key files for different RHEL version
 my %selinux_contexts = ( '5' => 'sshd_key_t',
                          '6' => 'ssh_home_t',
-                         '7' => 'ssh_home_t');
+                         '7' => 'ssh_home_t',
+                         '8' => 'ssh_home_t',
+                         '9' => 'ssh_home_t',
+                         '10' => 'ssh_home_t');
+# disallowed paths for home directories for accounts
+my @disallowed_homes = ('/', '/etc', '/bin', '/sbin', '/usr/bin', '/usr/sbin');
+# disallowed login shells for @accounts
+my @disallowed_shells = ('/bin/nologin','/bin/false','/sbin/nologin','/sbin/false');
+# default toggle for key location
+my $key_location='use_controls';
 # ------------------------- CONFIGURATION ends here ---------------------------
 # initialize variables
-my ($debug, $verbose, $preview, $remove, $global, $use_fqdn) = (0,0,0,0,0,0);
+my ($debug, $verbose, $preview, $remove, $global, $use_fqdn, $ignore_errors) = (0,0,0,0,0,0,0);
 my (@config_files, @zombie_files, $access_dir, $blacklist_file);
 my (%options, @uname, @pwgetent, @accounts, %aliases, %keys, %access, @blacklist);
-my ($os, $hostname, $run_dir);
-my ($selinux_status, $selinux_context, $linux_version, $has_selinux) = ("","","",0);
+my ($os, $hostname, $run_dir, $authorizedkeys_option);
+my ($selinux_status, $selinux_context, $linux_version, $has_selinux, $recursion_count) = ("","","",0,1);
 $|++;
 
 
@@ -87,7 +98,7 @@ sub parse_config_file {
     my $config_file = shift;
 
     unless (open (CONF_FD, "<", $config_file)) {
-        do_log ("ERROR: failed to open the configuration file ${config_file} [$! $hostname]")
+        do_log ("ERROR: failed to open the configuration file ${config_file} [$!/$hostname]")
         and exit (1);
     }
     while (<CONF_FD>) {
@@ -96,14 +107,25 @@ sub parse_config_file {
         if (/^\s*$/ || /^#/) {
             next;
         } else {
-            if (/^\s*use_fqdn\s*=\s*([0-9]+)\s*$/) {
+            if (/^\s*use_fqdn\s*=\s*(0|1)\s*$/) {
                 $use_fqdn = $1;
                 do_log ("DEBUG: picking up setting: use_fqdn=${use_fqdn}");
             }
+            if (/^\s*ignore_errors\s*=\s*(0|1)\s*$/) {
+                $ignore_errors = $1;
+                do_log ("DEBUG: picking up setting: ignore_errors=${ignore_errors}");
+            }
             if (/^\s*access_dir\s*=\s*([0-9A-Za-z_\-\.\/~]+)\s*$/) {
                 $access_dir = $1;
                 do_log ("DEBUG: picking up setting: access_dir=${access_dir}");
             }
+            if (/^\s*key_location\s*=\s*(use_controls|use_sshd)\s*/) {
+                $key_location = $1;
+                do_log ("DEBUG: picking up setting: key_location=${key_location}");
+                if ($key_location eq 'use_sshd') {
+                    do_log ("DEBUG: applied setting: key_location=${key_location}");
+                }
+            }
             if (/^\s*blacklist_file\s*=\s*([0-9A-Za-z_\-\.\/~]+)\s*$/) {
                 $blacklist_file = $1;
                 # support tilde (~) expansion for ~root
@@ -148,12 +170,24 @@ sub set_file {
 
     my ($file, $perm, $uid, $gid) = @_;
 
-    chmod ($perm, "$file") 
-        or do_log ("ERROR: cannot set permissions on $file [$! $hostname]")
-        and exit (1);
-    chown ($uid, $gid, "$file")
-        or do_log ("ERROR: cannot set ownerships on $file [$! $hostname]")
-        and exit (1);   
+    my $rc = chmod ($perm, "$file");
+    if (!$rc) {
+        if ($ignore_errors) {
+            do_log ("ERROR: cannot set permissions on $file [$!/$hostname] -- IGNORED");
+        } else {
+            do_log ("ERROR: cannot set permissions on $file [$!/$hostname]");
+            exit (1);
+        }
+    }
+    my $rc = chown ($uid, $gid, "$file");
+    if (!$rc) {
+        if ($ignore_errors) {
+            do_log ("ERROR: cannot set ownerships on $file [$!/$hostname] -- IGNORED");
+        } else {
+            do_log ("ERROR: cannot set ownerships on $file [$!/$hostname]");
+            exit (1);
+        }
+    }
 
     return (1);
 }
@@ -174,6 +208,7 @@ if ( @ARGV > 0 ) {
                 debug|d
                 help|h|?
                 global|g
+                ignore|i
                 preview|p
                 remove|r
                 verbose|v
@@ -185,7 +220,7 @@ pod2usage(-verbose => 0) unless (%options);
 # check version parameter
 if ($options{'version'}) {
     $verbose = 1;
-    do_log ("INFO: $0: version $MY_VRF");
+    do_log ("INFO: $0: version $script_version");
     exit (0);
 }
 # check help parameter
@@ -197,6 +232,10 @@ if ($options{'help'}) {
 if ($options{'global'}) {
     $global = 1;
 }
+# check ignore parameter
+if ($options{'ignore'}) {
+    $ignore_errors = 1;
+}
 # check preview parameter
 if ($options{'preview'}) {
     $preview = 1;
@@ -226,7 +265,7 @@ $verbose = 1 if ($options{'verbose'});
 
 # where am I? (1/2)
 $0 =~ /^(.+[\\\/])[^\\\/]+[\\\/]*$/;
-my $run_dir = $1 || ".";
+$run_dir = $1 || ".";
 $run_dir =~ s#/$##;     # remove trailing slash
 
 # don't do anything without configuration file(s)
@@ -243,31 +282,20 @@ foreach my $config_file (@config_files) {
     parse_config_file ($config_file);
 }
 
-# is the target directory for keys present? (not for global preview)
-unless ($preview and $global) {
-    do_log ("INFO: checking for SSH control mode ...");
+# is the target directory for keys present? (not for global preview and
+# not when $key_location is use_sshd)
+unless (($preview and $global) or $key_location eq 'use_sshd') {
+    do_log ("INFO: checking for SSH controls mode ...");
     if (-d $access_dir) {
-        do_log ("INFO: host is under SSH control via $access_dir");
+        do_log ("INFO: host is under SSH controls via $access_dir");
+    } else {
+        if ($key_location eq 'use_sshd') {
+            do_log ("INFO: skipped check since public key location is determined by sshd [$hostname]")
         } else {
             do_log ("ERROR: host is not under SSH keys only control [$hostname]")
             and exit (1);
         }
     }
-
-# do we have a blacklist file? (optional) (not for global preview)
-unless ($preview and $global) {
-    do_log ("INFO: checking for keys blacklist file ...");
-    if (-f $blacklist_file) {
-        open (BLACKLIST, "<", $blacklist_file) or \
-            do_log ("ERROR: cannot read keys blacklist file [$! $hostname]") 
-                and exit (1);
-        @blacklist = <BLACKLIST>;
-        close (BLACKLIST);
-        do_log ("INFO: keys blacklist file found with ".scalar (@blacklist)." entr(y|ies) on $hostname");
-        print Dumper (\@blacklist) if $debug;
-    } else {
-        do_log ("WARN: no keys blacklist file found [$hostname]");  
-    }
 }
 
 # what am I?
@@ -289,6 +317,49 @@ if ($use_fqdn) {
 
 do_log ("INFO: runtime info: ".getpwuid ($<)."; ${hostname}\@${run_dir}; Perl v$]");
 
+# -----------------------------------------------------------------------------
+# handle blacklist file
+# -----------------------------------------------------------------------------
+
+# do we have a blacklist file? (optional) (not for global preview)
+unless ($preview and $global) {
+    do_log ("INFO: checking for keys blacklist file ...");
+    if (-f $blacklist_file) {
+        open (BLACKLIST, "<", $blacklist_file) or \
+            do_log ("ERROR: cannot read keys blacklist file [$!/$hostname]")
+                and exit (1);
+        @blacklist = <BLACKLIST>;
+        close (BLACKLIST);
+        do_log ("INFO: keys blacklist file found with ".scalar (@blacklist)." entr(y|ies) on $hostname");
+        print Dumper (\@blacklist) if $debug;
+    } else {
+        do_log ("WARN: no keys blacklist file found [$hostname]");
+    }
+}
+
+# -----------------------------------------------------------------------------
+# resolve and check key location
+# -----------------------------------------------------------------------------
+if ($key_location eq 'use_sshd') {
+
+    # get sshd setting but only take 1st path into account
+    $authorizedkeys_option = qx#sshd -T | grep "authorizedkeysfile" 2>/dev/null | cut -f2 -d' '#;
+    chomp ($authorizedkeys_option);
+    if (defined ($authorizedkeys_option)) {
+        do_log ("INFO: AuthorizedkeysFile resolves to $authorizedkeys_option [$hostname]");
+    } else {
+        do_log ("ERROR: unable to get AuthorizedkeysFile value from sshd [$hostname]")
+        and exit (1);
+    }
+} else {
+    # for SSH controls native logic we require an absolute path
+    if ($authorizedkeys_option =~ /^\//) {
+        do_log ("ERROR: option \$access_dir requires and absolute path [$hostname]")
+        and exit (1);
+    }
+    do_log ("DEBUG: applied default setting: key_location=${key_location}");
+}
+
 # -----------------------------------------------------------------------------
 # collect user accounts via getpwent()
 # result: @accounts
@@ -310,14 +381,14 @@ do_log ("INFO: ".scalar (@accounts)." user accounts found on $hostname");
 print Dumper (\@accounts) if $debug;
 
 # -----------------------------------------------------------------------------
-# read aliases for teams, servers and users
+# read aliases for teams, servers and users (and resolve group definitions)
 # result: %aliases
 # -----------------------------------------------------------------------------
 
 do_log ("INFO: reading 'alias' file ...");
 
 open (ALIASES, "<", "${run_dir}/alias")
-    or do_log ("ERROR: cannot read 'alias' file [$! $hostname]") and exit (1);
+    or do_log ("ERROR: cannot read 'alias' file [$!/$hostname]") and exit (1);
 while (<ALIASES>) {
 
     my ($key, $value, @values);
@@ -334,13 +405,45 @@ close (ALIASES);
 do_log ("DEBUG: dumping unexpanded aliases:");
 print Dumper (\%aliases) if $debug;
 
-# we can nest aliases one level deep, so do a one-level recursive sort of lookup
-# of the remaining '@' aliases. Input should be passed as comma-separated
-# string to resolve_aliases so don't forget to smash everything back together
-# first.
+# resolve aliases recursively to a maxium of $max_recursion
+while ($recursion_count <= $max_recursion) {
+    # crawl over all items in the hash %aliases
     foreach my $key (keys (%aliases)) {
-
-    $aliases{$key} = [resolve_aliases (join (",", @{$aliases{$key}}))]; 
+        # crawl over all items in the array @{aliases{$key}}
+        my @new_array; my @filtered_array;  # these are the working stashes
+        do_log ("DEBUG: expanded alias $key before recursion $recursion_count [$hostname]");
+        print Dumper (\@{$aliases{$key}}) if $debug;
+        foreach my $item (@{$aliases{$key}}) {
+            # is it a group?
+            if ($item =~ /^\@/) {
+                # expand the group if it exists
+                if ($aliases{$item}) {
+                    # add current and new items to the working stash
+                    if (@new_array) {
+                        push (@new_array, @{$aliases{$item}});
+                    } else {
+                        @new_array = (@{$aliases{$key}}, @{$aliases{$item}});
+                    }
+                    # remove the original group item from the working stash
+                    @filtered_array = grep { $_ ne $item } @new_array;
+                    @new_array = @filtered_array;
+                } else {
+                    do_log ("WARN: unable to resolve alias $item [$hostname]");
+                }
+            # no group, just add the item as-is to working stash
+            } else {
+                push (@new_array, $item);
+            }
+        }
+        # filter out dupes
+        my %seen;
+        @filtered_array = grep { not $seen{$_}++ } @new_array;
+        # re-assign working stash back to our original hash key
+        @{$aliases{$key}} = @filtered_array;
+        do_log ("DEBUG: expanded alias $key after recursion $recursion_count [$hostname]");
+        print Dumper (\@{$aliases{$key}}) if $debug;
+    }
+    $recursion_count++;
 }
 
 do_log ("INFO: ".scalar (keys (%aliases))." aliases found on $hostname");
@@ -364,7 +467,7 @@ if (-d "${run_dir}/keys.d" && -f "${run_dir}/keys") {
 if (-d "${run_dir}/keys.d") {
     do_log ("INFO: local 'keys' are stored in a DIRECTORY on $hostname");
     opendir (KEYS_DIR, "${run_dir}/keys.d")
-        or do_log ("ERROR: cannot open 'keys.d' directory [$! $hostname]") 
+        or do_log ("ERROR: cannot open 'keys.d' directory [$!/$hostname]")
         and exit (1);
     while (my $key_file = readdir (KEYS_DIR)) {
         next if ($key_file =~ /^\./);
@@ -382,7 +485,7 @@ if (-d "${run_dir}/keys.d") {
 # process 'keys' files
 foreach my $key_file (@key_files) {
     open (KEYS, "<", $key_file)
-        or do_log ("ERROR: cannot read 'keys' file [$! $hostname]") and exit (1);
+        or do_log ("ERROR: cannot read 'keys' file [$!/$hostname]") and exit (1);
     do_log ("INFO: reading public keys from file: $key_file");
     while (<KEYS>) {
 
@@ -420,7 +523,7 @@ print Dumper(\%keys) if $debug;
 do_log ("INFO: reading 'access' file ...");
 
 open (ACCESS, "<", "${run_dir}/access")
-    or do_log ("ERROR: cannot read 'access' file [$! $hostname]") and exit (1);
+    or do_log ("ERROR: cannot read 'access' file [$!/$hostname]") and exit (1);
 while (<ACCESS>) {
 
     my ($who, $where, $what, @who, @where, @what);
@@ -473,7 +576,7 @@ if ($preview && $global) {
     do_log ("INFO: display GLOBAL configuration ....");
 
     open (ACCESS, "<", "${run_dir}/access")
-        or do_log ("ERROR: cannot read 'access' file [$! $hostname]") and exit (1);
+        or do_log ("ERROR: cannot read 'access' file [$!/$hostname]") and exit (1);
     while (<ACCESS>) {
 
         my ($who, $where, $what, @who, @where, @what);
@@ -508,7 +611,8 @@ if ($preview && $global) {
 }
 
 # -----------------------------------------------------------------------------
-# distribute keys into authorized_keys files in $access_dir
+# distribute keys into authorized_keys files
+# (defined by $key_location and/or $access_dir)
 # -----------------------------------------------------------------------------
 
 do_log ("INFO: applying SSH access rules ....");
@@ -544,6 +648,18 @@ unless ($preview) {
                         $linux_version = 7;
                         last SWITCH_RELEASE;
                     };
+                    $release_string =~ m/release 8/i && do {
+                        $linux_version = 8;
+                        last SWITCH_RELEASE;
+                    };
+                    $release_string =~ m/release 9/i && do {
+                        $linux_version = 9;
+                        last SWITCH_RELEASE;
+                    };
+                    $release_string =~ m/release 10/i && do {
+                        $linux_version = 8;
+                        last SWITCH_RELEASE;
+                    };
                 }
             }
             # use fall back in case we cannot determine the version
@@ -565,17 +681,62 @@ unless ($preview) {
 
 # only add authorized_keys for existing accounts,
 # otherwise revoke access if needed
-foreach my $account (sort (@accounts)) {
+SET_KEY: foreach my $account (sort (@accounts)) {
 
-    my $access_file = "$access_dir/$account";
+    my ($access_file, $authorizedkeys_file, $uid, $gid, $home_dir, $login_shell) = (undef, undef, undef, undef, undef, undef);
+
+    # set $access_file when using SSH controls logic
+    if ($key_location eq 'use_sshd' and defined ($authorizedkeys_option)) {
+        # use sshd logic (replacing %u,%h, %%)
+        $authorizedkeys_file = $authorizedkeys_option;
+        $authorizedkeys_file =~ s/%u/$account/g;
+        $authorizedkeys_file =~ s/%h/$hostname/g;
+        $authorizedkeys_file =~ s/%%/%/g;
+        # check relative path (assume $HOME needs to be added)
+        if ($authorizedkeys_file !~ /^\//) {
+            ($uid, $gid, $home_dir, $login_shell) = (getpwnam($account))[2,3,7,8];
+            # do not accept invalid $HOME or shells
+            if (defined ($home_dir)) {
+                if (grep( /^$home_dir$/, @disallowed_homes) or grep( /^$login_shell/, @disallowed_shells)) {
+                    do_log ("DEBUG: invalid HOME or SHELL for $account [$hostname]");
+                    next SET_KEY;
+                } else {
+                    $authorizedkeys_file = $home_dir."/".$authorizedkeys_file;
+                    do_log ("DEBUG: adding $home_dir to public key path for $account [$hostname]");
+                }
+            } else {
+                do_log ("ERROR: unable to get HOME for $account [$hostname]");
+                next SET_KEY;
+            }
+        }
+        $access_file = $authorizedkeys_file;
+    } else {
+        # use native SSH controls logic
+        $access_file = "$access_dir/$account";
+    }
+    do_log ("DEBUG: public key location for $account resolves to $access_file [$hostname]");
 
     # only add authorised_keys if there are access definitions
     if ($access{$account}) {
 
         unless ($preview) {
+            # create $HOME/.ssh if needed but only when we are root            
+            if ($key_location eq 'use_sshd' and defined ($authorizedkeys_option)) {
+                if ($> == 0) {
+                    if (! -d "$home_dir/.ssh") {
+                        mkdir ("$home_dir/.ssh", 0700)
+                            or do_log "ERROR: failed to create the $home_dir/.ssh directory [$!/$hostname]"
+                            and next SET_KEY;
+                        chown ($uid, $gid, "$home_dir/.ssh")
+                            or do_log "ERROR: failed to set onwerships on the $home_dir/.ssh directory [$!/$hostname]"
+                            and next SET_KEY;
+                        do_log ("DEBUG: created directory $home_dir/.ssh for $account [$hostname]");                    
+                    }
+                }
+            }
             open (KEYFILE, "+>", $access_file)
-                or do_log ("ERROR: cannot open file for writing in $access_dir [$! $hostname]")
-                and exit (1);
+                or do_log ("ERROR: cannot open file for writing at $access_file [$!/$hostname]")
+                and next SET_KEY;
         }
         foreach my $person (sort (@{$access{$account}})) {
             my $real_name = $person;
@@ -592,9 +753,13 @@ foreach my $account (sort (@accounts)) {
         }
         close (KEYFILE) unless $preview;
 
-        # set permissions to world readable and check for SELinux context
+        # set ownerships/permissions on public key file and check for SELinux context
         unless ($preview) {
+            if ($key_location eq 'use_controls') {
                 set_file ($access_file, 0644, 0, 0);
+            } else {
+                set_file ($access_file, 0600, $uid, $gid);
+            }
             # selinux labels
             SWITCH: {
                 $os eq "Linux" && do {
@@ -611,7 +776,7 @@ foreach my $account (sort (@accounts)) {
         if (-f $access_file) {
             unless ($preview) {
                 unlink ($access_file)
-                or do_log ("ERROR: cannot remove obsolete access file(s) [$! $hostname]")
+                or do_log ("ERROR: cannot remove obsolete access file $access_file [$!/$hostname]")
                 and exit (1);
             } else {
                 do_log ("INFO: removing obsolete access $access_file on $hostname");
@@ -621,14 +786,16 @@ foreach my $account (sort (@accounts)) {
 }
 
 # -----------------------------------------------------------------------------
-# alert on/remove extraneous authorized_keys files 
+# alert on/remove extraneous authorized_keys files (SSH controls logic only)
 # (access files for which no longer a valid UNIX account exists)
 # -----------------------------------------------------------------------------
 
+if ($key_location eq 'use_controls') {
+
     do_log ("INFO: checking for extraneous access files ....");
 
     opendir (ACCESS_DIR, $access_dir)
-    or do_log ("ERROR: cannot open directory $access_dir [$! $hostname]") 
+        or do_log ("ERROR: cannot open directory $access_dir [$!/$hostname]")
     and exit (1);
     while (my $access_file = readdir (ACCESS_DIR)) {
         next if ($access_file =~ /^\./);
@@ -644,10 +811,11 @@ print Dumper (\@zombie_files) if $debug;
     # remove if requested and needed
     if ($remove && @zombie_files) {
         my $count = unlink (@zombie_files)
-        or do_log ("ERROR: cannot remove extraneous access file(s) [$! $hostname]") 
+            or do_log ("ERROR: cannot remove extraneous access file(s) [$!/$hostname]")
             and exit (1);
             do_log ("INFO: $count extraneous access files removed $hostname");
     }
+}
 
 exit (0);
 
@@ -669,6 +837,7 @@ update_ssh.pl - distributes SSH public keys in a desired state model.
 
     update_ssh.pl[-d|--debug]
                  [-h|--help]
+                 [-i|--ignore]
                  ([-p|--preview] [-g|--global]) | [-r|--remove]
                  [-v|--verbose]
                  [-V|--version]
@@ -677,9 +846,11 @@ update_ssh.pl - distributes SSH public keys in a desired state model.
 =head1 DESCRIPTION
 
 B<update_ssh.pl> distributes SSH keys to the appropriate files (.e. 'authorized_keys') into the C<$access_dir> repository based on the F<access>, F<alias> and F<keys> files.
+Alternatively B<update_ssh.pl> can distribute public keys to the location specified in the AuthorizedkeysFile setting of F<sshd_config> (allowing public keys to be distributed
+to the traditional location in a user's HOME directory). See C<key_location> setting in F<update_ssh.conf[.local]>for more information.
 This script should be run on each host where SSH key authentication is the exclusive method of (remote) authentication.
 
-For update SSH public keys must be stored in a generic F<keys> file within the same directory as B<update_ssh.pl> script. 
+Orginally SSH public keys must be stored in a generic F<keys> file within the same directory as B<update_ssh.pl> script.
 Alternatively key files may be stored as set of individual key files within a called sub-directory called F<keys.d>.
 Both methods are mutually exclusive and the latter always take precedence.
 
@@ -703,8 +874,12 @@ Following settings must be configured:
 
 =item * B<use_fqdn>       : whether to use short or FQDN host names
 
+=item * B<ignore_errors>  : whether to ignore errors during key deployment
+
 =item * B<access_dir>     : target directory for allowed SSH public key files
 
+=item * B<key_location>   : whether or not to use AuthorizedkeysFile setting in sshd_config for overriding $access_dir
+
 =item * B<blacklist_file> : location of the file with blacklisted SSH public keys
 
 =back
@@ -712,7 +887,7 @@ Following settings must be configured:
 =head1 BLACKLISTING
 
 Key blacklisting can be performed by adding a public key definition in its entirety to the blacklist keys file. When a blacklisted key is
-found in the available F<keys> file(s) during SSH control updates, an alert will be shown on STDOUT and the key will be ignored for the rest.
+found in the available F<keys> file(s) during SSH controls updates, an alert will be shown on STDOUT and the key will be ignored for the rest.
 
 Examples:
 
@@ -731,11 +906,15 @@ S<       >Be I<very> verbose during execution; show array/hash dumps.
 
 S<       >Show the help page.
 
+=item -i | --ignore
+
+S<       >Ignore errors during key deployment.
+
 =item -p | --preview
 
 S<       >Do not actually distribute any SSH public keys, nor update/remove any 'authorized_keys' files.
 
-=item -p | --global
+=item -g | --global
 
 S<       >Must be used in conjunction with the --preview option. This will dump the global namespace/configuration to STDOUT.
 
@@ -765,12 +944,4 @@ S<       >Show version of the script.
 
 =head1 AUTHOR
 
-(c) KUDOS BVBA, Patrick Van der Veken
-
-=head1 history
-
-@(#) 2014-12-04: VRF 1.0.0: first version [Patrick Van der Veken]
-@(#) 2014-12-16: VRF 1.0.1: added SELinux context, new config option 'selinux_context' [Patrick Van der Veken]
-@(#) 2015-08-08: VRF 1.0.2: small fix for 'cut' command [Patrick Van der Veken]
-@(#) 2015-08-15: VRF 1.1.0: replace uname/hostname syscalls, now support for FQDN via $use_fqdn, other fixes [Patrick Van der Veken]
-@(#) 2015-08-26: VRF 1.2.0: replace read of /etc/passwd by pwgetent() call, small and not so small fixes [Patrick Van der Veken]
+(c) KUDOS BV, Patrick Van der Veken