Is it possible to modify the default location of the user's specific files of OpenSSH (~/.ssh)?
I've found the XDG base directory specification and I was wondering if it was possible to make OpenSSH compliant with it?
It's not possible.
This was evoked in Bug 2050: Support XDG basedir specification, whose status is "CLOSED WONTFIX". Following demands by users were no longer answered after the following final answer from 2012:
OpenSSH (and its ancestor ssh-1.x) have a 17 year history of using ~/.ssh. This location is baked into innumerable users' brains, millions of happily working configurations and countless tools.
Changing the location of our configuration would require a very strong justification and following a trend of desktop applications (of which OpenSSH is not) is not sufficient.
Arch Linux adds one more reason for this in its status report XDG Base Directory:
Assumed to be present by many ssh daemons and clients such as DropBear and OpenSSH.
Theoretically you could, as OpenSSH gives you a few options to specify alternate paths for some (and possibly all) of the usual files in ~/.ssh.
But be aware that this is very unconventional, will have a different approach for each file, and might require superuser privileges to change settings for both ssh client and the server. It certainly won't be convenient, and it may have a number of corner cases where it fails.
That said, let's try this as a fun exercise:
export SSH_HOME=${XDG_CONFIG_HOME:-$HOME/.config}/ssh

~/.ssh/config: can be changed via command line ssh -F "$SSH_HOME"/config
~/.ssh/id_{ed25519,rsa}{,.pub}: also command line ssh -i "$SSH_HOME"/id_ed25519 (or -o IdentityFile="$SSH_HOME"/id_ed25519). Can be specified multiple times to try different keys.
~/.ssh/known_hosts: ssh -o UserKnownHostsFile="$SSH_HOME"/known_hosts
~/.ssh/authorized_keys: this requires aid from sshd (the server), drop a xxx.conf file in /etc/ssh/sshd_config.d/xxx.conf containing AuthorizedKeysFile ~/.config/ssh/authorized_keys, either as a global statement or in a per-user Match user xxx block. In any case you'd have to hard-code ~/.config/ssh as it can't expand XDG_CONFIG_HOME.

For UserKnownHostsFile and IdentityFile, you could also alternatively set them in your "$SSH_HOME"/config, or drop a config override file in /etc/ssh/ssh_config.d/xxx.conf containing the option(s), but the same restriction on hard-coding ~/.config/ssh applies.
Summing it up:
sudo tee /etc/ssh/sshd_config.d/00-xdg.conf <<< 'AuthorizedKeysFile ~/.config/ssh/authorized_keys'
export SSH_HOME=${XDG_CONFIG_HOME:-$HOME/.config}/ssh
alias ssh='ssh -F "$SSH_HOME"/config -i "$SSH_HOME"/id_ed25519 -o UserKnownHostsFile="$SSH_HOME"/known_hosts'
Not for the faint of heart... and not recommended either.
But hey, it can be done! ;-)
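
An added example, not part of either answer above: once the files live under ~/.config/ssh, the permission rules that normally cover ~/.ssh apply to the new path. With sshd's default StrictModes yes, authorized_keys is rejected if the file or any directory between it and the home directory is group- or world-writable, and ssh ignores a private key that group or others can access. The function names below are hypothetical, and the script checks mode bits only, not ownership.

```shell
#!/bin/sh
# Added example: permission audit for a relocated SSH directory (hypothetical helper names).
# Checks mode bits only, not ownership. Uses POSIX find primaries; -H follows a symlinked path.

# True if $1 is group- or world-writable.
others_can_write() {
    hit=$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)
    [ -n "$hit" ]
}

# True if $1 has any group/other permission bit set (mode & 077).
others_have_access() {
    hit=$(find -H "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)
    [ -n "$hit" ]
}

# audit_ssh_home DIR HOME_DIR: print findings, return 1 if there are any.
audit_ssh_home() {
    dir=$1 home=$2 rc=0
    # StrictModes covers every directory from the key file up to the home directory.
    d=$dir
    while :; do
        if others_can_write "$d"; then
            echo "UNSAFE directory (group/world-writable): $d"; rc=1
        fi
        if [ "$d" = "$home" ] || [ "$d" = "/" ] || [ "$d" = "." ]; then break; fi
        d=$(dirname "$d")
    done
    # authorized_keys falls under StrictModes; config is included because anyone
    # who can edit it changes how ssh connects.
    for f in "$dir/authorized_keys" "$dir/config"; do
        if [ -f "$f" ] && others_can_write "$f"; then
            echo "UNSAFE file (group/world-writable): $f"; rc=1
        fi
    done
    # ssh ignores a private key that group or others can access.
    for f in "$dir"/id_*; do
        case $f in *.pub) continue ;; esac
        if [ -f "$f" ] && others_have_access "$f"; then
            echo "UNSAFE private key (accessible to group/others): $f"; rc=1
        fi
    done
    return $rc
}
```

Run it as audit_ssh_home "$SSH_HOME" "$HOME" after moving the files; a non-zero return means at least one path needs a chmod before sshd or ssh will accept it.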