Let's say that there are just two possible paths for an authorized_keys file (P1 and P2).
The choices are:
1. Check P1, if it doesn't exist use P2
2. Check P2, if it doesn't exist use P1
3. Merge the contents of P1 and P2 somehow
You need to remove authorization for a key (or certificate); you confirm it has been removed from P1. In both cases #2 and #3 above, you may have failed to actually remove authorization!
Obviously if there are more than 2 possible paths, things get even worse. Also, if you follow XDG to the letter (where things can be redirected by environment variables), there are even more confounding issues, because the environment that sshd sees could be different from the environment that the user sees.
Let's say that there are just two possible paths for an authorized_keys file (P1 and P2).
The choices are:
1. Check P1, if it doesn't exist use P2
2. Check P2, if it doesn't exist use P1
3. Merge the contents of P1 and P2 somehow
You need to remove authorization for a key (or certificate); you confirm it has been removed from P1. In both cases #2 and #3 above, you may have failed to actually remove authorization!
Obviously if there are more than 2 possible paths, things get even worse. Also, if you follow XDG to the letter (where things can be redirected by environment variables), there are even more confounding issues, because the environment that sshd sees could be different from the environment that the user sees.