[Bug 983] Required authentication
bugzilla-daemon at bugzilla.mindrot.org
Sat Sep 17 21:39:50 EST 2011
https://bugzilla.mindrot.org/show_bug.cgi?id=983
--- Comment #43 from David Woodhouse <dwmw2 at infradead.org> 2011-09-17 21:39:50 EST ---
My use case for this is to run a PAM stack *after* pubkey
authentication, and one environment in which I want to do that is for
something like gitolite — where multiple people each have their own SSH
key installed, but there is only one local user. We want to use keys
*and* a one-time password.
It would be really useful if the PAM stack could know *which* SSH key
was used to authenticate. Then we can have an OTP setup for each human
being rather than just having a single shared one.
This kind of thing should probably do it. This makes the two-step
authentication much more useful for us.
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 137887e..68f1a6a 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -350,6 +350,12 @@ user_key_allowed2(struct passwd *pw, Key *key,
char *file)
verbose("Accepted certificate ID \"%s\" "
"signed by %s CA %s via %s", key->cert->key_id,
key_type(found), fp, file);
+#ifdef USE_PAM
+ if (options.use_pam) {
+ do_pam_putenv("SSH_PUBKEY_TYPE", "X509");
+ do_pam_putenv("SSH_PUBKEY", key->cert->key_id);
+ }
+#endif
xfree(fp);
found_key = 1;
break;
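Review bot: the certificate branch labels the key with the literal "X509" while this code path handles an OpenSSH certificate (it reads key->cert->key_id and logs "Accepted certificate ID"), so the second hunk's `key_type(found)` convention would be more accurate and consistent. Also note that key_id is a free-form string chosen by the CA at signing time and the fingerprint in the other hunk is MD5 hex; a PAM module that keys OTP state on SSH_PUBKEY should treat the value as an opaque, untrusted identifier rather than parsing it. Finally, the environment is set as soon as a matching entry is found in the file, before the caller has verified the signature and before `found_key` is acted on; consider having the caller export it only once the pubkey authentication has actually completed, so a later failed or abandoned attempt cannot leave a stale value in the PAM environment.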
@@ -365,6 +371,12 @@ user_key_allowed2(struct passwd *pw, Key *key,
char *file)
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
verbose("Found matching %s key: %s",
key_type(found), fp);
+#ifdef USE_PAM
+ if (options.use_pam) {
+ do_pam_putenv("SSH_PUBKEY_TYPE", key_type(found));
+ do_pam_putenv("SSH_PUBKEY", fp);
+ }
+#endif
xfree(fp);
break;
}
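Review bot: the plain-key branch takes the same `options.use_pam` guard and the same two `do_pam_putenv` calls as the certificate hunk; since both hunks set SSH_PUBKEY_TYPE/SSH_PUBKEY from a (type, identifier) pair immediately before `xfree(fp)`, a small static helper called from both sites would keep the two paths from drifting and make the fingerprint format (currently `key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX)`) a single place to change. Whatever format is chosen should be documented for PAM module authors, since they will need to store the exact string to map a key to a person.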