[Bug 2081] extend the parameters to the AuthorizedKeysCommand

bugzilla-daemon at mindrot.org
Sun Feb 23 03:23:56 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2081

Florian Zimmermann <flo at chaos-wg.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |flo at chaos-wg.net
            Version|6.2p1                       |6.5p1

--- Comment #3 from Florian Zimmermann <flo at chaos-wg.net> ---
Hey,

I like the idea of providing some more input to the
AuthorizedKeysCommand since it seems extremely useful in the GitHub
case, i.e. one git user and tons of public keys that one has to scan
through if the AuthorizedKeysCommand blindly dumps all public keys for
the git user.

I looked a bit further into the suggestion of including the fingerprint
into the arguments for the AuthorizedKeysCommand
(http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-June/031457.html)
and (hopefully) fixed the memory leak that would have been introduced
by the suggested patch.

This patch passes two additional arguments to the AuthorizedKeysCommand
(the first argument -- the user being authenticated -- remains):

- the type of the key used for authentication.
  This is one of the strings defined in the keytypes array in key.c,
  e.g. "ssh-rsa", "ssh-dss" or "ssh-unknown"

- the MD5 fingerprint (hex formatted) of the key used for
  authentication.

I tested this on a virtual machine running Debian Wheezy and it seemed
to work pretty well...


I'm not sure whether passing the entire key that is used for
authentication to the AuthorizedKeysCommand is in any way better or
worse than just using the key type and fingerprint
(http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-January/030967.html).
It seemed like a lot more work though ;)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
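
A sketch of a helper that could consume the three arguments described in the comment above (user, key type, MD5 fingerprint) and print only the matching key. It is an added example, not part of the patch or of OpenSSH. Assumptions: the argument order follows the comment, the fingerprint is the MD5 of the decoded key blob and may arrive with or without colons, and the key store, the "git" account name and the key blobs are constructed for illustration.

```python
import base64
import hashlib
import sys

def _blob(key_type, body):
    """Build a constructed base64 key blob (length-prefixed type + filler bytes)."""
    t = key_type.encode()
    return base64.b64encode(len(t).to_bytes(4, "big") + t + body).decode()

# Constructed sample store for one shared account: (owner, authorized_keys line).
KEY_STORE = [
    ("alice", f"ssh-rsa {_blob('ssh-rsa', b'constructed-alice')} alice@example"),
    ("bob", f"ssh-dss {_blob('ssh-dss', b'constructed-bob')} bob@example"),
    ("broken", "ssh-rsa not*base64 broken@example"),  # malformed on purpose
]

def md5_fingerprint(line):
    """Return (key type, lowercase hex MD5 of the decoded blob), or None if unparsable."""
    fields = line.split()
    if len(fields) < 2:
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    return fields[0], hashlib.md5(blob).hexdigest()

def lookup(user, key_type, fingerprint, store=KEY_STORE, account="git"):
    """Return only the authorized_keys lines that match the offered key."""
    if user != account:
        return []
    wanted = fingerprint.replace(":", "").lower()
    # Reject anything that is not exactly 16 hex-encoded bytes before using it.
    if len(wanted) != 32 or any(c not in "0123456789abcdef" for c in wanted):
        return []
    return [line for _, line in store if md5_fingerprint(line) == (key_type, wanted)]

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(1)
    for line in lookup(sys.argv[1], sys.argv[2], sys.argv[3]):
        print(line)
```

sshd still checks the offered key against whatever lines the command prints, so the fingerprint here only narrows the lookup and is not itself the authentication decision.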

