[Bug 2081] extend the parameters to the AuthorizedKeysCommand

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Sep 23 21:32:27 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2081

Sami Hartikainen <hasa100 at hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2478|0                           |1
        is obsolete|                            |

--- Comment #23 from Sami Hartikainen <hasa100 at hotmail.com> ---
Created attachment 2479
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2479&action=edit
Reworked patch enabling optional %-expanded arguments

Revised based on feedback, e.g. %h expansion added.

> 2. still open issue is if we need to skip calling the
> utility if no public key, I leave this to openssh
> developers to decide, I think we should execute with
> empty value.

I would like to hear comments from other people on this as
well. But consider an AuthorizedKeysCommand of:

    /usr/local/sbin/myauth --user %u --key %k non-option-arg

If %k is missing (due to sshkey_to_base64() failing),
the 'non-option-arg' will be read as the option value for
--key, possibly breaking the 'myauth' utility.

> 4. I do think that regardless we allow variable # of parameters
> we can have sane limit and avoid dynamic memory management...

Disagree on this; different limits in different places are a source
of hard-to-track bugs.

> 6. not sure the sshkey_to_base64 is first requirement to perform
> that conversion... maybe something should be shared with ssh-keygen.

sshkey_write() is almost the same, so perhaps the 'guts' of it could
be refactored to be usable for this.

--
Sami
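
The argument-shift concern raised in the comment above, as an added example that is not part of the original message or the attached patch: a C expander for a space-separated command template, with three policies for a %k that has no value. The names expand_word, build_argv and the MISSING_* policies are hypothetical, and only %u, %k and %% are handled.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical policies for a word whose %k has no value. */
enum missing { MISSING_OMIT, MISSING_EMPTY, MISSING_REFUSE };

/* Expand %u, %k and %% in one word of length n; sets *miss if %k has no value. */
static char *expand_word(const char *w, size_t n, const char *user,
    const char *key, int *miss)
{
    size_t klen = key != NULL ? strlen(key) : 0;
    /* Upper bound: every input byte expands to at most ulen + klen + 1 bytes. */
    char *out = calloc(n * (strlen(user) + klen + 1) + 1, 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        if (w[i] != '%') { strncat(out, &w[i], 1); continue; }
        char t = (++i < n) ? w[i] : '\0';
        if (t == 'u') strcat(out, user);
        else if (t == 'k' && key != NULL) strcat(out, key);
        else if (t == 'k') *miss = 1;
        else if (t == '%') strcat(out, "%");
        else { free(out); return NULL; }   /* unknown token or trailing '%' */
    }
    return out;
}

/* Split tmpl on spaces and expand each word into argv[] (NULL-terminated,
 * at most max entries including the NULL). Returns argc, or -1 on refusal. */
int build_argv(const char *tmpl, const char *user, const char *key,
    enum missing policy, char **argv, int max)
{
    int argc = 0;
    for (const char *p = tmpl; ; ) {
        p += strspn(p, " ");
        size_t n = strcspn(p, " ");
        if (n == 0) break;
        int miss = 0;
        char *arg = expand_word(p, n, user, key, &miss);
        p += n;
        if (arg == NULL || argc + 1 >= max || (miss && policy == MISSING_REFUSE)) {
            free(arg);
            while (argc > 0) free(argv[--argc]);
            return -1;                      /* do not run the command at all */
        }
        if (miss && policy == MISSING_OMIT) { free(arg); continue; }
        argv[argc++] = arg;                 /* MISSING_EMPTY keeps "" in its slot */
    }
    argv[argc] = NULL;
    return argc;
}
```

With key == NULL and the template from the comment, MISSING_OMIT yields `--key non-option-arg` as adjacent arguments, while MISSING_EMPTY keeps an empty string between them.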
