[Bug 2081] extend the parameters to the AuthorizedKeysCommand
bugzilla-daemon at mindrot.org
Tue Sep 23 21:32:27 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2081
Sami Hartikainen <hasa100 at hotmail.com> changed:
What                         |Removed |Added
----------------------------------------------------------------------------
Attachment #2478 is obsolete |0       |1
--- Comment #23 from Sami Hartikainen <hasa100 at hotmail.com> ---
Created attachment 2479
--> https://bugzilla.mindrot.org/attachment.cgi?id=2479&action=edit
Reworked patch enabling optional %-expanded arguments
Revised based on feedback, e.g. %h expansion added.
> 2. still open issue is if we need to skip calling the
> utility if no public key, I leave this to openssh
> developers to decide, I think we should execute with
> empty value.
I would like to hear comments from other people on this as
well. But consider an AuthorizedKeysCommand of:
    /usr/local/sbin/myauth --user %u --key %k non-option-arg
If %k is missing (due to sshkey_to_base64() failing),
the 'non-option-arg' will be read as the option value for
--key, possibly breaking the 'myauth' utility.
> 4. I do think that regardless we allow variable # of parameters
> we can have sane limit and avoid dynamic memory management...
Disagree on this; different limits in different places are a source
of hard-to-track bugs.
> 6. not sure the sshkey_to_base64 is first requirement to perform
> that conversion... maybe something should be shared with ssh-keygen.
sshkey_write() is almost the same, so perhaps the 'guts' of it could
be refactored to be usable for this.
--
Sami
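
The argument shift described in the message above, as an added C illustration (not code from the attached patch or from OpenSSH): it builds an argv from the quoted command template in two ways and shows which value a helper would read for --key when %k expands to nothing. The functions expand, build_argv and key_value, the user "alice" and the empty key are constructed for this example; only %u and %k are handled.

```c
#include <stdio.h>
#include <string.h>
#define MAXARGS 16              /* fixed only to keep the example short */
static char bufs[MAXARGS][256]; /* argv storage, overwritten by each call */

/* Expand %u and %k in s into out (at most n-1 bytes); other text is copied.
 * user and key must be non-NULL; an unavailable key is passed as "". */
static void expand(const char *s, const char *user, const char *key,
                   char *out, size_t n) {
    size_t o = 0;
    for (; *s && o + 1 < n; s++) {
        const char *sub = (s[0] != '%') ? NULL :
            (s[1] == 'u') ? user : (s[1] == 'k') ? key : NULL;
        if (sub == NULL) { out[o++] = *s; continue; }
        s++;                    /* skip the format letter */
        while (*sub && o + 1 < n) out[o++] = *sub++;
    }
    out[o] = '\0';
}

/* split_first=0: expand the whole line, then split on spaces (empty %k vanishes).
 * split_first=1: split the template, then expand each token (empty %k is kept). */
static int build_argv(const char *tmpl, const char *user, const char *key,
                      int split_first, char *argv[]) {
    char line[1024], *tok;
    int argc = 0;
    if (split_first) snprintf(line, sizeof line, "%s", tmpl);
    else expand(tmpl, user, key, line, sizeof line);
    for (tok = strtok(line, " "); tok && argc < MAXARGS; tok = strtok(NULL, " ")) {
        if (split_first) expand(tok, user, key, bufs[argc], sizeof bufs[argc]);
        else snprintf(bufs[argc], sizeof bufs[argc], "%s", tok);
        argv[argc] = bufs[argc]; argc++;
    }
    return argc;
}

/* The value a helper's option parser would take for --key. */
static const char *key_value(int argc, char *argv[]) {
    for (int i = 0; i + 1 < argc; i++)
        if (strcmp(argv[i], "--key") == 0) return argv[i + 1];
    return NULL;
}

int main(void) {
    const char *t = "/usr/local/sbin/myauth --user %u --key %k non-option-arg";
    char *av[MAXARGS];
    for (int mode = 0; mode < 2; mode++) {  /* constructed input: empty key */
        int n = build_argv(t, "alice", "", mode, av);
        printf("split_first=%d argc=%d --key='%s'\n", mode, n, key_value(n, av));
    }
}
```

With the empty argument kept in place, the helper sees an empty --key value and can reject it explicitly instead of treating the trailing argument as a key.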