[openssh-commits] [openssh] 01/02: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Sep 21 11:44:04 AEST 2016


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit bfa9d969ab6235d4938ce069d4db7e5825c56a19
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 21 01:34:45 2016 +0000

    upstream commit
    
    add a way for principals command to see key ID and serial
    too
    
    Upstream-ID: 0d30978bdcf7e8eaeee4eea1b030eb2eb1823fcb
---
 auth2-pubkey.c |  6 +++++-
 sshd_config.5  | 18 ++++++++++--------
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index a08354c..cc54666 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.57 2016/09/14 20:11:26 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.58 2016/09/21 01:34:45 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -639,6 +639,7 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
 	pid_t pid;
 	char *tmp, *username = NULL, *command = NULL, **av = NULL;
 	char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL;
+	char serial_s[16];
 	void (*osigchld)(int);
 
 	if (options.authorized_principals_command == NULL)
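Review bot: serial_s[16] is too small for the value later written into it with snprintf(serial_s, sizeof(serial_s), "%llu", cert->serial). An unsigned long long can need 20 decimal digits plus the terminating NUL, so any serial above 999999999999999 is silently truncated, and the principals command then sees a serial that may match a different certificate. Suggest sizing the buffer for the full range (32 bytes is a comfortable round number), checking the snprintf() return value against sizeof(serial_s), and treating truncation as an error, so that a command making allow or revoke decisions on %s never receives a shortened number.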
@@ -694,6 +695,7 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
 		error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
 		goto out;
 	}
+	snprintf(serial_s, sizeof(serial_s), "%llu", cert->serial);
 	for (i = 1; i < ac; i++) {
 		tmp = percent_expand(av[i],
 		    "u", user_pw->pw_name,
@@ -704,6 +706,8 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
 		    "F", ca_fp,
 		    "k", keytext,
 		    "K", catext,
+		    "i", cert->key_id,
+		    "s", serial_s,
 		    (char *)NULL);
 		if (tmp == NULL)
 			fatal("%s: percent_expand failed", __func__);
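Review bot: cert->key_id goes into percent_expand() as the %i value without any visible check, and unlike the fingerprints and base64 blobs beside it, the key ID is free-form text chosen when the certificate was signed. Because expansion runs on each av[i] separately, the value stays inside one argument, which is good, but please confirm key_id cannot be NULL at this point (a NULL here would be read as the end of the argument list, dropping "s", serial_s as well). It would also help to note in sshd_config.5 that %i may contain spaces or shell metacharacters, so an AuthorizedPrincipalsCommand written as a script should quote it and never evaluate it.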
diff --git a/sshd_config.5 b/sshd_config.5
index 9e96acf..dd94b48 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.232 2016/09/14 05:42:25 djm Exp $
-.Dd $Mdocdate: September 14 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.233 2016/09/21 01:34:45 djm Exp $
+.Dd $Mdocdate: September 21 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -306,14 +306,16 @@ Arguments to
 may be provided using the following tokens, which will be expanded
 at runtime:
 %% is replaced by a literal '%',
-%u is replaced by the username being authenticated,
-%h is replaced by the home directory of the user being authenticated,
-%t is replaced with type of the certificate being offered,
-%T with the type of the CA key,
-%f is replaced with certificate fingerprint,
 %F with the fingerprint of the CA key,
-%k is replaced with the full base-64 encoded certificate and
+%f is replaced with certificate fingerprint,
 %K is replaced with the base-64 encoded CA key.
+%k is replaced with the full base-64 encoded certificate,
+%h is replaced with the home directory of the user being authenticated,
+%i is replaced with key ID in the certificate,
+%s is replaced with the serial number of the certificate,
+%T with the type of the CA key,
+%t is replaced with type of the certificate being offered, and
+%u is replaced by the username being authenticated,
 If no arguments are specified then the username of the target user
 will be supplied.
 .Pp
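Review bot: the reordered token list has broken punctuation. The %K entry now ends with a full stop in the middle of the list, and the final %u entry ends with a comma, so the sentence runs straight into "If no arguments are specified". Suggest ending the %K line with a comma and the %u line with a full stop. While here: the list looks meant to be alphabetical, but %K and %k come before %h; the %F and %T entries omit "is replaced"; and the wording switches between "replaced by" and "replaced with". Since %i and %s are new, a short note that they only carry meaning for certificates (key ID and serial as set by the CA) would make the man page self-contained.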

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

