Feature Request: Plugin Model for authorizing public keys

Mark Cavage mark.cavage at joyent.com
Wed Feb 9 11:03:26 EST 2011

I would like to implement a feature whereby users can write their own
plugins for authorizing use of a public key.  I've got a private
branch of this working, but would like feedback before submitting a
patch (starting with whether the community would want this).
Essentially, I've added a line in sshd_config like:

PubKeyPlugin ~/local/dev/plugin/libsshplugin.so

Which dlopen's said plugin and looks for a function that checks access
for RSA public keys (function defined below). It would not be a
stretch to add DSA et al., but I didn't want to bother unless this
gets blessed. The function gets invoked in auth2-pubkey only if the
authorized_keys file checks failed.

I did this as the only other functionality like this I saw were things
like the LPK/Fed-SSH patches that assume one is running LDAP; this
mechanism allows a user to run whatever arbitrary things they want to
determine what keys map to what users (or by group, etc.).

Thank you!

 * NAME:
 *     int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd,
const char *fingerprint)
 *     Determines whether or not the specified key is allowed to
authenticate as the user in pwd
 *      RSA * rsa                      The RSA public key used by the
remote party (signature check has already passed)
 *      struct passwd * pwd       The user record the remote party is
attempting to login as
 *      const char * fingerprint    MD5 fingerprint of the RSA public
key (for convenience)
 *     [0]    Not Allowed
 *     [1]    Allowed
 *     Developers are expected to link against OpenSSL, and
 *     There is no dependency on OpenSSH.
int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd, const char

More information about the openssh-unix-dev mailing list