Feature Request: Plugin Model for authorizing public keys

Mark Cavage mark.cavage at joyent.com
Wed Feb 9 10:19:52 EST 2011


I would like to implement a feature whereby users can write their own
plugins for authorizing use of a public key.  I've got a private branch of
this working, but would like feedback before submitting a patch (starting
with whether the community would want this).  Essentially, I've added a line
in sshd_config like:

PubKeyPlugin ~/local/dev/plugin/libsshplugin.so/dylib/...

which dlopen()s said plugin and looks for a function that checks access for
RSA public keys (function defined below). It would not be a stretch to add
DSA et al., but I didn't want to bother unless this gets blessed. The
function gets invoked in auth2-pubkey only if the authorized_keys file
checks failed.

I did this because the only other functionality like this I saw was things
like the LPK/Fed-SSH patches, which assume one is running LDAP; this
mechanism allows a user to run whatever arbitrary things they want to
determine what keys map to what users (or by group, etc.).

Thank you!

#include <pwd.h>
#include <openssl/rsa.h>

/**
 * NAME:
 *     int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd,
 *                                   const char *fingerprint)
 *
 * DESCRIPTION:
 *     Determines whether or not the specified key is allowed to
 *     authenticate as the user in pwd.
 *
 * INPUTS:
 *     RSA *rsa                 The RSA public key used by the remote
 *                              party (signature check has already passed)
 *     struct passwd *pwd       The user record the remote party is
 *                              attempting to log in as
 *     const char *fingerprint  MD5 fingerprint of the RSA public key
 *                              (for convenience)
 *
 * OUTPUTS:
 *     [0]    Not Allowed
 *     [1]    Allowed
 *
 * NOTES:
 *     Developers are expected to link against OpenSSL and
 *     include <openssl/rsa.h>.  There is no dependency on OpenSSH.
 */
int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd,
                              const char *fingerprint);
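As an added illustration of what a plugin written against the declared hook might look like (this is example code, not code from Mark's branch or from OpenSSH), here is a minimal fail-closed plugin that binds users to permitted key fingerprints. It assumes only the signature given above; the `typedef struct rsa_st RSA;` is OpenSSL's own opaque typedef, repeated here so the file compiles without the OpenSSL headers, and the allow-list, the user names and the fingerprints are constructed sample data. The `check_user` wrapper is a hypothetical helper for exercising the hook, not part of the proposed interface.

```c
/* Example implementation of the proposed PubKeyPlugin hook (added example; not
 * code from the original post).  Build as a shared object, e.g.
 *     cc -shared -fPIC -o libsshplugin.so pubkey_plugin.c
 * and point PubKeyPlugin in sshd_config at the resulting file. */
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* OpenSSL's opaque typedef, repeated so the declared signature compiles without
 * <openssl/rsa.h>.  A plugin that inspects the key would include the real header. */
typedef struct rsa_st RSA;

/* Constructed allow-list of "user  MD5-fingerprint" lines.  A real plugin would
 * fetch this from whatever backend it authorizes against (database, LDAP, ...). */
static const char *ALLOWLIST =
    "# user    MD5 fingerprint of the permitted RSA key\n"
    "alice     01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef\n"
    "\n"
    "carol\n"                       /* malformed: no fingerprint, so it never matches */
    "bob       fe:dc:ba:98:76:54:32:10:fe:dc:ba:98:76:54:32:10\n";

/* Case-insensitive, full-length comparison of two hex fingerprints. */
static int fp_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';   /* reject prefixes: both must end together */
}

/* Return 1 only if some well-formed line binds exactly this user to this fingerprint. */
static int allowlist_permits(const char *list, const char *user, const char *fp)
{
    char line[256], luser[64], lfp[128];
    const char *p = list;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *next = nl ? nl + 1 : p + len;

        if (len < sizeof(line)) {
            memcpy(line, p, len);
            line[len] = '\0';
            /* blank lines, comments and lines without two tokens are skipped, not matched */
            if (sscanf(line, " %63s %127s", luser, lfp) == 2 && luser[0] != '#' &&
                strcmp(luser, user) == 0 && fp_equal(lfp, fp))
                return 1;
        }
        /* over-long lines are ignored entirely rather than matched on a truncated prefix */
        p = next;
    }
    return 0;
}

/* The symbol sshd would resolve with dlsym() after dlopen()ing the plugin.  It is
 * reached only after the authorized_keys lookup failed and the signature has already
 * verified, so the decision here is purely "is this key bound to this account?".
 * Anything unexpected yields 0: the plugin fails closed. */
int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd, const char *fingerprint)
{
    (void)rsa;   /* this policy keys on the fingerprint only */
    if (pwd == NULL || pwd->pw_name == NULL || fingerprint == NULL)
        return 0;
    return allowlist_permits(ALLOWLIST, pwd->pw_name, fingerprint);
}

/* Hypothetical helper for exercising the hook with a constructed passwd record. */
int check_user(const char *name, const char *fingerprint)
{
    struct passwd pw;
    memset(&pw, 0, sizeof pw);
    pw.pw_name = (char *)name;
    return sshd_user_rsa_key_allowed(NULL, &pw, fingerprint);
}

int main(void)
{
    const char *alice_fp = "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef";
    printf("alice + alice's key: %d\n", check_user("alice", alice_fp));
    printf("bob   + alice's key: %d\n", check_user("bob", alice_fp));
    printf("no passwd record   : %d\n", sshd_user_rsa_key_allowed(NULL, NULL, alice_fp));
    return 0;
}
```

On the sshd side the loader would `dlopen()` the configured path, `dlsym()` the symbol name `sshd_user_rsa_key_allowed`, and treat a missing symbol or a non-1 return as "not allowed". Because the object is mapped into the privileged sshd process, the path given to PubKeyPlugin is best kept in a root-owned location rather than under a user's home directory, and the hook itself should, as above, return 0 on any input it does not expect.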


More information about the openssh-unix-dev mailing list