Feature Request: Plugin Model for authorizing public keys

Dan Kaminsky dan at doxpara.com
Wed Feb 9 12:33:43 EST 2011


This would be a more elegant mechanism for adding DNSSEC support than
my present patch.  For synchrony though, perhaps this should be a
ProxyCommand style executable?

On Tue, Feb 8, 2011 at 4:03 PM, Mark Cavage <mark.cavage at joyent.com> wrote:
> I would like to implement a feature whereby users can write their own
> plugins for authorizing use of a public key.  I've got a private
> branch of this working, but would like feedback before submitting a
> patch (starting with whether the community would want this).
> Essentially, I've added a line in sshd_config like:
>
> PubKeyPlugin ~/local/dev/plugin/libsshplugin.so
>
> Which dlopen's said plugin and looks for a function that checks access
> for RSA public keys (function defined below). It would not be a
> stretch to add DSA et al., but I didn't want to bother unless this
> gets blessed. The function gets invoked in auth2-pubkey only if the
> authorized_keys file checks failed.
>
> I did this as the only other functionality like this I saw were things
> like the LPK/Fed-SSH patches that assume one is running LDAP; this
> mechanism allows a user to run whatever arbitrary things they want to
> determine what keys map to what users (or by group, etc.).
>
> Thank you!
>
> /**
>  * NAME:
>  *     int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd, const char *fingerprint)
>  *
>  * DESCRIPTION:
>  *     Determines whether or not the specified key is allowed to authenticate as the user in pwd
>  *
>  * INPUTS:
>  *     RSA *rsa                    The RSA public key used by the remote party (signature check has already passed)
>  *     struct passwd *pwd          The user record the remote party is attempting to log in as
>  *     const char *fingerprint     MD5 fingerprint of the RSA public key (for convenience)
>  *
>  * OUTPUTS:
>  *     [0]    Not Allowed
>  *     [1]    Allowed
>  *
>  * NOTES:
>  *     Developers are expected to link against OpenSSL, and include <openssl/rsa.h>.
>  *     There is no dependency on OpenSSH.
>  */
> int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd, const char *fingerprint);
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
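A minimal plugin implementing the proposed interface, together with the sshd-side ordering the post describes (authorized_keys first, plugin only on failure), as an added example that is not Mark's branch or OpenSSH code. It assumes a constructed in-memory allowlist keyed by username and fingerprint, forward-declares RSA instead of pulling in OpenSSL so it compiles stand-alone, and the user_key_allowed and check_login names are hypothetical.

```c
#include <pwd.h>
#include <string.h>

/* RSA is only forward-declared so this file builds without OpenSSL;
 * a real plugin would #include <openssl/rsa.h> as the proposal says. */
typedef struct rsa_st RSA;

/* Constructed allowlist: which MD5 fingerprint may log in as which user.
 * A production plugin would consult its own backing store instead. */
struct key_grant { const char *user; const char *fingerprint; };
static const struct key_grant grants[] = {
    { "alice", "16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48" },
    { "bob",   "b7:2f:8c:5e:0a:11:9d:44:e3:6c:af:12:7b:90:35:cd" },
};

/* Plugin entry point, with the prototype from the proposal. Returns 1 only on
 * an exact match of user and lowercase colon-hex fingerprint (the form sshd
 * passes); a missing argument or unknown key is a deny, so it fails closed.
 * rsa is unused here because the fingerprint already identifies the key. */
int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd, const char *fingerprint)
{
    (void)rsa;
    if (pwd == NULL || pwd->pw_name == NULL || fingerprint == NULL)
        return 0;
    for (size_t i = 0; i < sizeof grants / sizeof grants[0]; i++)
        if (strcmp(grants[i].user, pwd->pw_name) == 0 &&
            strcmp(grants[i].fingerprint, fingerprint) == 0)
            return 1;
    return 0;
}

/* sshd-side ordering from the proposal: the plugin runs only after the
 * authorized_keys check failed and can never override a match there.
 * plugin is the pointer sshd would get from dlsym(3); NULL = none configured. */
typedef int (*pubkey_plugin_fn)(RSA *, struct passwd *, const char *);
int user_key_allowed(int authorized_keys_ok, pubkey_plugin_fn plugin,
                     RSA *rsa, struct passwd *pwd, const char *fp)
{
    if (authorized_keys_ok)
        return 1;
    return (plugin != NULL && plugin(rsa, pwd, fp)) ? 1 : 0;
}

/* Driver: build the passwd record sshd would pass and run the whole decision. */
int check_login(int authorized_keys_ok, const char *user, const char *fp)
{
    struct passwd pwd = { .pw_name = (char *)user };
    return user_key_allowed(authorized_keys_ok, sshd_user_rsa_key_allowed,
                            NULL, &pwd, fp);
}
```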

