Feature Request: Plugin Model for authorizing public keys
Mark Cavage
mark.cavage at joyent.com
Wed Feb 9 12:45:04 EST 2011
I'm not sure I follow - this is an sshd proposal (i.e., I mainly
hacked up sshd/auth2-pubkey.c) so that the target host doesn't need a
~/.ssh/authorized_keys file.
On Tue, Feb 8, 2011 at 5:33 PM, Dan Kaminsky <dan at doxpara.com> wrote:
> This would be a more elegant mechanism for adding DNSSEC support than
> my present patch. For synchrony though, perhaps this should be a
> ProxyCommand style executable?
>
> On Tue, Feb 8, 2011 at 4:03 PM, Mark Cavage <mark.cavage at joyent.com> wrote:
>> I would like to implement a feature whereby users can write their own
>> plugins for authorizing use of a public key. I've got a private
>> branch of this working, but would like feedback before submitting a
>> patch (starting with whether the community would want this).
>> Essentially, I've added a line in sshd_config like:
>>
>> PubKeyPlugin ~/local/dev/plugin/libsshplugin.so
>>
>> Which dlopen's said plugin and looks for a function that checks access
>> for RSA public keys (function defined below). It would not be a
>> stretch to add DSA et al., but I didn't want to bother unless this
>> gets blessed. The function gets invoked in auth2-pubkey only if the
>> authorized_keys file checks failed.
>>
>> I did this as the only other functionality like this I saw were things
>> like the LPK/Fed-SSH patches that assume one is running LDAP; this
>> mechanism allows a user to run whatever arbitrary things they want to
>> determine what keys map to what users (or by group, etc.).
>>
>> Thank you!
>>
>> /**
>>  * NAME:
>>  *   int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd,
>>  *                                 const char *fingerprint)
>>  *
>>  * DESCRIPTION:
>>  *   Determines whether or not the specified key is allowed to
>>  *   authenticate as the user in pwd
>>  *
>>  * INPUTS:
>>  *   RSA *rsa                  The RSA public key used by the
>>  *                             remote party (signature check has already passed)
>>  *   struct passwd *pwd        The user record the remote party is
>>  *                             attempting to login as
>>  *   const char *fingerprint   MD5 fingerprint of the RSA public
>>  *                             key (for convenience)
>>  *
>>  * OUTPUTS:
>>  *   [0] Not Allowed
>>  *   [1] Allowed
>>  *
>>  * NOTES:
>>  *   Developers are expected to link against OpenSSL, and
>>  *   include <openssl/rsa.h>.
>>  *   There is no dependency on OpenSSH.
>>  */
>> int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd,
>>     const char *fingerprint);
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
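The following is an added example, not code from this thread or from OpenSSH: a minimal plugin implementing the interface Mark proposes above, with the fail-closed behaviour a reviewer would want from anything that sits in the sshd authorization path. It maps (username, MD5 fingerprint) pairs to a constructed allowlist, rejects malformed fingerprints and missing arguments, and never inspects the RSA object. To compile without OpenSSL installed, it forward-declares the opaque `RSA` type (OpenSSL defines it as `typedef struct rsa_st RSA;`); a real plugin would `#include <openssl/rsa.h>` as the proposal says. The allowlist contents, the `grant_lookup`, `fingerprint_is_well_formed` and `allowed_for` helper names, and the policy of never authorizing uid 0 through the plugin are all assumptions of this example. Note also that, per the proposal, sshd only calls the hook after the `authorized_keys` checks have failed, so a plugin can add grants but cannot veto keys already listed in that file.

```c
/* Added example plugin for the proposed sshd_user_rsa_key_allowed() hook.
 * Not from the thread or from OpenSSH. Build as a shared object, e.g.
 *   cc -shared -fPIC -o libsshplugin.so plugin.c
 * (the main() below is only a stand-alone demo). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */
#include <pwd.h>

/* Assumption: OpenSSL's RSA is an opaque struct; forward-declare it so this
 * file compiles without OpenSSL headers. The key is never dereferenced here. */
typedef struct rsa_st RSA;

/* Constructed allowlist: which MD5 fingerprint may log in as which user. */
struct key_grant {
    const char *user;
    const char *fingerprint;   /* colon-separated hex, as sshd passes it */
};

static const struct key_grant grants[] = {
    { "alice", "de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb" },
    { "bob",   "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef" },
};

/* An MD5 fingerprint is 16 hex pairs separated by colons: 47 characters. */
int fingerprint_is_well_formed(const char *fp)
{
    size_t i, n;
    if (fp == NULL)
        return 0;
    n = strlen(fp);
    if (n != 47)
        return 0;
    for (i = 0; i < n; i++) {
        if (i % 3 == 2) {
            if (fp[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)fp[i])) {
            return 0;
        }
    }
    return 1;
}

/* Return 1 only if this exact (user, fingerprint) pair is granted; the
 * fingerprint comparison is case-insensitive, everything else is strict. */
int grant_lookup(const char *user, const char *fp)
{
    size_t i;
    if (user == NULL || !fingerprint_is_well_formed(fp))
        return 0;
    for (i = 0; i < sizeof(grants) / sizeof(grants[0]); i++) {
        if (strcmp(grants[i].user, user) == 0 &&
            strcasecmp(grants[i].fingerprint, fp) == 0)
            return 1;
    }
    return 0;   /* default deny */
}

/* The hook sshd would dlsym() and call after authorized_keys checks fail.
 * Returns 1 for Allowed, 0 for Not Allowed, exactly as the proposal states. */
int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd, const char *fingerprint)
{
    (void)rsa;   /* signature already verified by sshd; not inspected here */
    if (pwd == NULL || pwd->pw_name == NULL)
        return 0;
    if (pwd->pw_uid == 0)
        return 0;   /* example policy: root is never authorized via the plugin */
    return grant_lookup(pwd->pw_name, fingerprint);
}

/* Helper for tests and the demo: build a passwd record and ask the hook. */
int allowed_for(const char *user, unsigned int uid, const char *fp)
{
    struct passwd pw;
    memset(&pw, 0, sizeof(pw));
    pw.pw_name = (char *)user;
    pw.pw_uid = uid;
    return sshd_user_rsa_key_allowed(NULL, &pw, fp);
}

int main(void)
{
    printf("alice/known key: %d\n",
           allowed_for("alice", 1000, "DE:AD:BE:EF:00:11:22:33:44:55:66:77:88:99:AA:BB"));
    printf("alice/bob's key: %d\n",
           allowed_for("alice", 1000, "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef"));
    printf("root/known key:  %d\n",
           allowed_for("root", 0, "de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb"));
    return 0;
}
```

The loader side is the part the proposal hacks into `auth2-pubkey.c`; whatever it looks like, the same fail-closed rule applies there: a plugin that fails to `dlopen()`, lacks the symbol, or returns anything other than 1 should leave the key rejected.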