Feature Request: Plugin Model for authorizing public keys

Dan Kaminsky dan at doxpara.com
Wed Feb 9 13:43:25 EST 2011


I'm saying that most other extensions to OpenSSH are executables, not
in-proc libraries.

On Tue, Feb 8, 2011 at 5:45 PM, Mark Cavage <mark.cavage at joyent.com> wrote:
> I'm not sure I follow - this is an sshd proposal (i.e., I mainly
> hacked up sshd/auth2-pubkey.c) so that the target host doesn't need a
> ~/.ssh/authorized_keys file.
>
> On Tue, Feb 8, 2011 at 5:33 PM, Dan Kaminsky <dan at doxpara.com> wrote:
>> This would be a more elegant mechanism for adding DNSSEC support than
>> my present patch.  For synchrony though, perhaps this should be a
>> ProxyCommand style executable?
>>
>> On Tue, Feb 8, 2011 at 4:03 PM, Mark Cavage <mark.cavage at joyent.com> wrote:
>>> I would like to implement a feature whereby users can write their own
>>> plugins for authorizing use of a public key.  I've got a private
>>> branch of this working, but would like feedback before submitting a
>>> patch (starting with whether the community would want this).
>>> Essentially, I've added a line in sshd_config like:
>>>
>>> PubKeyPlugin ~/local/dev/plugin/libsshplugin.so
>>>
>>> Which dlopen's said plugin and looks for a function that checks access
>>> for RSA public keys (function defined below). It would not be a
>>> stretch to add DSA et al., but I didn't want to bother unless this
>>> gets blessed. The function gets invoked in auth2-pubkey only if the
>>> authorized_keys file checks failed.
>>>
>>> I did this as the only other functionality like this I saw were things
>>> like the LPK/Fed-SSH patches that assume one is running LDAP; this
>>> mechanism allows a user to run whatever arbitrary things they want to
>>> determine what keys map to what users (or by group, etc.).
>>>
>>> Thank you!
>>>
>>> /**
>>>  * NAME:
>>>  *     int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd, const char *fingerprint)
>>>  *
>>>  * DESCRIPTION:
>>>  *     Determines whether or not the specified key is allowed to authenticate as the user in pwd
>>>  *
>>>  * INPUTS:
>>>  *     RSA *rsa                 The RSA public key used by the remote party (signature check has already passed)
>>>  *     struct passwd *pwd       The user record the remote party is attempting to log in as
>>>  *     const char *fingerprint  MD5 fingerprint of the RSA public key (for convenience)
>>>  *
>>>  * OUTPUTS:
>>>  *     [0]    Not Allowed
>>>  *     [1]    Allowed
>>>  *
>>>  * NOTES:
>>>  *     Developers are expected to link against OpenSSL, and include <openssl/rsa.h>.
>>>  *     There is no dependency on OpenSSH.
>>>  */
>>> int sshd_user_rsa_key_allowed(RSA *rsa, struct passwd *pwd, const char *fingerprint);
>>
>

