AuthorizedKeysCommand [was: Re: Feature Request: Plugin Model for authorizing public keys]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Feb 9 15:57:08 EST 2011
On 02/08/2011 09:43 PM, Dan Kaminsky wrote:
> I'm saying that most other extensions to OpenSSH are executables, not
> in-proc libraries.
There is an outstanding bug report addressing this issue, with a patch
providing AuthorizedKeysCommand functionality:
https://bugzilla.mindrot.org/show_bug.cgi?id=1663
It sounds like this is already adopted by Fedora and RedHat downstream.
The semantics are slightly different than those proposed by Mark Cavage,
though:
* AuthorizedKeysCommand, invoked with a single argument (the username)
produces output identical to (and interpreted as) a standard
AuthorizedKeysFile.
* if the offered key is *not* found in the output of
AuthorizedKeysCommand, then AuthorizedKeysFile continues as usual.
This lets an AuthorizedKeysCommand implementor provide options like
no-pty, etc. However, it also requires that such an implementation
exhaustively enumerate all acceptable keys.
i suspect an argument could be made for a different resolution to this
feature request: have AuthorizedKeysCommand accept the offered key on
stdin, write any restricting options to stdout, and have the return code
of the process indicate acceptance or not. Such an argument would be
more convincing with some code to back it up, of course ;)
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20110208/a8be2f98/attachment-0001.bin>
More information about the openssh-unix-dev
mailing list