Handing connection depending on the client computer public key fingerprint

Damien Miller djm at mindrot.org
Tue Oct 25 09:55:49 EST 2011

On Fri, 21 Oct 2011, Mike Spinzer wrote:

> Hello,
> I try to find a way to handle SSH connections differently depending
> if it comes from a 'trusted" computer or from an unknown computer
> (for instance giving access to a shell versus allowing only scp/sftp
> in a chrooted environment). Using the IP address is not a solution
> since a trusted computer can be a laptop that is connected somewhere
> on Internet. One solution could be to use the client public key
> fingerprint; the server would then keep a white list of public key
> fingerprints that represent the trusted computers.
> However I can't find a way to implement this. I tried with the Match
> directive, but this one doesn't take such parameter I tried too with
> a ForceCommand, but fount no way to configure sshd to transmit the
> public key fingerprint to the script.

This seems like a reasonable feature request. Perhaps we could expose
the key or its fingerprint in a SSH_AUTH_KEY environment variable.

The only complexity is in transmitting the key from the pre-auth
privsep child up to the monitor process so it is available in the
session code later.


More information about the openssh-unix-dev mailing list