AuthorizedKeysCommand support added

Damien Miller djm at
Thu Nov 1 02:55:57 EST 2012

On Wed, 31 Oct 2012, Alex Bligh wrote:

> On 31 Oct 2012, at 08:01, Damien Miller wrote:
> >> 
> >> Or have you by this time checked the username is in some way sane?
> > 
> > It is only invoked if the user actually has an account on the host, so
> > there is no risk of bad usernames percolating through to the helper.
> My concern was partly the LDAP case where (at least with the ldap patches)
> it lets you if there is an account on the LDAP server. I'm not sure whether
> there is some form of escalation opportunity here. I think with the
> Match group thing, perhaps not. Can we guarantee that the username is
> a string for which getpwnam returns an entry?


> If so, perhaps this isn't
> a problem, as if admins permit users with | `` < > $ {} etc in, then they
> deserve all they get if they don't write safe scripts. It would be useful
> to document that the script can rely on the fact that $1 is a username
> for which getpwnam returned something sometime in the recent past.

I'd rather leave them paranoid if it encourages proper care :)


More information about the openssh-unix-dev mailing list