AuthorizedKeysCommand support added
Damien Miller
djm at mindrot.org
Thu Nov 1 03:00:03 EST 2012
On Wed, 31 Oct 2012, Philipp Marek wrote:
> > > Furthermore, how about setting alarm(60) or some similar timeout, and
> > > perhaps a CPU limit in the child handler, so that it doesn't run
> > > forever?
> >
> > The helper is subject to the global login grace timeout (sshd_config
> > LoginGraceTime).
> But I see no code that would kill the process then - only the authentication
> would fail, right?
search for killpg in sshd.c
> > > TBH, I can see the point that having a simple shell script in between -
> > > that can do all of this, too.
> >
> > No - the shell environment is too complicated for something that can
> > be triggered before authentication.
> Sorry for being unclear, I meant setting CPU (and other) ulimits, STDERR
> redirection and so on - these things can be done by a shell script.
> (Even syslog, by using logger(1).)
Why not build them into the helper directly? It isn't something that will
need to be written more than once per backend directory.
-d
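
An added example, not part of the original message or of OpenSSH: an AuthorizedKeysCommand helper that applies the CPU limit, stderr redirection, timeout and syslog logging discussed above inside the helper itself rather than in a wrapping shell script. The name harden_helper, the syslog tag and the limit values are assumptions chosen for illustration, and the backend lookup is left as a placeholder comment.

```c
#include <fcntl.h>
#include <sys/resource.h>
#include <syslog.h>
#include <unistd.h>

/* Hypothetical helper-side hardening; returns 0 on success, -1 on failure.
 * cpu_secs:  CPU-time cap (soft == hard, so it cannot be raised again)
 * wall_secs: wall-clock cap enforced with alarm() */
int harden_helper(rlim_t cpu_secs, unsigned wall_secs)
{
    struct rlimit cpu = { cpu_secs, cpu_secs };
    struct rlimit nocore = { 0, 0 };
    int fd;

    /* Exceeding the CPU limit delivers SIGXCPU, whose default action
     * terminates the process; core dumps are disabled as well. */
    if (setrlimit(RLIMIT_CPU, &cpu) != 0 ||
        setrlimit(RLIMIT_CORE, &nocore) != 0)
        return -1;

    /* Send stderr to /dev/null; diagnostics go to syslog instead. */
    fd = open("/dev/null", O_WRONLY);
    if (fd < 0)
        return -1;
    if (dup2(fd, STDERR_FILENO) < 0) {
        close(fd);
        return -1;
    }
    if (fd != STDERR_FILENO)
        close(fd);

    /* SIGALRM is left at its default action, which terminates the helper. */
    alarm(wall_secs);
    return 0;
}

int main(void)
{
    openlog("akc-helper", LOG_PID, LOG_AUTH);   /* tag is an assumption */
    if (harden_helper(2, 10) != 0) {            /* limit values are assumptions */
        syslog(LOG_ERR, "could not apply resource limits");
        return 1;
    }
    /* The backend directory lookup would go here, writing
     * authorized_keys-format lines to stdout. */
    return 0;
}
```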