Connection info with AuthorizedKeysCommand
Damien Miller
djm at mindrot.org
Wed Nov 21 10:50:56 EST 2012
On Tue, 20 Nov 2012, Anthony R Fletcher wrote:
> I see that support for AuthorizedKeysCommand has been added. The
> arguments supplied to the command is just the authenticating user. Can
> we add the SSH connection details (ie. source and destination IPs and
> ports) as well?
>
> This command seems to be the idea way of requiring one set of
> credentials from inside an organisation (say the user's own
> authorized_keys file) and another set from outside (say 2 factor smart
> card keys).
>
> To do this the command needs to know where the connection is coming
> from. I can see a similar reason for knowing the destination IP or port.
An AuthorizedKeysCommand can emit lines with from="" phrases to
achieve the same effect. Anything that works in authorized_keys works
in the output of AuthorizedKeysCommand.
> We could use a cumbersome Match statement, but why not make all the
> information available to the AuthorizedKeysCommand command?
AuthorizedKeysCommand should be as simple as possible, I don't want to
burden it with lots of options, especially when the authorized_keys format
is quite powerful as it is.
-d
More information about the openssh-unix-dev
mailing list