Connection info with AuthorizedKeysCommand

Damien Miller djm at mindrot.org
Wed Nov 21 10:50:56 EST 2012


On Tue, 20 Nov 2012, Anthony R Fletcher wrote:

> I see that support for AuthorizedKeysCommand has been added. The
> arguments supplied to the command are just the authenticating user. Can
> we add the SSH connection details (ie. source and destination IPs and
> ports) as well?
> 
> This command seems to be the ideal way of requiring one set of
> credentials from inside an organisation (say the user's own
> authorized_keys file) and another set from outside (say 2-factor smart
> card keys).
> 
> To do this the command needs to know where the connection is coming
> from. I can see a similar reason for knowing the destination IP or port.

An AuthorizedKeysCommand can emit lines with from="" phrases to
achieve the same effect. Anything that works in authorized_keys works
in the output of AuthorizedKeysCommand.

> We could use a cumbersome Match statement, but why not make all the
> information available to the AuthorizedKeysCommand command?

AuthorizedKeysCommand should be as simple as possible; I don't want to
burden it with lots of options, especially when the authorized_keys format
is quite powerful as it is.

-d
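The from="" approach described in the reply, worked through as an added example that is not OpenSSH code and not from either poster: a POSIX sh AuthorizedKeysCommand that emits the user's own authorized_keys lines restricted to internal source networks and a root-maintained set of smart card keys without any source restriction. The sshd_config lines, the network ranges, the smart card key directory and the command user are assumptions for the example.

```shell
#!/bin/sh
# Added example of a split-credential AuthorizedKeysCommand; not OpenSSH code.
# Assumed sshd_config lines (the "none" stops sshd from also reading the
# user's file directly, which would bypass the from= restriction entirely):
#   AuthorizedKeysFile none
#   AuthorizedKeysCommand /usr/local/sbin/split-keys %u
#   AuthorizedKeysCommandUser sshd-keys   # hypothetical account that can read the files
INTERNAL_NETS="10.0.0.0/8,192.168.0.0/16"   # constructed example ranges
SMARTCARD_DIR="/etc/ssh/smartcard_keys"     # hypothetical root-maintained directory

# restrict_line LINE: print LINE with from="$INTERNAL_NETS" prepended so the key
# is only accepted from those source addresses. authorized_keys options are a
# comma-separated list before the key type, so a bare key gets a space and an
# existing option list gets a comma. Lines whose options already contain from=
# are passed through unchanged: sshd rejects a second from= clause, and quietly
# replacing the author's own restriction is not wanted either.
restrict_line() {
    line=$1
    first=${line%% *}                 # first whitespace-delimited field
    case "$line" in
        ''|'#'*) return 0 ;;          # drop blank lines and comments
    esac
    case "$first" in
        ssh-*|ecdsa-*|sk-*) printf 'from="%s" %s\n' "$INTERNAL_NETS" "$line" ;;
        *from=*)            printf '%s\n' "$line" ;;
        *)                  printf 'from="%s",%s\n' "$INTERNAL_NETS" "$line" ;;
    esac
}

# emit_keys USER: the user's own keys, restricted to the internal networks,
# followed by the site-issued smart card keys, usable from anywhere (getent is Linux).
emit_keys() {
    user=$1
    case "$user" in */*) return 1 ;; esac   # never build a path from an odd name
    home=$(getent passwd "$user" | cut -d: -f6)
    if [ -r "$home/.ssh/authorized_keys" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            restrict_line "$line"
        done < "$home/.ssh/authorized_keys"
    fi
    [ -r "$SMARTCARD_DIR/$user" ] && cat -- "$SMARTCARD_DIR/$user"
    return 0
}

if [ $# -eq 1 ]; then
    emit_keys "$1"
fi
```

sshd only accepts the command when it is owned by root and not group- or world-writable, and the AuthorizedKeysCommandUser must be able to read both key sources.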

