AW: AuthorizedKeysCommand support added

Fiedler Roman Roman.Fiedler at ait.ac.at
Wed Oct 31 19:58:26 EST 2012


Hi,

Just curious:

> ...
> The program is executed (directly, not via the shell) with a single
> argument of the user being logged in. It produces on stdout zero or more
> lines in authorized_keys format. The program must terminate normally and
> with a zero exit status or its output is disregarded.
> 
> The program is executed as the user being logged in, unless a different
> user is specified using AuthorizedKeysCommandUser.

Does this allow:

* Login as user x
* Fork a daemon process to stay alive after logout
* Logout
* Login again
* Let the daemon process running as x attach to the key-fetch script running as x, take over fds, ...
* Let the key-fetch script return something nice

This would of course only work if, e.g., ptrace-attach to non-children with the same UID is allowed, which is OK on older kernels/distros; new ones should block that.

Roman
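The scenario above hinges on one precondition: that a process can PTRACE_ATTACH to an unrelated process with the same UID. The following program is an added example, written for this page and not part of the original message or of OpenSSH, that tests exactly that on the current Linux kernel. It assumes a Linux system; the Yama ptrace_scope path under /proc and the hypothetical function names are the only things it relies on. It leaves behind an orphaned "daemon" process that is not its child, then tries to attach to it, which is the step the message's daemon would have to perform against the AuthorizedKeysCommand process.

```c
/* Added example (not from the original message or from OpenSSH).
 * Checks whether this process may PTRACE_ATTACH to an unrelated process
 * that runs under the same UID, i.e. the precondition for the attack
 * sketched in the message. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read /proc/sys/kernel/yama/ptrace_scope (hypothetical helper name).
 * Returns 0..3, or -1 when the Yama LSM is not available. */
int yama_ptrace_scope(void) {
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f) return -1;
    int scope = -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}

/* Spawn a sleeping process that is NOT our child: fork, let the child fork
 * again and exit, so the grandchild is reparented away from us. This plays
 * the role of the daemon left behind after logout. Returns its pid or -1. */
static pid_t spawn_orphan(void) {
    int fd[2];
    if (pipe(fd) < 0) return -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        pid_t gc = fork();
        if (gc == 0) {
            close(fd[0]);
            close(fd[1]);
            for (;;) pause();            /* idle "daemon" */
        }
        if (write(fd[1], &gc, sizeof gc) != (ssize_t)sizeof gc) gc = -1;
        _exit(gc < 0 ? 1 : 0);
    }
    close(fd[1]);
    pid_t gc = -1;
    if (read(fd[0], &gc, sizeof gc) != (ssize_t)sizeof gc) gc = -1;
    close(fd[0]);
    waitpid(child, NULL, 0);             /* intermediate child is gone: grandchild is now an orphan */
    return gc;
}

/* Try PTRACE_ATTACH on the orphan (hypothetical helper name).
 * Returns 1 if the attach succeeds (the message's scenario is possible),
 * 0 if the kernel refuses it (typically EPERM with Yama ptrace_scope >= 1),
 * -1 if the test process could not be set up. */
int same_uid_attach_allowed(void) {
    pid_t victim = spawn_orphan();
    if (victim <= 0) return -1;
    int allowed;
    if (ptrace(PTRACE_ATTACH, victim, NULL, NULL) == 0) {
        waitpid(victim, NULL, 0);        /* wait for the attach-induced stop */
        ptrace(PTRACE_DETACH, victim, NULL, NULL);
        allowed = 1;
    } else {
        fprintf(stderr, "PTRACE_ATTACH to pid %d refused: %s\n",
                (int)victim, strerror(errno));
        allowed = 0;
    }
    kill(victim, SIGKILL);               /* clean up the orphan */
    return allowed;
}

int main(void) {
    int scope = yama_ptrace_scope();
    int allowed = same_uid_attach_allowed();
    printf("yama ptrace_scope: %d (-1 = Yama not available)\n", scope);
    printf("attach to unrelated same-UID process: %s\n",
           allowed == 1 ? "ALLOWED" : allowed == 0 ? "refused" : "setup error");
    return 0;
}
```

On a kernel with Yama and ptrace_scope set to 1 or higher the attach is refused, which is the "new ones should block that" case in the message; with ptrace_scope 0, or without Yama, it is allowed and the daemon could interfere with any same-UID AuthorizedKeysCommand process. Independently of the kernel setting, the quoted documentation already names the configuration that removes the precondition: set AuthorizedKeysCommandUser to a dedicated account, so the command never runs as the user who is logging in.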

