Extracting client certificate information

Damien Miller djm at mindrot.org
Tue Aug 20 08:47:23 EST 2013

On Sun, 18 Aug 2013, John Keeping wrote:

> When using client certificate authentication, is there any way to
> extract the key ID from the certificate in a force command on the
> server?
> I would like to be able to configure Gitolite [1] with a certificate
> authority key and then use the key ID as the Gitolite user ID when a
> client connects.  Currently I can achieve the same effect by embedding
> the username in a "force-command" certificate extension, but it seems
> like it would be simpler if I could just configure the command once on
> the server and use the key ID in it.
> Am I missing some way of doing this, or is that a feature that you would
> consider supporting?

Not at present. I had plans to implement an SSH_AUTH_KEY (patches even!)
that would expose the key used for authentication to the sessions started
after it but they were derailed by the multiple-authentication support
we added recently. The problem is that there now might be more than one
key used for authentication so I have to redesign them to support these

The intent is that you could do something like:

echo $SSH_AUTH_KEY | ssh-keygen -Lf - | grep ^"Key ID:"

but obviously that doesn't work right now.

Doing post-authentication authorisation like this can be risky though: you
have to ensure that users cannot set the SSH_AUTH_KEY environment variable
themselves otherwise they could impersonate anyone :/

If you are interested in this then there is a bug open for it, but I can't
find it right now - it must have had a confusing title. The only slightly-tricky
part in implementing it is to ensure that the key used for authn
gets recorded in the privsep monitor rather than just the child process.
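As an added example, not code from this thread or from OpenSSH: a Python parser that pulls the Key ID and principals out of an OpenSSH certificate line of the kind SSH_AUTH_KEY would carry, which is what a forced command would need before mapping the Key ID to a Gitolite user. The certificate is constructed inside the block with placeholder key and signature bytes, and no signature is verified.

```python
import base64
import struct

def _s(b):  # SSH "string": uint32 big-endian length prefix + bytes
    return struct.pack(">I", len(b)) + b

def build_sample_cert():
    # Constructed sample line; public key, CA key and signature are placeholder bytes.
    blob = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x11" * 32)
            + struct.pack(">QI", 42, 1)                              # serial, type (1 = user)
            + _s(b"alice") + _s(_s(b"alice") + _s(b"alice-laptop"))  # key id, principals
            + struct.pack(">QQ", 0, 2**64 - 1) + _s(b"") * 3         # validity, opts, exts, reserved
            + _s(b"\x22" * 32) + _s(b"\x33" * 64))                   # signature key, signature
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(blob).decode() + " test"

# Number of string fields that make up the public key, per certificate type.
PK_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1,
             "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
             "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}  # curve, point

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def fixed(self, fmt):
        vals, self.pos = struct.unpack_from(fmt, self.data, self.pos), self.pos + struct.calcsize(fmt)
        return vals
    def string(self):
        (n,) = self.fixed(">I")
        if self.pos + n > len(self.data):
            raise ValueError("truncated string field")
        v, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return v

def parse_cert(line):
    # Walks the PROTOCOL.certkeys layout up to the principals list. The signature is
    # NOT checked here: only feed in a certificate that sshd has already authenticated.
    parts = line.split()
    if len(parts) < 2 or parts[0] not in PK_FIELDS:
        raise ValueError("not a supported OpenSSH certificate line")
    r = Reader(base64.b64decode(parts[1]))
    if r.string() != parts[0].encode():
        raise ValueError("blob type does not match key type prefix")
    r.string()                                  # nonce
    for _ in range(PK_FIELDS[parts[0]]):
        r.string()                              # public key component(s)
    serial, ctype = r.fixed(">QI")
    key_id = r.string().decode()
    pr, principals = Reader(r.string()), []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    return {"key_id": key_id, "principals": principals, "serial": serial, "type": ctype}
```

A forced command would also refuse anything with a type other than 1 (user certificate) before using the Key ID as a user name.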
