Extracting client certificate information
Damien Miller
djm at mindrot.org
Tue Aug 20 08:47:23 EST 2013
On Sun, 18 Aug 2013, John Keeping wrote:
> When using client certificate authentication, is there any way to
> extract the key ID from the certificate in a force command on the
> server?
>
> I would like to be able to configure Gitolite [1] with a certificate
> authority key and then use the key ID as the Gitolite user ID when a
> client connects. Currently I can achieve the same effect by embedding
> the username in a "force-command" certificate extension, but it seems
> like it would be simpler if I could just configure the command once on
> the server and use the key ID in it.
>
> Am I missing some way of doing this, or is that a feature that you would
> consider supporting?
Not at present. I had plans to implement a SSH_AUTH_KEY (patches even!)
that would expose the key used for authentication to the sessions started
after it but they were derailed by the multiple-authentication support
we added recently. The problem is that there now might be more than one
key used for authentication so I have to redesign them to support these
cases.
The intent is that you could do something like:
echo $SSH_AUTH_KEY | ssh-keygen -Lf - | grep ^"Key ID:"
but obviously that doesn't work right now.
Doing post-authentication authorisation like this can be risky though: you
have to ensure that users cannot set the SSH_AUTH_KEY environment variable
themselves otherwise they could impersonate anyone :/
If you are interested in this then there is a bug open for it, but I can't
find it right now - it must have had a confusing title. The only slightly-
tricky part in implementing it is to ensure that the the key used for authn
gets recorded in the privsep monitor rather than just the child process.
-d
More information about the openssh-unix-dev
mailing list