Extracting client certificate information

Damien Miller djm at mindrot.org
Tue Aug 20 08:47:23 EST 2013


On Sun, 18 Aug 2013, John Keeping wrote:

> When using client certificate authentication, is there any way to
> extract the key ID from the certificate in a force command on the
> server?
> 
> I would like to be able to configure Gitolite [1] with a certificate
> authority key and then use the key ID as the Gitolite user ID when a
> client connects.  Currently I can achieve the same effect by embedding
> the username in a "force-command" certificate extension, but it seems
> like it would be simpler if I could just configure the command once on
> the server and use the key ID in it.
> 
> Am I missing some way of doing this, or is that a feature that you would
> consider supporting?

Not at present. I had plans to implement a SSH_AUTH_KEY (patches even!)
that would expose the key used for authentication to the sessions started
after it but they were derailed by the multiple-authentication support
we added recently. The problem is that there now might be more than one
key used for authentication so I have to redesign them to support these
cases.

The intent is that you could do something like:

echo $SSH_AUTH_KEY | ssh-keygen -Lf - | grep ^"Key ID:"

but obviously that doesn't work right now.

Doing post-authentication authorisation like this can be risky though: you
have to ensure that users cannot set the SSH_AUTH_KEY environment variable
themselves otherwise they could impersonate anyone :/

If you are interested in this then there is a bug open for it, but I can't
find it right now - it must have had a confusing title. The only slightly-tricky
part in implementing it is to ensure that the key used for authn
gets recorded in the privsep monitor rather than just the child process.

-d
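For readers who want to see what the intended `echo $SSH_AUTH_KEY | ssh-keygen -Lf - | grep ^"Key ID:"` pipeline would actually extract, here is an added Python example (not part of this thread and not OpenSSH code) that parses the `ssh-ed25519-cert-v01@openssh.com` wire format from PROTOCOL.certkeys directly and returns the Key ID, serial, principals, validity window and extensions, which is the same information `ssh-keygen -L` prints. The sample certificate it feeds itself is constructed in-line and unsigned; it exists only so the example runs offline, and the function names (`parse_ed25519_cert`, `cert_user_id`, `build_sample_cert`) are this example's own. The parser deliberately does no signature checking: in a forced-command setting that trust comes from sshd having already verified the CA signature, which is exactly why the certificate must reach the command through a variable sshd sets rather than one the client can supply.

```python
import base64
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"


def _read_string(buf, off):
    """Read an SSH 'string' (uint32 big-endian length + bytes) at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated certificate")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off:off + n], off + n


def _read_uint(buf, off, size):
    """Read a uint32 (size=4) or uint64 (size=8) at off."""
    fmt = ">I" if size == 4 else ">Q"
    return struct.unpack(fmt, buf[off:off + size])[0], off + size


def _read_name_list(blob):
    """Principals: a string containing zero or more nested strings."""
    items, off = [], 0
    while off < len(blob):
        s, off = _read_string(blob, off)
        items.append(s.decode())
    return items


def _read_pairs(blob):
    """Critical options / extensions: (name string, data string) pairs."""
    pairs, off = {}, 0
    while off < len(blob):
        name, off = _read_string(blob, off)
        data, off = _read_string(blob, off)
        pairs[name.decode()] = data
    return pairs


def parse_ed25519_cert(cert_line):
    """Parse one authorized_keys-style line holding an ed25519 certificate.
    Field order follows PROTOCOL.certkeys; no signature verification is done."""
    parts = cert_line.split()
    if len(parts) < 2 or parts[0] != CERT_TYPE:
        raise ValueError("not an %s line" % CERT_TYPE)
    blob = base64.b64decode(parts[1])
    kind, off = _read_string(blob, 0)
    if kind != CERT_TYPE.encode():
        raise ValueError("certificate body type does not match line type")
    _nonce, off = _read_string(blob, off)
    _pubkey, off = _read_string(blob, off)
    serial, off = _read_uint(blob, off, 8)
    cert_type, off = _read_uint(blob, off, 4)
    key_id, off = _read_string(blob, off)
    principals, off = _read_string(blob, off)
    valid_after, off = _read_uint(blob, off, 8)
    valid_before, off = _read_uint(blob, off, 8)
    critical, off = _read_string(blob, off)
    extensions, off = _read_string(blob, off)
    _reserved, off = _read_string(blob, off)
    _sig_key, off = _read_string(blob, off)
    _signature, off = _read_string(blob, off)
    return {
        "serial": serial,
        "type": "user" if cert_type == 1 else "host",
        "key_id": key_id.decode(),
        "principals": _read_name_list(principals),
        "valid_after": valid_after,
        "valid_before": valid_before,
        "critical_options": _read_pairs(critical),
        "extensions": _read_pairs(extensions),
    }


def cert_user_id(cert_line, now=None):
    """Return the Key ID usable as a Gitolite-style user id, or None if the
    certificate is not a currently-valid user certificate."""
    now = int(time.time()) if now is None else now
    info = parse_ed25519_cert(cert_line)
    if info["type"] != "user":
        return None
    if not (info["valid_after"] <= now < info["valid_before"]):
        return None
    return info["key_id"]


def _string(b):
    return struct.pack(">I", len(b)) + b


def build_sample_cert(key_id, principals, serial=42, cert_type=1,
                      valid_after=0, valid_before=2 ** 64 - 1):
    """Construct a syntactically valid but UNSIGNED sample certificate line.
    Only here to give the example offline input; real certificates are issued
    with 'ssh-keygen -s' and carry a genuine CA signature."""
    body = b"".join([
        _string(CERT_TYPE.encode()),
        _string(b"\x00" * 32),                         # nonce (constructed)
        _string(b"\x00" * 32),                         # public key (constructed)
        struct.pack(">Q", serial),
        struct.pack(">I", cert_type),
        _string(key_id.encode()),
        _string(b"".join(_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after),
        struct.pack(">Q", valid_before),
        _string(b""),                                  # critical options
        _string(_string(b"permit-pty") + _string(b"")),  # extensions
        _string(b""),                                  # reserved
        _string(b"\x00" * 51),                         # signature key (constructed)
        _string(b"\x00" * 64),                         # signature (constructed)
    ])
    return "%s %s sample@example" % (CERT_TYPE, base64.b64encode(body).decode())


if __name__ == "__main__":
    line = build_sample_cert("alice", ["alice", "git"])
    print(parse_ed25519_cert(line))
    print("user id:", cert_user_id(line))
```

In a real deployment the only safe input to `cert_user_id` is a value the server itself placed in the session (the `SSH_AUTH_KEY` idea above); a forced command that accepted the certificate from anything the client controls would let any holder of any valid certificate name an arbitrary Key ID, which is the impersonation risk described in the message.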

