AuthorizedKeysCommand

[Shogun]

14.01.13 18:22, Daniel Kahn Gillmor пишет:
 > On 01/14/2013 10:36 AM, Katsumoto san wrote:
 >> We could set AuthorizedKeysCommand script, this will allow only to 
replace
 >> authorized_keys file with keys stored in a database... But why this 
command
 >> is so limited?
 >>
 >> Why i can't just set a command script which will get a username and 
public
 >> key as arguments and let him do it's own authorization??
 > It sounds to me like you're proposing a different interface than the
 > current AuthorizedKeysCommand -- the current interface maps quite
 > cleanly to the AuthorizedKeysFile, and can be processed in a similar way
 > by ssh (it's just reading the list of authorized keys from a different
 > kind of file descriptor).
Yes, like i've said AuthorizedKeysCommand now is almost like a 
simulation of AuthorizedKeysFile.
 > What you're proposing sounds rather different (but i agree it could be
 > useful).  It's more of a KeyAuthorizationCommand (since it takes a
 > single key and decides whether it is authorized) than an
 > AuthorizedKeysCommand.
Yes is not what now AuthorizedKeysCommand does, this could be named 
different (not so important), i've just expected from this command to 
work so.
 >
 > But note that an ssh client can offer several keys to the ssh server [0]
 > to see which ones might be acceptable.  So the command you describe
 > might need to be invoked several times per attempted connection.
 >
 > Maybe you could propose a concrete specification for what you want?  How
 > would the public key and user account be structured as arguments to the
 > command?
 >
I'm not sure if client send all this keys at once or not, but if so will 
be good i think to run script one time and get all the keys as "array", 
also the script should get the username.
Now command script could access $SSH_ORIGINAL_COMMAND from env so this 
data may also set there, or maybe pass as script arguments ...
 >> I think this will allow for much more powerful tricks. For example 
do to an
 >> database lookup with keys to identify and authorize or deny access 
and so
 >> on...
 > Note that the current API can still do a database lookup by the user
 > account, as long as the database is able to enumerate the keys that are
 > acceptable for authorizing access.
This is also limited to the username. What if we have only a user for ex 
'git' accessed by many users? So we need to identify them by pub keys 
like Github does. This also will allow more flexibility on controlling 
this action, custom acl's and so on...
 >     --dkg
 >
 > [0] https://tools.ietf.org/html/rfc4252#section-7
 >