pass fingerprint to authorizedkeyscommand
Jason A. Donenfeld
Jason at zx2c4.com
Mon Jun 10 04:20:00 EST 2013
Hi guys,
It might be nice if AuthorizedKeysCommand would receive the fingerprint of
the offered key as an argument, so that programs like gitolite could
implement more refined key-based identity lookup that offers better
performance than AuthorizedKeysFile's linear scan.
The following patch is untested but is the basic idea:
diff -ru openssh-6.2p1/auth2-pubkey.c openssh-6.2p1-modified/auth2-pubkey.c
--- openssh-6.2p1/auth2-pubkey.c 2013-02-15 00:28:56.000000000 +0100
+++ openssh-6.2p1-modified/auth2-pubkey.c 2013-06-09 20:07:15.039975210
+0200
@@ -554,7 +554,8 @@
}
execl(options.authorized_keys_command,
- options.authorized_keys_command, user_pw->pw_name, NULL);
+ options.authorized_keys_command, user_pw->pw_name,
+ key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX), NULL);
error("AuthorizedKeysCommand %s exec failed: %s",
options.authorized_keys_command, strerror(errno));
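Review bot: the new execl argument hard-codes the digest as SSH_FP_MD5 with SSH_FP_HEX inside sshd, so every AuthorizedKeysCommand consumer is tied to MD5 hex fingerprints and a later change of preferred fingerprint format needs another sshd patch; passing the offered key itself (type and base64 blob, as it appears in an authorized_keys line) would let the command derive whatever identifier it wants. Whichever form is chosen, this hunk changes the calling convention from one positional argument (`user_pw->pw_name`) to two, so the AuthorizedKeysCommand documentation should describe the second argument in the same patch and the effect on existing commands that expect exactly one argument should be stated. Since this runs in the child immediately before execl, the string returned by key_fingerprint() does not need freeing here, which is worth a one-line comment so nobody "fixes" it later.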
Does this sound interesting?
Thanks,
Jason
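The lookup the post has in mind, as an added example that is not part of the original message and not code from OpenSSH or gitolite: a helper invoked as `<command> <username> <fingerprint>`, where the fingerprint is in the MD5 colon-hex form the patch would pass. It builds a fingerprint-to-line index once (the single linear pass), then answers each login with a dictionary hit, and validates the fingerprint's shape because it is derived from a key offered by a not-yet-authenticated client. The key blobs, file contents and the regex for key types are constructed assumptions for the demonstration.

```python
"""AuthorizedKeysCommand-style lookup keyed by MD5 hex fingerprint.
Constructed example; not code from the post, OpenSSH or gitolite."""
import base64
import hashlib
import re
import sys

# SSH_FP_MD5 + SSH_FP_HEX form: 16 bytes as colon-separated lowercase hex pairs.
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")

# Finds "<keytype> <base64>" in an authorized_keys line, including lines with an
# options prefix such as command="...". Assumption: only these key types occur.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/=]+)"
)


def md5_hex_fingerprint(b64_blob: str) -> str:
    """Fingerprint of a base64 key blob in the format the patch would pass to us."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_index(authorized_keys_text: str) -> dict:
    """One linear pass over the key file, producing fingerprint -> full line.
    Done once when keys are installed, so each login lookup is a dict hit."""
    index = {}
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            continue
        index[md5_hex_fingerprint(m.group(2))] = line
    return index


def lookup(index: dict, fingerprint: str):
    """Return the authorized_keys line for the fingerprint, or None.
    The argument comes from a client-supplied key, so its shape is checked
    before it is used as a dictionary key."""
    if not FINGERPRINT_RE.match(fingerprint):
        return None
    return index.get(fingerprint)


def sample_blob(seed: bytes) -> str:
    """Constructed key blob (wire-format type string + filler), not a real key."""
    key_type = b"ssh-rsa"
    return base64.b64encode(len(key_type).to_bytes(4, "big") + key_type + seed * 8).decode()


# Constructed sample file contents; the blobs are filler, not usable keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    "ssh-rsa " + sample_blob(b"alice") + " alice@example",
    'command="gitolite-shell bob" ssh-rsa ' + sample_blob(b"bob") + " bob@example",
    "ssh-rsa " + sample_blob(b"carol") + " carol@example",
])


def main(argv):
    # sshd would invoke: <command> <username> <fingerprint>
    if len(argv) != 3:
        return 1
    user, fingerprint = argv[1], argv[2]
    # A real helper would select the per-user index by `user`; this sample has one file.
    line = lookup(build_index(SAMPLE_AUTHORIZED_KEYS), fingerprint)
    if line is not None:
        print(line)  # sshd reads stdout in authorized_keys format
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Printing nothing for an unknown or malformed fingerprint leaves sshd with no matching key, which is the same outcome as an absent authorized_keys entry; the command never has to reject the login itself.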