pass fingerprint to authorizedkeyscommand

Jason A. Donenfeld Jason at
Mon Jun 10 04:20:00 EST 2013

Hi guys,

It might be nice if AuthorizedKeysCommand would receive the fingerprint of
the offered key as an argument, so that programs like gitolite could
implement more refined key-based identity lookup that offers better
performance than AuthorizedKeysFile's linear scan.

The following patch is untested but is the basic idea:

diff -ru openssh-6.2p1/auth2-pubkey.c openssh-6.2p1-modified/auth2-pubkey.c
--- openssh-6.2p1/auth2-pubkey.c 2013-02-15 00:28:56.000000000 +0100
+++ openssh-6.2p1-modified/auth2-pubkey.c 2013-06-09 20:07:15.039975210
@@ -554,7 +554,8 @@

-    options.authorized_keys_command, user_pw->pw_name, NULL);
+    options.authorized_keys_command, user_pw->pw_name,
+    key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX), NULL);

  error("AuthorizedKeysCommand %s exec failed: %s",
     options.authorized_keys_command, strerror(errno));
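Review bot: appending a second argv entry changes the calling convention every existing AuthorizedKeysCommand sees, so a script that checks argc or treats "$2" as something else will break; the new argument, and its exact format (MD5, colon-separated hex, which is what `key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX)` produces), should be documented in sshd_config(5) in the same patch, and the consumer should be told that the fingerprint is only a lookup index: sshd still matches the offered key against the key lines the command prints, so the command must print the full key, not merely "found". Two smaller points on the hunk itself: `key_fingerprint()` returns a heap-allocated string that is never freed on the `error("AuthorizedKeysCommand %s exec failed: %s", ...)` path (bounded, since this runs in the child immediately before the exec, but worth a local variable so it can be freed or at least reasoned about), and the hunk header claims an 8-line range while only the two changed lines and two trailing context lines are visible, so the execl call this argument list belongs to should be shown when the patch is posted for real.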

Does this sound interesting?
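To show what a consumer of the proposed second argument would do with it, here is an AuthorizedKeysCommand-style lookup written in Python. This is an added example, not code from the post, from OpenSSH or from gitolite; the key material is constructed for the demonstration (arbitrary bytes in ssh-ed25519 wire layout, not a real key), the `/usr/local/bin/git-identity-shell` path is a hypothetical handler standing in for whatever the git service uses, and `KEY_STORE` stands in for a database keyed by fingerprint. The fingerprint format it computes is the one the patch passes: MD5 over the base64-decoded key blob, colon-separated hex. The security-relevant part is that the command returns the full authorized_keys line rather than a yes/no answer, so sshd still verifies the offered key against the actual key material; the fingerprint only replaces the linear scan as an index.

```python
"""AuthorizedKeysCommand-style lookup keyed by the MD5 hex fingerprint
that the proposed sshd patch would pass as the command's second argument.

Added example, not part of the original post, of OpenSSH or of gitolite.
The key material below is constructed test data, not a real key.
"""
import base64
import hashlib
import re
import struct
import sys
from typing import Dict, List, Tuple

# Hypothetical handler that receives the resolved identity (assumption).
IDENTITY_SHELL = "/usr/local/bin/git-identity-shell"

# SSH_FP_MD5 + SSH_FP_HEX: 16 colon-separated lowercase hex byte pairs.
_FP_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def md5_hex_fingerprint(blob: bytes) -> str:
    """MD5 over the raw key blob, rendered as colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_of_key_line(line: str) -> str:
    """Fingerprint of a public-key line of the form 'type base64 [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    return md5_hex_fingerprint(blob)


# Constructed key: string(type) + string(32-byte key). The 32 bytes are
# arbitrary test data (0x00..0x1f), not a real key.
_TEST_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
TEST_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_TEST_BLOB).decode() + " alice@example"

# Identity store: fingerprint -> (owner, full key line). A real deployment
# would query a database here instead of a dict; this is constructed data.
KEY_STORE: Dict[str, Tuple[str, str]] = {
    fingerprint_of_key_line(TEST_KEY_LINE): ("alice", TEST_KEY_LINE),
}


def authorized_keys_for(login_user: str, fingerprint: str) -> List[str]:
    """Lines the command prints for sshd given argv[1]=user, argv[2]=fingerprint.

    The fingerprint is only an index: the full key line is returned so sshd
    performs the real key comparison and signature check itself. An unknown
    or malformed fingerprint yields no lines, which sshd treats as "not
    authorized" for this lookup.
    """
    fp = fingerprint.lower()
    if not _FP_RE.match(fp):
        return []
    entry = KEY_STORE.get(fp)
    if entry is None:
        return []
    owner, key_line = entry
    # Pin the key to the identity handler so the resolved owner, not the
    # shared login user, is what the service acts on.
    options = (f'command="{IDENTITY_SHELL} {owner}",'
               'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty')
    return [f"{options} {key_line}"]


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        sys.stderr.write("usage: lookup.py <user> <md5-hex-fingerprint>\n")
        return 2
    for line in authorized_keys_for(argv[1], argv[2]):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run stand-alone with a user name and the fingerprint printed by `ssh-keygen -l -f` on a key that is in the store; only the matching full key line is printed, and anything that is not a well-formed MD5 hex fingerprint produces no output rather than an error sshd would have to interpret.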


More information about the openssh-unix-dev mailing list