pass fingerprint to authorizedkeyscommand

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jun 10 06:27:51 EST 2013


On 06/09/2013 02:20 PM, Jason A. Donenfeld wrote:

> It might be nice if AuthorizedKeysCommand would receive the fingerprint of
> the offered key as an argument, so that programs like gitolite could
> implement more refined key-based identity lookup that offers better
> performance than AuthorizedKeysFile's linear scan.

I like this proposal.

A similar suggestion came up on January 14th of this year, in the
thread started by Katsumoto San, Subject: "AuthorizedKeysCommand":

 http://marc.info/?t=135817865200002&r=1&w=2

If the goal is to pass information about the key, i'd rather that the
information passed was the entire key, not just the fingerprint.  Maybe
your patch could put the full key in some canonical form as the next
parameter instead of just the fpr?

One nice thing about your proposed patch is that existing
AuthorizedKeysCommand implementations will still work, but newer
implementations can take advantage of the second parameter (if present)
to minimize the work they need to do.

	--dkg
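To make the compatibility point concrete, here is an added example (not from this thread, OpenSSH or gitolite) of an AuthorizedKeysCommand in Python: called with only the username it returns every key for that user, as today's implementations must, and when a second argument is present it does an indexed lookup instead, accepting either a "SHA256:" fingerprint or the full key line, in which case it derives the fingerprint itself (dkg's preference, since the command can then hash the key however it likes). The usernames, gitolite-style options and key blobs are constructed sample data, not real keys.

```python
import base64, hashlib, struct, sys

def key_blob(pubkey_line):
    """Decode the blob of an OpenSSH 'type base64 [comment]' line and check that
    the type string embedded in the blob matches the line's type field."""
    ktype, b64 = pubkey_line.split()[:2]          # ValueError if fewer than 2 fields
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key type field does not match blob")
    return blob

def fingerprint(pubkey_line):
    """SHA256 fingerprint as ssh-keygen -l prints it: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def make_ed25519_line(seed, comment):
    """Constructed ssh-ed25519-shaped public key line for the demo; not a real key."""
    pk = bytes((seed + i) & 0xFF for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pk
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed sample store: (unix user, authorized_keys options, public key line).
SAMPLE_ENTRIES = [
    ("git", 'command="gitolite-shell alice"', make_ed25519_line(0, "alice")),
    ("git", 'command="gitolite-shell bob"', make_ed25519_line(32, "bob")),
    ("deploy", "", make_ed25519_line(64, "deploy")),
]

class KeyStore:
    def __init__(self, entries):
        self.by_user, self.by_fpr = {}, {}
        for user, opts, line in entries:
            self.by_user.setdefault(user, []).append((opts, line))
            self.by_fpr[fingerprint(line)] = (user, opts, line)   # O(1) index

    def lookup(self, user, offered=None):
        """No second argument: all of the user's keys (today's behaviour).
        Fingerprint or full key given: only the matching entry, if it is the user's."""
        fmt = lambda opts, line: (opts + " " + line) if opts else line
        if offered is None:
            return [fmt(o, l) for o, l in self.by_user.get(user, [])]
        fpr = offered if offered.startswith("SHA256:") else fingerprint(offered)
        hit = self.by_fpr.get(fpr)
        return [fmt(hit[1], hit[2])] if hit and hit[0] == user else []

if __name__ == "__main__":   # usage: authkeys.py <user> [fingerprint-or-key-line]
    for line in KeyStore(SAMPLE_ENTRIES).lookup(*sys.argv[1:3]):
        print(line)
```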
