SSH user authentication depending on their public key.

Thomas Martin tmartincpp at gmail.com
Tue May 21 21:07:16 EST 2013


2013/5/21 Damien Miller <djm at mindrot.org>:
> Where SSH_USER is what, exactly?
>

SSH_USER is a string which represents a name (like "thomas" for example).


> There are proposals to expose the key (or fingerprint thereof) used to
> authenticate a user under SSH_AUTH_KEY, but there are some corner cases
> to do with multiple authentication to be worked out.

I saw the post which talks about SSH_AUTH_KEY; I think this is a good
possibility.


> I think PermitUserEnvironment is safe if the users' shell is statically
> linked and it clears LD_* before doing anything else. Maybe we should
> make it a pattern-list of variables to accept though. I.e.
>
> PermitUserEnvironment BLAH*,LC_*
>
> Would allow any environment variable matching the wildcards.

In my opinion, that would be a really, really great feature which
should improve the security of the PermitUserEnvironment directive a
lot.
Also, you are probably right about the security of the shell itself; I
don't know if this is the case for bash, I will take a look.


> Alternately (and this is easier to do). You could move the
> AuthorizedKeysFile to be root-controlled (root-owned file and directory),
> comment out the parts of session.c that load ~/.ssh/environment and
> then turn PermitUserEnvironment back on. The user would have no way of
> setting arbitrary environment variables (assuming they don't have root)
> and you could use environment=... options in authorized_keys as much
> as you like.
>
> -d

I already have authorized_keys files in a read-only directory, so
indeed this trick could do the job (actually I hoped to avoid
recompiling OpenSSH, but why not).

Thanks.
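The thread turns on two things: identifying the user by the `environment="SSH_USER=..."` option attached to their key in a root-controlled authorized_keys file, and limiting which variable names PermitUserEnvironment will let through (the pattern-list Damien proposes above, which OpenSSH later adopted). The following script is an added example, not code from the thread or from OpenSSH: it parses authorized_keys lines (honouring quoted, comma-containing option values), pulls out the environment= entries, and reports which ones a given pattern-list would accept and which it would reject. The key material and comments are constructed placeholders; the pattern-list syntax and the `audit` function are assumptions for this example, and the matching uses shell-style wildcards via `fnmatch`, not OpenSSH's own matcher.

```python
"""Audit environment= options in an authorized_keys file against a
pattern-list of accepted variable names. Added example; not OpenSSH code."""
import fnmatch

# Constructed sample file: the keys are placeholders, not real public keys.
SAMPLE_AUTHORIZED_KEYS = """\
# thomas: the key carries the user's identity via an environment option
environment="SSH_USER=thomas",no-agent-forwarding ssh-ed25519 AAAAC3PLACEHOLDER1 thomas@laptop
environment="SSH_USER=alice",environment="LD_LIBRARY_PATH=/tmp" ssh-ed25519 AAAAC3PLACEHOLDER2 alice@desk
command="/usr/bin/backup,with,commas" ssh-rsa AAAAB3PLACEHOLDER3 backup
ssh-ed25519 AAAAC3PLACEHOLDER4 nobody
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def first_token_end(s):
    """Index where the first whitespace-delimited token ends; a double-quoted
    span (with backslash-escaped quotes) is treated as part of the token."""
    in_quote = False
    for i, c in enumerate(s):
        if c == '"' and (i == 0 or s[i - 1] != "\\"):
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return i
    return len(s)


def split_options(opts):
    """Split an option string on commas, keeping commas that sit inside
    double quotes and dropping the quotes themselves."""
    out, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if in_quote and c == "\\" and i + 1 < len(opts):
            cur.append(opts[i + 1])      # escaped character inside quotes
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line):
    """Return (options, keytype, key, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    n = first_token_end(line)
    head = line[:n]
    if head in KEY_TYPES:            # no options: the line starts with the key type
        options, rest = [], line
    else:
        options, rest = split_options(head), line[n:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line: " + line)
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], parts[1], comment


def env_entries(options):
    """Extract (NAME, value) pairs from environment=NAME=value options."""
    pairs = []
    for opt in options:
        if opt.startswith("environment="):
            name, _, value = opt[len("environment="):].partition("=")
            pairs.append((name, value))
    return pairs


def filter_env(pairs, pattern_list):
    """Split pairs into (accepted, rejected) using a comma-separated list of
    wildcard patterns on the variable name, e.g. "SSH_USER,LC_*"."""
    patterns = [p.strip() for p in pattern_list.split(",") if p.strip()]
    accepted, rejected = [], []
    for name, value in pairs:
        ok = any(fnmatch.fnmatchcase(name, p) for p in patterns)
        (accepted if ok else rejected).append((name, value))
    return accepted, rejected


def audit(text, pattern_list="SSH_USER,LC_*"):
    """Map each key's comment to (accepted, rejected) environment entries."""
    report = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            options, _keytype, _key, comment = parsed
            report[comment] = filter_env(env_entries(options), pattern_list)
    return report


if __name__ == "__main__":
    for comment, (ok, bad) in audit(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"{comment}: accepted={ok} rejected={bad}")
```

Run against the sample, the alice key shows why a bare `PermitUserEnvironment yes` is dangerous: her SSH_USER entry is fine, but the LD_LIBRARY_PATH entry in the same line would also be exported to her session, and only a name-based allow-list (or stripping LD_* in a statically linked shell, as the thread suggests) keeps it out. The script is read-only and can be pointed at a root-owned AuthorizedKeysFile as a periodic check that no key has grown an environment= option outside the accepted names.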

