SSH users authentication depending on their public key.
Thomas Martin
tmartincpp at gmail.com
Fri May 24 01:53:17 EST 2013
>> Alternately (and this is easier to do). You could move the
>> AuthorizedKeysFile to be root-controlled (root-owned file and directory),
>> comment out the parts of session.c that load ~/.ssh/environment and
>> then turn PermitUserEnvironment back on. The user would have no way of
>> setting arbitrary environment variables (assuming they don't have root)
>> and you could use environment=... options in authorized_keys as much
>> as you like.
>>
>> -d
>
> I already have authorized_keys files in a read-only directory so
> indeed this trick could do the job (actually I hoped to avoid
> recompiling OpenSSH but why not).
>
I did what you suggested and it seems to work as expected.
Here is the diff (based on Debian Squeeze OpenSSH sources):
diff -rupN openssh-5.5p1/session.c openssh-5.5p1.new/session.c
--- openssh-5.5p1/session.c 2010-03-26 01:04:09.000000000 +0100
+++ openssh-5.5p1.new/session.c 2013-05-23 16:44:49.000000000 +0200
@@ -1289,11 +1289,13 @@ do_setup_env(Session *s, const char *she
auth_sock_name);
/* read $HOME/.ssh/environment. */
+ /*
if (options.permit_user_env && !options.use_login) {
snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
read_environment_file(&env, &envsize, buf);
}
+ */
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
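Review bot: the block starting at `if (options.permit_user_env && !options.use_login) {` is disabled with a bare `/* ... */` pair, while the existing `/* read $HOME/.ssh/environment. */` comment above it is left in place and now describes code that never runs. Use `#if 0` / `#endif` instead, which stays safe if a comment is ever added inside the block, and replace the stale comment with one line saying that ~/.ssh/environment is deliberately not read. It is also worth recording next to the change that PermitUserEnvironment now only controls `environment=` options in authorized_keys, so the restriction holds only while the AuthorizedKeysFile and its directory stay root-owned, as discussed in this thread.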
Yes I just had to comment 5 lines :X (what a great first patch in C ;).
Thanks again for the suggestion, I think it will do the job without
adding potential security issues.
Thomas