pubkey fingerprint and krb princ name in environment

Johannes Löthberg johannes at
Mon Dec 29 01:12:51 EST 2014


I use gitolite for git hosting on my server, and because I want to use 
kerberos authentication I patched OpenSSH to put the name of the 
kerberos principal name or the ssh fingerprint as environment variables 
so my ForceCommand script can use them to actually authorize the user by 
the principal/fingerprint.

It’s a bit annoying to keep my own patch and I thought it might be 
something that others might find useful too, so I thought I’d send an 
email to see if there would be any interest in including this upstream.

Both patches are attached, the kerberos principal being made by Sven 
Geggus, an the pubkey fingerprint one being written by me. Any comments 
on both would be well appreciated.

  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
-------------- next part --------------
--- gss-serv-krb5.c.orig	2012-07-12 14:33:31.117551679 +0200
+++ gss-serv-krb5.c	2012-07-12 14:34:30.319020970 +0200
@@ -104,6 +104,11 @@
 	} else
 		retval = 0;
+#ifdef USE_PAM
+        if (options.use_pam)
+             do_pam_putenv("GSS_AUTH_KRB5_PRINC", (char *)client->displayname.value);
 	krb5_free_principal(krb_context, princ);
 	return retval;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pubkey_fingerprint.patch
Type: text/x-diff
Size: 361 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 1495 bytes
Desc: not available
URL: <>

More information about the openssh-unix-dev mailing list