patch to send incoming key to AuthorizedKeysCommand via stdin

Scott Duckworth sduckwo at clemson.edu
Fri Mar 21 06:58:25 EST 2014


Hi all,

I'm new to the list, so please forgive me if this is duplicated effort.

I have created a patch for openssh which modifies the AuthorizedKeysCommand
directive so that the incoming user's public key is sent to the specified
program via stdin.  This provides a means to identify the connecting user
based solely on their public key and not just by the username.

The inspiration for this was to be able to provide a service similar to
GitHub or Bitbucket, where a user uploads their SSH public key(s) via a web
interface and accesses their repositories over SSH using a common user
account like "git" or "hg". However, there are likely many other use cases.

The patches for different openssh versions can be found at
https://bitbucket.org/ClemsonSoCUnix/django-sshkey.  The README.md file
describes some caveats, including the possibility for deadlock if the
command specified with AuthorizedKeysCommand does not fully consume or
close its standard input.

I've been running the modified code in production with ~100 users on 6.2p2
for 7 months now with no known issues.  I welcome any feedback on the
patches.

Scott

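As an added illustration (not part of Scott's patch or the django-sshkey project), here is the shape of an AuthorizedKeysCommand that consumes the key from stdin the way the patch delivers it: it drains all of stdin before doing anything else, so sshd can never block on its write, then resolves the key's SHA256 fingerprint against a lookup table and emits a restricted authorized_keys line carrying the owner's identity. The key store, the sample keys and the `/usr/local/bin/repo-shell` forced command are constructed placeholders; a real deployment would query the application database instead.

```python
import base64
import hashlib
import sys


def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of one 'type base64 [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(fields[1], validate=True)  # raises ValueError if not base64
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def make_sample_key(comment, seed):
    """Constructed, syntactically valid ssh-ed25519 public key (not a real key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed key store: fingerprint -> account the key was uploaded under.
ALICE_KEY = make_sample_key("alice@laptop", 1)
BOB_KEY = make_sample_key("bob@desktop", 77)
KEY_OWNERS = {fingerprint(ALICE_KEY): "alice", fingerprint(BOB_KEY): "bob"}

# Placeholder forced command; it receives the resolved owner, never the username sshd saw.
REPO_SHELL = "/usr/local/bin/repo-shell"


def authorized_keys_for(stdin_text):
    """Map the key(s) sshd wrote to stdin onto authorized_keys output ('' if unknown)."""
    out = []
    for line in stdin_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        try:
            owner = KEY_OWNERS.get(fingerprint(line))
        except ValueError:
            continue  # unparsable line: ignore it rather than fail the whole lookup
        if owner is None:
            continue
        keytype, keydata = line.split()[:2]
        opts = ('command="%s %s",no-port-forwarding,no-X11-forwarding,'
                'no-agent-forwarding,no-pty' % (REPO_SHELL, owner))
        out.append("%s %s %s %s" % (opts, keytype, keydata, owner))
    return "\n".join(out)


if __name__ == "__main__":
    data = sys.stdin.read()  # drain everything first: an unread pipe is what deadlocks sshd
    sys.stdout.write(authorized_keys_for(data))
```

Current OpenSSH releases expose the offered key to AuthorizedKeysCommand through the `%k` token on the command line instead, but the same rule applies: resolve identity from the key, not from the shared account name.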

More information about the openssh-unix-dev mailing list