patch to send incoming key to AuthorizedKeysCommand via stdin

Daniel Kahn Gillmor dkg at
Sat Mar 22 00:49:21 EST 2014

On 03/21/2014 02:54 AM, Marc Haber wrote:
> I would not do that in stdin as this precludes many standard commands
> from being used here. How about environment variables for key,
> fingerprint and probably comment?

If you have the key, you don't need the fingerprint.

> Wait, the ssh server doesn't know about a key's comment, does it?

the comment is irrelevant to the authorization process, since it's not
explicitly bound to the key at all (try exiting the comment in either
your or in .ssh/authorized_keys -- a mismatch has no effect).

Given that, i think authorizedkeyscommand only needs access to the key.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the openssh-unix-dev mailing list