patch to send incoming key to AuthorizedKeysCommand via stdin

Scott Duckworth sduckwo at
Sat Mar 22 02:16:17 EST 2014

On Friday, March 21, 2014, Daniel Kahn Gillmor <dkg at> wrote:
> On 03/21/2014 02:54 AM, Marc Haber wrote:
> > I would not do that in stdin as this precludes many standard commands
> > from being used here. How about environment variables for key,
> > fingerprint and probably comment?
> If you have the key, you don't need the fingerprint.
> Given that, i think authorizedkeyscommand only needs access to the key.

The problem with passing the key in an environment variable is a
potential for overflowing the available space (see the "limits on size
of arguments and environment" section on  Passing the
fingerprint may be a better option. If there is a fingerprint
collision then the AuthorizedKeysCommand can just print out all of
them and leave it up to sshd to find the exact match, which it already
does anyways.

In my use case of this feature I'm already storing the fingerprints
along with the keys in a database and my AuthorizedKeysCommand
performs the lookup based only on the fingerprint. In other words, not
having the full key would be fine. I realize this may not be the case
for everybody but maybe it's good enough?

More information about the openssh-unix-dev mailing list