patch to send incoming key to AuthorizedKeysCommand via stdin
Eldon Koyle
esk-openssh at esk.cs.usu.edu
Sat Mar 22 03:38:42 EST 2014
On Mar 20 16:17-0400, Daniel Kahn Gillmor wrote:
> On 03/20/2014 03:58 PM, Scott Duckworth wrote:
<snip>
> > The patches for different openssh versions can be found at
> > https://bitbucket.org/ClemsonSoCUnix/django-sshkey. The README.md file
> > describes some caveats, including the possibility for deadlock if the
> > command specified with AuthorizedKeysCommand does not fully consume or
> > close its standard input.
>
> This is worrisome. sshd itself shouldn't be adversely affected by
> a subcommand failing to process the data in any way. Do you see any way
> to make sshd more robust in this case? (e.g. what if the key was
> provided as another command line parameter instead of stdin)
<snip>
Would it be reasonable to add another configuration option to specify
that you want to send the key via stdin to the AuthorizedKeysCommand,
and have it default to no/false? This should be enough to prevent
breakage of existing implementations while still allowing the new and
useful functionality.
--
Eldon Koyle
--
... Logically incoherent, semantically incomprehensible, and legally ...
impeccable!
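
The caveat quoted above is a deadlock when the command does not consume or close its standard input. As an added illustration (not code from sshd or from the django-sshkey patches), this C helper shows one parent-side way to bound that wait; the name `feed_stdin` and its per-write timeout are assumptions made for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run argv[0] and feed it buf on stdin without ever
 * blocking forever. Returns 0 if the data was delivered or the child closed
 * its stdin early, -1 on error or if the child stalled for timeout_ms. */
int feed_stdin(char *const argv[], const char *buf, size_t len, int timeout_ms)
{
    int p[2], rc = 0;
    size_t off = 0;
    pid_t pid;
    if (pipe(p) == -1) return -1;
    signal(SIGPIPE, SIG_IGN);            /* parent gets EPIPE instead of dying */
    if ((pid = fork()) == -1) {
        close(p[0]); close(p[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: read end becomes stdin */
        signal(SIGPIPE, SIG_DFL);
        dup2(p[0], STDIN_FILENO);
        close(p[0]); close(p[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(p[0]);
    fcntl(p[1], F_SETFL, O_NONBLOCK);    /* a full pipe must not block the parent */
    while (off < len) {
        struct pollfd pfd = { .fd = p[1], .events = POLLOUT };
        int n = poll(&pfd, 1, timeout_ms);
        if (n == 0) { kill(pid, SIGKILL); rc = -1; break; }  /* child not reading */
        if (n == -1 && errno == EINTR) continue;
        if (n == -1) { rc = -1; break; }
        ssize_t w = write(p[1], buf + off, len - off);
        if (w > 0) off += (size_t)w;
        else if (errno == EPIPE) break;  /* child closed stdin or exited: fine */
        else if (errno != EAGAIN && errno != EINTR) { rc = -1; break; }
    }
    close(p[1]);                         /* EOF lets a reading child finish */
    while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) continue;
    return rc;
}
```

The timeout applies to each wait for pipe space, so a child that reads slowly but steadily is not killed.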