patch to send incoming key to AuthorizedKeysCommand via stdin

Stephen Harris lists at spuddy.org
Sat Mar 22 11:39:15 EST 2014


On Fri, Mar 21, 2014 at 05:59:13PM -0600, Eldon Koyle wrote:

> Also, setenv/putenv should return an error rather than overflow the
> buffer if the variable is too large.

I'm jumping in here, just because it's the last message in the thread
that I've received so far.

I'm not sure if this patch is solving a problem that really exists.

What's wrong with
  command="/path/to/command user1" ssh-dss key1...
  command="/path/to/command user2" ssh-dss key2...
  command="/path/to/command user3" ssh-dss key3...
I've been doing that for years.

If there is a problem then here are two alternatives...

If we _do_ want to allow the key to be passed, why not pass the signature
rather than the key?

If we actually want the real key then do something similar to agent
forwarding; put the used key into a (secure) temporary file and pass the
filename in an environment variable.  After the child process has exited
then clean up the temporary file.  Just like agent forwarding.  In this
case control it by another config file setting ("PassSSHkeyToSession yes")
so we don't write files for no good reason.

-- 

rgds
Stephen
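The per-key forced-command layout described in the message above (one `command="/path/to/command userN"` prefix per key, so sshd itself tells the handler which key authenticated) is easy to get subtly wrong by hand. The script below is an added example, not code from this thread or from OpenSSH: it builds such entries with the usual connection restrictions and audits an existing file for entries that lack the forced command or the restrictions. The handler path `/usr/local/bin/key-handler`, the user names and the key blobs are all constructed for the example.

```python
"""Build and audit authorized_keys entries that bind each key to a forced command.

Added example, not code from the mailing-list thread or from OpenSSH.
The handler path, user names and key blobs are constructed/hypothetical.
"""
import re

HANDLER = "/usr/local/bin/key-handler"  # hypothetical forced-command handler
RESTRICTIONS = ("no-port-forwarding", "no-agent-forwarding",
                "no-X11-forwarding", "no-pty")
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# The user name becomes an argument inside command="..."; keep it to a
# conservative character set so it can never break out of the quoted option.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_entry(user, key_type, blob, comment=""):
    """Return one authorized_keys line: forced command + restrictions + key."""
    if not USER_RE.match(user):
        raise ValueError(f"refusing unsafe user name {user!r}")
    if key_type not in KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    options = [f'command="{HANDLER} {user}"', *RESTRICTIONS]
    entry = f"{','.join(options)} {key_type} {blob}"
    return f"{entry} {comment}" if comment else entry


def split_options(options):
    """Split the comma-separated option list, honouring double quotes
    (a quoted command may itself contain commas) and backslash-escaped quotes."""
    opts, cur, in_quote, prev = [], [], False, ""
    for ch in options:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            opts.append("".join(cur))
            cur, prev = [], ch
            continue
        cur.append(ch)
        prev = ch
    if cur:
        opts.append("".join(cur))
    return opts


def parse_entry(line):
    """Parse one line into options/command/flags/key; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # The first whitespace outside quotes separates the option list (if any)
    # from the key material.
    in_quote, prev, split_at = False, "", None
    for i, ch in enumerate(line):
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            split_at = i
            break
        prev = ch
    if split_at is None:
        raise ValueError(f"no key material in: {line[:40]!r}")
    head = line[:split_at]
    options_str, rest = ("", line) if head in KEY_TYPES else (head, line[split_at + 1:])
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised key type in: {line[:40]!r}")
    command, flags = None, set()
    for opt in split_options(options_str) if options_str else []:
        name, sep, value = opt.partition("=")
        if name == "command":
            command = value.strip('"')
        elif not sep:
            flags.add(name)
    return {"command": command, "flags": flags, "key_type": parts[0],
            "blob": parts[1], "comment": parts[2] if len(parts) == 3 else ""}


def audit(lines):
    """Return [(line_no, [problem, ...])] for entries that are not locked down."""
    findings = []
    for n, raw in enumerate(lines, 1):
        try:
            entry = parse_entry(raw)
        except ValueError as exc:
            findings.append((n, [str(exc)]))
            continue
        if entry is None:
            continue
        problems = []
        if entry["command"] is None:
            problems.append("no forced command")
        elif not entry["command"].startswith(HANDLER + " "):
            problems.append("forced command is not the expected handler")
        missing = [r for r in RESTRICTIONS if r not in entry["flags"]]
        if missing:
            problems.append("missing " + ",".join(missing))
        if problems:
            findings.append((n, problems))
    return findings


# Constructed sample file: the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = [
    build_entry("user1", "ssh-ed25519", "AAAAC3ConstructedBlob0001", "user1@laptop"),
    # forced command present, but the session can still forward ports and get a pty
    'command="/usr/local/bin/key-handler user2" ssh-rsa AAAAB3ConstructedBlob0002 user2',
    # no options at all: this key would get an unrestricted shell
    "ssh-ed25519 AAAAC3ConstructedBlob0003 user3",
    "# constructed sample file",
]

if __name__ == "__main__":
    for line_no, problems in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no}: " + "; ".join(problems))
```

On OpenSSH 7.2 and later the four `no-*` flags can be replaced by the single `restrict` option, which also disables anything added in future releases; the audit would then accept either form.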

