patch to send incoming key to AuthorizedKeysCommand via stdin

Daniel Kahn Gillmor dkg at
Sun Mar 23 03:05:46 EST 2014

On 03/21/2014 07:59 PM, Eldon Koyle wrote:
> It looks like they are all over the place.  See:
> for some actual numbers (however a lot of those seem to be pretty
> obscure *NIX variants).

Nice find.  With the exception of a few operating systems from the 1970s
(on which OpenSSH is unlikely to run anyway), those are all at least
5 KiB, which is about double the largest possible key size generated by
OpenSSH's ssh-keygen.

> You can check sysconf(_SC_ARG_MAX) to get an idea of the size limit.
> See:
> for more detailed information.
> Also, setenv/putenv should return an error rather than overflow the
> buffer if the variable is too large.

Similarly, exec should fail with E2BIG if the data is too large.

So this is testable at runtime, when the peer sends a large key; in the
event that the variable is too large, AuthorizedKeysCommand would simply
fail closed.  I think this is reasonable.

We could also deliberately constrain the key size, and decline to
execute AuthorizedKeysCommand (or execute it without passing any key as
an environment variable or argument) if the client's proposed key is
larger than the largest key generated by ssh-keygen (16 KiB at the
moment).  This strikes me as a reasonable limit.

> The only other concern would be a buffer overflow in the
> AuthorizedKeysCommand.  See:
> for an example.

Sure, but this is a risk whether the data comes in via environment
variables or stdin or argv or a local file, right?

Given the discussion, I'm still leaning toward either an environment
variable or argv.  Given that we're already using argv for the username,
I think a second argv parameter would be the cleanest.
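The fail-closed behaviour discussed above (a policy cap at the largest key ssh-keygen produces, a runtime check against sysconf(_SC_ARG_MAX), and exec returning E2BIG when the argument is still too large) as an added C example. This is not code from the thread or from OpenSSH: the 16 KiB cap, the `cmd user key` argv layout, the overhead estimate, the username "alice" and the oversize key it builds are all assumptions constructed for the demonstration.

```c
/* Added example, not OpenSSH code: fail-closed size checks for handing a
 * client's public key to AuthorizedKeysCommand as a second argv parameter,
 * plus a demonstration of what exec does when the limit is exceeded. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Policy cap taken from the discussion: largest key ssh-keygen produces. */
#define KEY_POLICY_MAX (16 * 1024)

enum key_verdict { KEY_OK = 0, KEY_EXCEEDS_POLICY = 1, KEY_EXCEEDS_ARG_MAX = 2 };

/* Pure check. key_len is the encoded key length, arg_max the kernel limit
 * (normally sysconf(_SC_ARG_MAX)), overhead_bytes an estimate of everything
 * else on the exec line (argv[0], username, environment). An unknown limit
 * (arg_max <= 0) is treated as "does not fit", i.e. fail closed. */
enum key_verdict check_key_for_argv(size_t key_len, long arg_max, size_t overhead_bytes)
{
    if (key_len > KEY_POLICY_MAX)
        return KEY_EXCEEDS_POLICY;
    if (arg_max <= 0 || key_len + overhead_bytes + 1 > (size_t)arg_max)
        return KEY_EXCEEDS_ARG_MAX;
    return KEY_OK;
}

/* Same check against the live limit of the running system. */
enum key_verdict check_key_runtime(size_t key_len, size_t overhead_bytes)
{
    return check_key_for_argv(key_len, sysconf(_SC_ARG_MAX), overhead_bytes);
}

/* Hypothetical runner: exec `cmd user key` in a child. Returns 0 if the exec
 * itself succeeded, otherwise the child's exec errno (for example E2BIG),
 * reported back through a close-on-exec pipe so the parent can tell an exec
 * failure apart from the command's own exit status. */
int exec_with_key_arg(const char *cmd, const char *user, const char *key)
{
    int pfd[2];
    if (pipe(pfd) < 0 || fcntl(pfd[1], F_SETFD, FD_CLOEXEC) < 0)
        return errno;
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        close(pfd[0]);
        char *const argv[] = { (char *)cmd, (char *)user, (char *)key, NULL };
        execv(cmd, argv);
        int err = errno;                 /* exec failed: tell the parent why */
        (void)!write(pfd[1], &err, sizeof err);
        _exit(127);
    }
    close(pfd[1]);
    int err = 0;
    ssize_t n = read(pfd[0], &err, sizeof err); /* 0 bytes => exec succeeded */
    close(pfd[0]);
    int status;
    waitpid(pid, &status, 0);
    return n == (ssize_t)sizeof err ? err : 0;
}

int main(void)
{
    long arg_max = sysconf(_SC_ARG_MAX);
    printf("ARG_MAX on this system: %ld\n", arg_max);

    /* Constructed oversize "key": one byte more than ARG_MAX, so no single
     * argv entry can hold it whatever the rest of the exec line looks like. */
    size_t big = (arg_max > 0 ? (size_t)arg_max : 4096) + 1;
    char *key = malloc(big + 1);
    if (key == NULL)
        return 1;
    memset(key, 'A', big);
    key[big] = '\0';

    /* The policy check refuses the key long before exec is attempted. */
    printf("policy verdict for %zu-byte key: %d (0 = ok)\n",
           big, (int)check_key_runtime(big, 256));

    /* Skipping the check and passing it anyway: exec fails closed with E2BIG.
     * /bin/sh is only used because it exists on any POSIX system; with the
     * oversize argument it never actually runs. */
    int err = exec_with_key_arg("/bin/sh", "alice", key);
    printf("exec without the check: %s\n", err ? strerror(err) : "succeeded");
    free(key);
    return 0;
}
```

The check is split into a pure function that takes the limit as a parameter and a thin wrapper around sysconf, so the boundary cases (policy cap, ARG_MAX, indeterminate limit) can be exercised deterministically; the exec runner exists only to show that even a missed check ends in a failed exec rather than a truncated or overflowed argument.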



More information about the openssh-unix-dev mailing list