patch to send incoming key to AuthorizedKeysCommand via stdin

Scott Duckworth sduckwo at clemson.edu
Tue Mar 25 01:42:33 EST 2014


On Sun, Mar 23, 2014 at 4:59 AM, Peter Stuge <peter at stuge.se> wrote:
> What's the problem with forking and writing to the pipe from the
> parent only when it is writable?

If the child process does not explicitly close stdin then there is no way
to know if it is actually being read from.  All that is known is that you
can write *some* data to the pipe, but once the pipe's buffer fills up and
it is not emptied then the parent process (sshd) will block indefinitely.
The only way this could be avoided is by introducing some sort of timeout
to the write.  Polling to see when you can write without blocking won't be
enough because the child process may just be slow to read the pipe, or it
may have stopped reading before EOF.

The only safe way to pass the key via a pipe is to require any
AuthorizedKeysCommand to either explicitly close stdin or consume stdin
until EOF.  There's no way to enforce this in code, and there are likely
already a lot of commands in use that do neither of these.  Hence passing
the data in environment variables or parameters are the only safe ways to
do this.
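The blocking behaviour described in this message can be reproduced with a small C program. This is an added example, not part of the original post and not OpenSSH code; `feed_child`, its parameters and the zero-filled buffer standing in for key data are hypothetical names and constructed input. It uses a non-blocking write with a poll timeout, the workaround the message mentions.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write len bytes to a child's stdin without ever blocking the parent.
 * reads=1: child drains stdin to EOF. reads=0: child keeps stdin open but
 * never reads it. Returns bytes written (-1 on setup failure); *stalled is
 * set when the pipe stayed full for timeout_ms. */
ssize_t feed_child(size_t len, int reads, int timeout_ms, int *stalled)
{
    int p[2];
    char buf[4096] = {0};                 /* constructed stand-in for key data */
    size_t done = 0;
    pid_t pid;
    *stalled = 0;
    signal(SIGPIPE, SIG_IGN);             /* closed pipe yields EPIPE, not death */
    if (pipe(p) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                       /* child: the hypothetical helper */
        close(p[1]);
        dup2(p[0], STDIN_FILENO);
        if (reads) while (read(STDIN_FILENO, buf, sizeof(buf)) > 0) { }
        else poll(NULL, 0, 3 * timeout_ms);   /* idle; stdin left untouched */
        _exit(0);
    }
    close(p[0]);
    fcntl(p[1], F_SETFL, O_NONBLOCK);     /* write() may fail but never block */
    while (done < len) {
        struct pollfd pfd = { .fd = p[1], .events = POLLOUT };
        if (poll(&pfd, 1, timeout_ms) == 0) { *stalled = 1; break; }
        size_t want = len - done < sizeof(buf) ? len - done : sizeof(buf);
        ssize_t n = write(p[1], buf, want);
        if (n > 0) done += (size_t)n;
        else if (errno != EAGAIN && errno != EINTR) break;   /* e.g. EPIPE */
    }
    close(p[1]);
    if (*stalled) kill(pid, SIGKILL);     /* the timeout is the only way out */
    waitpid(pid, NULL, 0);
    return (ssize_t)done;
}

int main(void)
{
    int s;
    ssize_t n = feed_child(1 << 20, 0, 200, &s);   /* child never reads */
    return printf("wrote %zd bytes, stalled=%d\n", n, s) < 0;
}
```

A payload smaller than the pipe buffer is written in full even when the child never reads it, so a successful write says nothing about whether the data was consumed.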


More information about the openssh-unix-dev mailing list