[PATCH v1] pass-key-fingerprint-to-authorized-keys-command

Christoph Anton Mitterer calestyo at scientia.net
Sat Feb 28 16:03:53 AEDT 2015


Hi.

The attached patch[0] (which I admittedly haven't had time just now
to check whether it actually works - but it should at least serve as a
discussion base) would make sshd pass a 2nd argument to the authorized
keys command.

The idea is, as the commit message says, that programs like Gitolite,
which may have many (up to the range of thousands) keys per single
username (for example “git”) can use that fingerprint in order to
efficiently retrieve the matching key(s) from a database (or something
like that).
Right now, such programs suffer quite a lot when sshd linearly parses
an authorized_keys file with a gazillion entries.


Most likely, legacy authorized keys commands shouldn’t be affected by
this, at least unless they check for a maximum number of command
arguments.


Right now I'm just a bit worried about two issues:
- using MD5,... which may be appropriate for the idea from above, but
  people might also use the whole thing in a different (security
  related) way... and there MD5 should be a no-go.
- not encoding the presented hash algo (which makes the whole thing
  unchangeable forever),
  i.e. perhaps one should rather pass arguments like
  johndoe -md5=e702125c0dfcb8801a07ddd8ef719ab8
  or
  johndoe md5 e702125c0dfcb8801a07ddd8ef719ab8
  (even though I'd probably tend to the former)


What do you guys think?

Cheers,
Chris.


[0] Based on an idea by Sitaram Chamarty and a patch from Jason A.
Donenfeld.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pass-key-fingerprint-to-authorized-keys-command.patch
Type: text/x-patch
Size: 2455 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150228/6f4de89b/attachment.bin>
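The consumer side of the proposed interface, as an added example that is not part of the post or its attached patch: a POSIX shell AuthorizedKeysCommand that accepts the author's preferred `johndoe -md5=<hex>` form, validates the fingerprint before using it as a lookup key, refuses algorithms it does not know, and falls back to the legacy single-argument behaviour. The argument format is an assumption taken from the post's own proposal, and the key store is a constructed in-script table standing in for the database the post mentions.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand for the proposed two-argument interface.
# Assumed invocation by sshd (the post's preferred form): <command> <user> [-<alg>=<hex>]
# A legacy sshd still calls it with the user name only, so both forms are handled.

# Constructed sample key store standing in for the database the post mentions.
# Format: <user> <fingerprint-alg> <fingerprint-hex> <authorized_keys line>
KEYSTORE='git md5 e702125c0dfcb8801a07ddd8ef719ab8 ssh-ed25519 AAAAC3EXAMPLEKEYALICE alice@example
git md5 0123456789abcdef0123456789abcdef ssh-ed25519 AAAAC3EXAMPLEKEYBOB bob@example
deploy md5 ffffffffffffffffffffffffffffffff ssh-ed25519 AAAAC3EXAMPLEKEYDEPLOY deploy@example'

# Print the authorized_keys line(s) for a user, optionally narrowed to one fingerprint.
# Returns 1 (no output) when the second argument is malformed or names an algorithm
# this command does not support; sshd then sees "no matching key".
lookup_keys() {
    user=$1
    fp=${2:-}
    case "$fp" in
        "")
            # Legacy single-argument call: linear scan, every key for the user.
            printf '%s\n' "$KEYSTORE" | awk -v u="$user" \
                '$1 == u { $1 = $2 = $3 = ""; sub(/^ +/, ""); print }'
            ;;
        -md5=*)
            # Validate before querying: exactly 32 lowercase hex digits.
            hex=${fp#-md5=}
            case "$hex" in *[!0-9a-f]*|"") return 1 ;; esac
            [ "${#hex}" -eq 32 ] || return 1
            printf '%s\n' "$KEYSTORE" | awk -v u="$user" -v h="$hex" \
                '$1 == u && $2 == "md5" && $3 == h { $1 = $2 = $3 = ""; sub(/^ +/, ""); print }'
            ;;
        *)
            # Because the algorithm is encoded in the argument, a future -sha256=... form
            # can be added here without breaking callers; anything unrecognised is refused.
            return 1
            ;;
    esac
}

# When run by sshd, forward its arguments unchanged.
if [ "$#" -gt 0 ]; then
    lookup_keys "$@"
fi
```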