OpenSSH Linux portable patch proposal
Damien Miller
djm at mindrot.org
Wed Jun 3 10:01:07 AEST 2015
On Tue, 2 Jun 2015, György Demarcsek Ifj. wrote:
> Dear OpenSSH Developers,
>
> I would like to propose a patch to OpenSSH for Linux. In the recent few
> months, I have encountered a scenario where a PAM module used for
> authentication in SSH should be informed about the previous successful
> authentication methods. I described the complete scenario here:
> http://serverfault.com/questions/690038/openssh-two-factor-authentication-combined-with-kerberos-public-key

I've wanted to expose more information about how the user authenticated
to the environment for a while, but I think that if we do it then we
should include (at least) key fingerprints too. Something like:

SSH_USER_AUTH=hostbased RSA SHA256:Iw75Ex+Re8WyIjqHEukxHtwz2weTFTBLPD2J9doYEfU, publickey CA ED25519 SHA256:rLKEbjpoN2+kuMQB7EiPqaeHut65ZfSe/z1EaWtKEmk Cert ID djm at mindrot.org Serial 27908739, password

We could probably expose this to PAM as well, as SSH_COMPLETED_AUTH or
similar.

Could you please file a bug at https://bugzilla.mindrot.org/ to track
this feature?

-d
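
Added example (not part of the message above and not OpenSSH code): a Python sketch of how a session-side script could parse a value in the format sketched in the reply and fail closed unless the required methods completed. The field layout, the meaning of the `CA` token and the `required_factors_met` policy are assumptions drawn only from the sample string in the message.

```python
import os
import re

# Sample copied from the message above. The layout is that email's sketch,
# not a finalized OpenSSH interface.
SAMPLE = (
    "hostbased RSA SHA256:Iw75Ex+Re8WyIjqHEukxHtwz2weTFTBLPD2J9doYEfU, "
    "publickey CA ED25519 SHA256:rLKEbjpoN2+kuMQB7EiPqaeHut65ZfSe/z1EaWtKEmk "
    "Cert ID djm at mindrot.org Serial 27908739, password"
)
FP_RE = re.compile(r"[A-Z0-9]+:[A-Za-z0-9+/=]+")  # e.g. SHA256:<base64>

def parse_auth_info(value):
    """Return one dict per completed method; raise ValueError if malformed."""
    entries = []
    # Assumption: entries are comma-separated and no field contains a comma.
    for raw in value.split(","):
        tokens = raw.split()
        if not tokens:
            raise ValueError("empty entry")
        entry = {"method": tokens[0], "ca": False, "key_type": None,
                 "fingerprint": None, "extra": ""}
        rest = tokens[1:]
        if rest:
            if rest[0] == "CA":  # assumed to mark a CA-signed certificate
                entry["ca"], rest = True, rest[1:]
            if len(rest) < 2 or not FP_RE.fullmatch(rest[1]):
                raise ValueError("malformed key description: %r" % raw)
            entry["key_type"], entry["fingerprint"] = rest[0], rest[1]
            entry["extra"] = " ".join(rest[2:])
        entries.append(entry)
    return entries

def required_factors_met(value, key_fingerprint):
    """Hypothetical policy: a publickey entry with the pinned fingerprint
    and a password entry must both be present."""
    try:
        entries = parse_auth_info(value)
    except ValueError:
        return False  # fail closed on anything that does not parse
    has_key = any(e["method"] == "publickey" and
                  e["fingerprint"] == key_fingerprint for e in entries)
    has_password = any(e["method"] == "password" for e in entries)
    return has_key and has_password

if __name__ == "__main__":
    pinned = "SHA256:rLKEbjpoN2+kuMQB7EiPqaeHut65ZfSe/z1EaWtKEmk"
    print(required_factors_met(os.environ.get("SSH_USER_AUTH", SAMPLE), pinned))
```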