sshd: SSH_CLIENT_CERT and SSH_CLIENT_PUBKEY env variables
Anton Worshevsky
gbdj at gbdj.ru
Fri May 5 02:45:42 AEST 2017
On Wed, 26 Apr 2017 10:52:07 +0200
Jakub Jelen <jjelen at redhat.com> wrote:
JJ> > There are environment variables SSH_CLIENT and SSH_CONNECTION
JJ> > with information about the client of the current session.
JJ> >
JJ> > I want to implement new variables with info about credentials used for session authentication.
JJ> > Such as:
JJ> >
JJ> > SSH_CLIENT_CERT
JJ> > SSH_CLIENT_CERT_ID
JJ> > SSH_CLIENT_CERT_PRINCIPALS
JJ> >
JJ> > SSH_CLIENT_PUBKEY
JJ> > SSH_CLIENT_PUBKEY_FINGERPRINT
JJ> >
JJ> > Some of that information is available in logs but not inside the session.
JJ> > Is there a good reason why it's not implemented yet?
JJ> > Do I need to hold myself back from writing it? =)
JJ>
JJ> A very similar thing was already implemented by and is waiting for review, more
JJ> use cases, or higher interest by users:
JJ>
JJ> https://bugzilla.mindrot.org/show_bug.cgi?id=2408
JJ>
JJ> This creates the variable SSH_USER_AUTH, which contains all the successfully
JJ> used authentication methods with all the needed information. It also
JJ> provides configuration options to expose this information to PAM (for
JJ> possible additional authentication methods outside of SSH) or to the user
JJ> session.
JJ>
JJ> Rather than implementing something new, it would be better to work on
JJ> improving this feature to suit your needs and merging it upstream.
Thank you for pointing me in the right direction.
After reading the patch I see now it's not so easy because of privilege separation.
Also, PAM support will be usable in many more use cases.
I cannot provide a review from a security standpoint,
but I plan to test the shell use case and enhance it if needed.
My use case:
Use sshd for authentication
but expose the verified pubkey/certificate to an API server application
for sophisticated authorization by role-based access control.
PAM is not used for several reasons.
Regards,
--
Anton Worshevsky
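As an added illustration of the session-side consumer described in this thread (not code from the thread or from OpenSSH): an API-side check that reads the proposed SSH_CLIENT_PUBKEY / SSH_CLIENT_PUBKEY_FINGERPRINT / SSH_CLIENT_CERT_PRINCIPALS variables, recomputes the OpenSSH SHA256 fingerprint from the key so the two variables must agree, and maps certificate principals to permissions. The variable value formats (authorized_keys-style key line, comma-separated principals) and the role table are assumptions; the thread does not fix them.

```python
import base64
import hashlib


def openssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH display form of a key fingerprint:
    'SHA256:' + unpadded base64 of sha256(raw key blob)."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Assumed role table: certificate principal -> permissions it grants.
ROLE_BY_PRINCIPAL = {
    "deploy": {"read", "restart"},
    "ops-admin": {"read", "restart", "configure"},
}


def authorize(env: dict, role_map=ROLE_BY_PRINCIPAL) -> set:
    """Permissions granted to the session's sshd-verified identity.
    Returns an empty set when no public key was exposed, and refuses
    an environment whose fingerprint does not summarise its own key."""
    pubkey = env.get("SSH_CLIENT_PUBKEY")
    if not pubkey:
        return set()
    claimed = env.get("SSH_CLIENT_PUBKEY_FINGERPRINT")
    if claimed and claimed != openssh_fingerprint(pubkey):
        raise ValueError("SSH_CLIENT_PUBKEY_FINGERPRINT does not match SSH_CLIENT_PUBKEY")
    principals = [p for p in env.get("SSH_CLIENT_CERT_PRINCIPALS", "").split(",") if p]
    perms = set()
    for p in principals:
        perms |= role_map.get(p, set())
    return perms


# Constructed sample: an ed25519 key blob in SSH wire format (length-prefixed
# type string, length-prefixed 32-byte key) with a dummy key value.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_ENV = {
    "SSH_CLIENT_PUBKEY": "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " deploy@example",
    "SSH_CLIENT_CERT_PRINCIPALS": "deploy",
}
SAMPLE_ENV["SSH_CLIENT_PUBKEY_FINGERPRINT"] = openssh_fingerprint(SAMPLE_ENV["SSH_CLIENT_PUBKEY"])

if __name__ == "__main__":
    print(SAMPLE_ENV["SSH_CLIENT_PUBKEY_FINGERPRINT"], sorted(authorize(SAMPLE_ENV)))
```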