[Bug 983] Required authentication

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Sep 17 21:39:50 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=983

--- Comment #43 from David Woodhouse <dwmw2 at infradead.org> 2011-09-17 21:39:50 EST ---
My use case for this is to run a PAM stack *after* pubkey
authentication, and one environment in which I want to do that is for
something like gitolite — where multiple people each have their own SSH
key installed, but there is only one local user. We want to use keys
*and* a one-time password.

It would be really useful if the PAM stack could know *which* SSH key
was used to authenticate. Then we can have an OTP setup for each human
being rather than just having a single shared one.

This kind of thing should probably do it. This makes the two-step
authentication much more useful for us.

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 137887e..68f1a6a 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -350,6 +350,12 @@ user_key_allowed2(struct passwd *pw, Key *key,
char *file)
             verbose("Accepted certificate ID \"%s\" "
                 "signed by %s CA %s via %s", key->cert->key_id,
                 key_type(found), fp, file);
+#ifdef USE_PAM
+            if (options.use_pam) {
+                do_pam_putenv("SSH_PUBKEY_TYPE", "X509");
+                do_pam_putenv("SSH_PUBKEY", key->cert->key_id);
+            }
+#endif
             xfree(fp);
             found_key = 1;
             break;
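Review bot: The type label in the first added line is wrong for this branch: the key accepted here is an OpenSSH certificate (the preceding verbose() reports key->cert->key_id and the signing CA), not an X.509 certificate, so `do_pam_putenv("SSH_PUBKEY_TYPE", "X509");` should use key_type(found) or an explicit OpenSSH certificate label, otherwise PAM modules written against this interface will misclassify the credential. Related: SSH_PUBKEY carries a CA-chosen free-text key_id in this hunk but a fingerprint in the next one, so a consumer gets two different value kinds under one name; `fp` is still live at this point, so exporting it too (or exporting the key_id under a separate variable) would give SSH_PUBKEY one consistent meaning and let a module match on the certificate itself rather than on a string the CA may reuse across certificates.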
@@ -365,6 +371,12 @@ user_key_allowed2(struct passwd *pw, Key *key,
char *file)
             fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
             verbose("Found matching %s key: %s",
                 key_type(found), fp);
+#ifdef USE_PAM
+            if (options.use_pam) {
+                do_pam_putenv("SSH_PUBKEY_TYPE", key_type(found));
+                do_pam_putenv("SSH_PUBKEY", fp);
+            }
+#endif
             xfree(fp);
             break;
         }
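Review bot: The identifier exported as SSH_PUBKEY is the MD5 hex fingerprint computed two lines above (`key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX)`); since the stated purpose is to pick a per-person OTP secret from it, this turns a display-oriented digest into an authorization key, and a stronger fingerprint type or the full encoded public key would be the safer identifier to hand to PAM. Style: this #ifdef USE_PAM block is a copy of the one in the previous hunk with only the two values differing; a small helper taking (type, value) would keep both call sites in step and make it easy to also export the fingerprint on the certificate path.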

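A consumer for the two variables the patch exports, as an added example that is not code from the bug report or from OpenSSH: a pam_exec script that maps SSH_PUBKEY_TYPE / SSH_PUBKEY to the person who owns that key and fails closed on anything unexpected. The map format, the /etc/ssh/pubkey-persons path and the SSH_PUBKEY_MAP variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSSH): consumer side of the patch.
# Turns the SSH_PUBKEY_TYPE / SSH_PUBKEY values sshd would export into a per-person
# identity, so a later OTP step can select that person's secret instead of one
# shared secret. The map format below is an assumption made for this example.

# Constructed map: "<type> <fingerprint or certificate key ID> <person>" per line.
# RSA/DSA/ECDSA are the labels key_type() prints in "Found matching %s key";
# X509 is the literal the patch uses on the certificate path.
DEMO_MAP='RSA 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff alice
X509 bob@example.org bob'

# Reject anything that does not look like what sshd would export, so a malformed
# value can never select an OTP secret by accident.
valid_pubkey_value() {            # $1 = type, $2 = value
    case "$1" in
        X509)   # certificate key IDs are CA-chosen text: allow a conservative charset
                printf '%s' "$2" | grep -Eq '^[A-Za-z0-9._@-]{1,64}$' ;;
        RSA|DSA|ECDSA)  # MD5 hex fingerprint as key_fingerprint(SSH_FP_MD5, SSH_FP_HEX) prints it
                printf '%s' "$2" | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$' ;;
        *)      return 1 ;;
    esac
}

# Print the person owning the key, or print nothing and fail closed (exit 1).
lookup_person() {                 # $1 = map text, $2 = type, $3 = value
    valid_pubkey_value "$2" "$3" || return 1
    printf '%s\n' "$1" | awk -v t="$2" -v v="$3" \
        '$1 == t && $2 == v { print $3; found = 1; exit } END { exit !found }'
}

# Under pam_exec the PAM environment is passed to the child, so SSH_PUBKEY_TYPE and
# SSH_PUBKEY are plain environment variables here; the exit status becomes the PAM result.
if [ -n "${SSH_PUBKEY:-}" ]; then
    lookup_person "$(cat "${SSH_PUBKEY_MAP:-/etc/ssh/pubkey-persons}")" \
        "${SSH_PUBKEY_TYPE:-}" "$SSH_PUBKEY"
fi
```

pam_exec only relays the exit status to PAM, so in a deployment the per-person OTP check itself would sit behind this lookup in the same script or module.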