[Bug 2712] New: Add fingerprint of key used for public key authentication to PAM handle

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sun May 7 08:39:02 AEST 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2712

            Bug ID: 2712
           Summary: Add fingerprint of key used for public key
                    authentication to PAM handle
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: seroland86 at gmail.com

I have developed a PAM module that creates the authorized_keys file
from X.509 certificates obtained from LDAP. If specified, there are
cases where public keys from user a,b,...,n are synced into the
authorized_keys file of user x. Right now I don't have any possibility
to figure out which actual user has now logged in on behalf of user x.

A solution to this problem is that OpenSSH makes the fingerprint of the
key that has been (successfully) used during public key authentication
available within the PAM space (pam_set_data() / pam_putenv()).

In this case one could hook in another PAM module, e.g. for session
management, that obtains the fingerprint and works with it (e.g. mapping
to user and making it available in the user environment).
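The consuming side of the mechanism proposed above, as an added example that is neither OpenSSH code nor the reporter's module: it computes OpenSSH-style SHA256 fingerprints for every key in a shared authorized_keys file, and then resolves the fingerprint a session-phase PAM module would receive back to the person whose key it is. The variable name SSH_AUTH_KEY_FINGERPRINT is an assumption (OpenSSH exports no such value at the time of this report; the dict passed in stands in for pam_getenv()), the two ed25519 key blobs are constructed inline for the demo, and authorized_keys option prefixes (e.g. `command=...`) are deliberately not parsed.

```python
"""Resolve the fingerprint of the key that authenticated a session back to the
owner of that key. Added example; not code from OpenSSH or the bug reporter."""
import base64
import hashlib
import struct

# ASSUMPTION: the name sshd would use to publish the fingerprint into the PAM
# environment. The bug report asks for this; it does not exist in OpenSSH here.
ASSUMED_PAM_VAR = "SSH_AUTH_KEY_FINGERPRINT"


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Wire blob of an ssh-ed25519 public key (the base64 part of a key line)."""
    assert len(raw_pubkey) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64 of sha256(blob) with '=' padding
    stripped, the same string `ssh-keygen -lf` prints for the key."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> dict:
    """Return {fingerprint: comment} for each plain `<type> <base64> [comment]`
    line. Lines with option prefixes, bad base64, or a blob whose embedded key
    type disagrees with the declared type are skipped rather than trusted."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        keytype, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(blob) < 4:
            continue
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen] != keytype.encode():
            continue
        mapping[fingerprint(blob)] = comment
    return mapping


def originating_user(pam_env: dict, keymap: dict):
    """What a session-phase PAM module would do: read the fingerprint sshd
    published and look up the owner. `pam_env` stands in for pam_getenv()."""
    fp = pam_env.get(ASSUMED_PAM_VAR)
    if fp is None:
        return None
    return keymap.get(fp)


# Constructed sample data: two raw 32-byte public keys synced from LDAP into
# user x's authorized_keys, commented with their owners' identities.
ALICE_BLOB = ed25519_blob(bytes(range(32)))
BOB_BLOB = ed25519_blob(bytes(range(32, 64)))
AUTHORIZED_KEYS = "\n".join([
    "# keys synced into user x's authorized_keys from LDAP (constructed)",
    "ssh-ed25519 " + base64.b64encode(ALICE_BLOB).decode() + " alice@example",
    "ssh-ed25519 " + base64.b64encode(BOB_BLOB).decode() + " bob@example",
])


def resolve_login(fp: str):
    """Full path: parse the shared file, then resolve the fingerprint that
    would arrive through the (assumed) PAM environment variable."""
    keymap = parse_authorized_keys(AUTHORIZED_KEYS)
    return originating_user({ASSUMED_PAM_VAR: fp}, keymap)


if __name__ == "__main__":
    for blob in (ALICE_BLOB, BOB_BLOB):
        fp = fingerprint(blob)
        print(fp, "->", resolve_login(fp))
```

The lookup keys on the fingerprint rather than the comment field because the comment is free text that the key owner controls; the fingerprint is derived from the key material sshd actually verified, so the mapping built here stays correct even if someone pastes a key with a misleading comment.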
