pubkey fingerprint and krb princ name in environment

Damien Miller djm at mindrot.org
Tue Dec 30 12:09:30 EST 2014


On Sun, 28 Dec 2014, Johannes L?thberg wrote:

> Hey,
> 
> I use gitolite for git hosting on my server, and because I want to use
> kerberos authentication I patched OpenSSH to put the name of the kerberos
> principal name or the ssh fingerprint as environment variables so my
> ForceCommand script can use them to actually authorize the user by the
> principal/fingerprint.

Nice - I've written something similar for private use in the past.
The main reason why something like this isn't in sshd already is
that I haven't reworked it to handle multiple authentication.

As of last week, sshd keeps a list of the user public keys that were
used in authentication. This should make implementing the pubkey bit
of this easier...

-d


More information about the openssh-unix-dev mailing list