SSH certificate and serverside ForceCommand

Alejandro Dabin aledabin at gmail.com
Tue Jun 30 07:48:52 AEST 2020


On 23 jun. 2020 a las 23:21, Damien Miller wrote:
> I think your best avenue would be to set ExposeAuthInfo=yes in
> sshd_config (note: requires a relatively recent sshd) and parse it out
> of the certificate listed in $SSH_USER_AUTH. E.g.
>
> grep "^publickey .*cert[a-z0-9-]*@openssh.com" $SSH_USER_AUTH \
>         | awk '{print $2 " " $3}' | ssh-keygen -Lf -

"ExposeAuthInfo" solves our use case because it allows to read the
certificate with user privilegies. It requires sshd >= 7.6, I was reading
the manual on my distro which uses 7.4.

Thank you all for your time, and for the great OpenSSH suite!

Regards, Ale


More information about the openssh-unix-dev mailing list