Christoph Anton Mitterer
2015-Feb-28 05:03 UTC
[PATCH v1] pass-key-fingerprint-to-authorized-keys-command
Hi.

The attached patch[0] (which I admittedly haven't had time just now to check whether it actually works - but it should at least serve as a discussion base) would make sshd pass a 2nd argument to the authorized keys command.

The idea is, as the commit message says, that programs like Gitolite, which may have many (up to the range of thousands) keys per single username (for example "git") can use that fingerprint in order to efficiently retrieve the matching key(s) from a database (or something like that).

Right now, such programs suffer quite a lot when sshd linearly parses an authorized_keys file with a gazillion entries.

Most likely, legacy authorized keys commands shouldn't be affected by this, at least unless they check for a maximum number of command arguments.

Right now I'm just a bit worried about two issues:
- using MD5,... which may be appropriate for the idea from above, but people might also use the whole thing in a different (security related) way... and there MD5 should be a no-go.
- not encoding the presented hash algo (which makes the whole thing unchangeable forever), i.e. perhaps one should rather pass arguments like
    johndoe -md5=e702125c0dfcb8801a07ddd8ef719ab8
  or
    johndoe md5 e702125c0dfcb8801a07ddd8ef719ab8
  (even though I'd probably tend to the former)

What do you guys think?

Cheers,
Chris.

[0] Based on an idea by Sitaram Chamarty and a patch from Jason A. Donenfeld.

Attachment: 0001-pass-key-fingerprint-to-authorized-keys-command.patch (text/x-patch, 2455 bytes) <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150228/6f4de89b/attachment.bin>
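The lookup the proposal describes, as an added example that is not part of this thread, of OpenSSH or of Gitolite: a hypothetical AuthorizedKeysCommand that takes the username as its first argument and the presented key's fingerprint in either of the two layouts suggested above (`user -md5=HEX` or `user md5 HEX`), resolves it against an in-memory index that stands in for a database, and prints the matching authorized_keys line(s) to stdout the way sshd expects. The key set, the user names and the index layout are constructed for the example; how sshd would actually format the second argument is assumed from the message, not taken from the patch.

```python
#!/usr/bin/env python3
"""Hypothetical AuthorizedKeysCommand for the proposal above (example code, not
OpenSSH's or Gitolite's). Assumed invocation by sshd:
    command <username> -<alg>=<fingerprint>    or    command <username> <alg> <fingerprint>
Output: zero or more authorized_keys lines for that user whose key has that fingerprint."""
import base64
import hashlib
import sys


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build one authorized_keys line for a 32-byte Ed25519 public key (constructed sample)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def key_blob(line: str) -> bytes:
    """Decoded key blob of an authorized_keys line (lines with leading options not handled here)."""
    return base64.b64decode(line.split()[1])


def fingerprint(blob: bytes, alg: str) -> str:
    """Fingerprint of a key blob: md5 as lowercase hex, sha256 as unpadded base64."""
    if alg == "md5":
        return hashlib.md5(blob).hexdigest()
    if alg == "sha256":
        return base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    raise ValueError("unsupported fingerprint algorithm: %s" % alg)


def parse_args(argv):
    """Accept both layouts discussed: ['user', '-md5=HEX'] and ['user', 'md5', 'HEX'].
    Returns (user, alg, normalised fingerprint); the algorithm name is mandatory."""
    if len(argv) == 2 and argv[1].startswith("-") and "=" in argv[1]:
        alg, _, fp = argv[1][1:].partition("=")
    elif len(argv) == 3:
        alg, fp = argv[1], argv[2]
    else:
        raise ValueError("expected: <user> -<alg>=<fp>  or  <user> <alg> <fp>")
    alg = alg.lower()
    if alg == "md5":
        fp = fp.replace(":", "").lower()  # also tolerate the colon-separated display form
    elif alg == "sha256":
        fp = fp.rstrip("=")
    else:
        raise ValueError("unsupported fingerprint algorithm: %s" % alg)
    return argv[0], alg, fp


# Constructed sample "database": many keys under one shared account, Gitolite-style.
KEYS = {
    "git": [
        ed25519_pubkey_line(bytes(range(32)), "alice"),
        ed25519_pubkey_line(bytes(range(32, 64)), "bob"),
    ],
    "johndoe": [
        ed25519_pubkey_line(b"\x42" * 32, "johndoe@laptop"),
    ],
}


def build_index(keys):
    """Index every key under every accepted algorithm: (alg, fp) -> [(user, line), ...]."""
    index = {}
    for user, lines in keys.items():
        for line in lines:
            blob = key_blob(line)
            for alg in ("md5", "sha256"):
                index.setdefault((alg, fingerprint(blob, alg)), []).append((user, line))
    return index


INDEX = build_index(KEYS)


def lookup(user, alg, fp, index=INDEX):
    """authorized_keys lines for `user` whose key has fingerprint `fp` under `alg`.

    The index is only a hint: each candidate's fingerprint is recomputed from the key
    itself, so a stale or tampered index entry cannot hand sshd the wrong key. sshd
    still matches the full key and verifies the client's signature; this replaces
    only the linear scan of a huge authorized_keys file."""
    result = []
    for owner, line in index.get((alg, fp), []):
        if owner == user and fingerprint(key_blob(line), alg) == fp:
            result.append(line)
    return result


def main(argv):
    try:
        user, alg, fp = parse_args(argv)
    except ValueError as e:
        print(e, file=sys.stderr)
        return 1
    for line in lookup(user, alg, fp):
        print(line)
    return 0  # empty stdout simply means "no key"; sshd then refuses the login


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because sshd still has to see the full public key and check the client's signature against it, the fingerprint here is purely an index into the key store, which is why the re-check in `lookup` and an explicit algorithm label in the argument (so that md5 can later be swapped for sha256 without changing the calling convention) are the two things worth insisting on.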
Damien Miller
2015-Feb-28 08:57 UTC
[PATCH v1] pass-key-fingerprint-to-authorized-keys-command
On Sat, 28 Feb 2015, Christoph Anton Mitterer wrote:

> Hi.
>
> The attached patch[0] (which I admittedly haven't had time just now
> to check whether it actually works - but it should at least serve as a
> discussion base) would make sshd pass a 2nd argument to the authorized
> keys command.

There is a patch out for review at
https://bugzilla.mindrot.org/show_bug.cgi?id=2081 already

-d