Mike Spinzer
2011-Oct-21 20:40 UTC
Handling connection depending on the client computer public key fingerprint
Hello,

I try to find a way to handle SSH connections differently depending on whether it comes from a "trusted" computer or from an unknown computer (for instance giving access to a shell versus allowing only scp/sftp in a chrooted environment).
Using the IP address is not a solution since a trusted computer can be a laptop that is connected somewhere on the Internet.
One solution could be to use the client public key fingerprint; the server would then keep a white list of public key fingerprints that represent the trusted computers.

However I can't find a way to implement this.
I tried with the Match directive, but this one doesn't take such a parameter.
I also tried with a ForceCommand, but found no way to configure sshd to transmit the public key fingerprint to the script.

Is there any way to do that?

Thanks a lot for your help,
Mike S.
Iain Morgan
2011-Oct-21 23:19 UTC
Handling connection depending on the client computer public key fingerprint
On Fri, Oct 21, 2011 at 15:40:30 -0500, Mike Spinzer wrote:
> Hello,
>
>
> I try to find a way to handle SSH connections differently depending on whether it comes from a "trusted" computer or from an unknown computer (for instance giving access to a shell versus allowing only scp/sftp in a chrooted environment).
> Using the IP address is not a solution since a trusted computer can be a laptop that is connected somewhere on the Internet.
> One solution could be to use the client public key fingerprint; the server would then keep a white list of public key fingerprints that represent the trusted computers.
>
> However I can't find a way to implement this.
> I tried with the Match directive, but this one doesn't take such a parameter.
> I also tried with a ForceCommand, but found no way to configure sshd to transmit the public key fingerprint to the script.
>
> Is there any way to do that?
>
> Thanks a lot for your help,

You first need to define what you mean by "trusted computer" in this context. You presumably mean a set of public keys for which you have greater confidence and are thus willing to permit greater access. However, unless the client and server systems are configured to use hostbased authentication, the public key is really associated with a user _not_ a computer.

In that case, you could place all "untrusted" users in a single group and use the Match directive to force a command such as sftp-server. Or you could set the shell for these untrusted users to scponly; assuming that scponly is still around.

--
Iain Morgan
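Iain's group-based approach written out as an sshd_config fragment, added here as an example rather than taken from the thread. The group name `untrusted` and the chroot path `/srv/sftp` are assumptions; users outside that group keep the default behaviour, which is a login shell.

```sshconfig
# Added example, not from the list thread. Assumed names: group "untrusted",
# chroot root "/srv/sftp". Members of the group get chrooted SFTP only;
# everyone else is untouched by the Match block and gets a normal shell.
Subsystem sftp internal-sftp

Match Group untrusted
    # sshd refuses the session unless the chroot directory and every path
    # component above it are owned by root and not group/world-writable.
    # Give the user a writable subdirectory underneath it instead.
    ChrootDirectory /srv/sftp/%u
    # internal-sftp runs inside sshd itself, so the chroot needs no binaries,
    # libraries or /dev entries for file transfer to work.
    ForceCommand internal-sftp
    # Remove the side channels an sftp-only account has no reason to keep.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

A Match block extends to the next Match keyword or the end of the file, so keep it at the bottom of sshd_config, and run `sshd -t` to validate the file before reloading the daemon.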
Damien Miller
2011-Oct-24 22:55 UTC
Handling connection depending on the client computer public key fingerprint
On Fri, 21 Oct 2011, Mike Spinzer wrote:
> Hello,
>
>
> I try to find a way to handle SSH connections differently depending
> if it comes from a "trusted" computer or from an unknown computer
> (for instance giving access to a shell versus allowing only scp/sftp
> in a chrooted environment). Using the IP address is not a solution
> since a trusted computer can be a laptop that is connected somewhere
> on Internet. One solution could be to use the client public key
> fingerprint; the server would then keep a white list of public key
> fingerprints that represent the trusted computers.
>
> However I can't find a way to implement this. I tried with the Match
> directive, but this one doesn't take such parameter I tried too with
> a ForceCommand, but found no way to configure sshd to transmit the
> public key fingerprint to the script.

This seems like a reasonable feature request. Perhaps we could expose the key or its fingerprint in an SSH_AUTH_KEY environment variable. The only complexity is in transmitting the key from the pre-auth privsep child up to the monitor process so it is available in the session code later.

-d