I see that support for AuthorizedKeysCommand has been added. The arguments supplied to the command are just the authenticating user. Can we add the SSH connection details (i.e. source and destination IPs and ports) as well?

This command seems to be the ideal way of requiring one set of credentials from inside an organisation (say the user's own authorized_keys file) and another set from outside (say 2-factor smart card keys).

To do this the command needs to know where the connection is coming from. I can see a similar reason for knowing the destination IP or port.

We could use a cumbersome Match statement, but why not make all the information available to the AuthorizedKeysCommand command?

Anthony
On 20/11/12 20:51, Anthony R Fletcher wrote:
> I see that support for AuthorizedKeysCommand has been added. The
> arguments supplied to the command are just the authenticating user. Can
> we add the SSH connection details (i.e. source and destination IPs and
> ports) as well?
>
> This command seems to be the ideal way of requiring one set of
> credentials from inside an organisation (say the user's own
> authorized_keys file) and another set from outside (say 2-factor smart
> card keys).
>
> To do this the command needs to know where the connection is coming
> from. I can see a similar reason for knowing the destination IP or port.
>
> We could use a cumbersome Match statement, but why not make all the
> information available to the AuthorizedKeysCommand command?

Maybe it should get the environment variable SSH_CONNECTION that is sent on an ssh session. (The deprecated SSH_CLIENT is a subset, so no need to expose that.)
Ángel González wrote:
> > why not make all the information available to the
> > AuthorizedKeysCommand command?
>
> Maybe it should get the environment variable SSH_CONNECTION that
> is sent on an ssh session.

What would a patch look like?

//Peter
> -----Original Message-----
> From: openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org
> [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On
> Behalf Of Peter Stuge
> Sent: Tuesday, November 20, 2012 2:07 PM
> To: openssh-unix-dev at mindrot.org
> Subject: Re: Connection info with AuthorizedKeysCommand
>
> Ángel González wrote:
> > > why not make all the information available to the
> > > AuthorizedKeysCommand command?
> >
> > Maybe it should get the environment variable SSH_CONNECTION that is
> > sent on an ssh session.
>
> What would a patch look like?

[[SAN]] I think the AuthorizedKeysCommand should just read its environment for SSH_CONNECTION.
On Tue, 20 Nov 2012, Anthony R Fletcher wrote:
> I see that support for AuthorizedKeysCommand has been added. The
> arguments supplied to the command are just the authenticating user. Can
> we add the SSH connection details (i.e. source and destination IPs and
> ports) as well?
>
> This command seems to be the ideal way of requiring one set of
> credentials from inside an organisation (say the user's own
> authorized_keys file) and another set from outside (say 2-factor smart
> card keys).
>
> To do this the command needs to know where the connection is coming
> from. I can see a similar reason for knowing the destination IP or port.

An AuthorizedKeysCommand can emit lines with from="" phrases to achieve the same effect. Anything that works in authorized_keys works in the output of AuthorizedKeysCommand.

> We could use a cumbersome Match statement, but why not make all the
> information available to the AuthorizedKeysCommand command?

AuthorizedKeysCommand should be as simple as possible; I don't want to burden it with lots of options, especially when the authorized_keys format is quite powerful as it is.

-d
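What the last reply describes, as an added example (not code from the thread or from OpenSSH): an AuthorizedKeysCommand that never sees the connection details, but emits authorized_keys lines carrying from="" restrictions so that sshd itself decides which keys are valid from which source address. It assumes sshd calls the script with just the user name as its first argument (as the thread describes), a key layout of `$KEYDIR/internal/<user>` for the user's ordinary keys and `$KEYDIR/smartcard/<user>` for the second-factor keys (placeholder paths, not an OpenSSH convention), and the internal address ranges given in `INTERNAL_NETS`. The key material in the demo is constructed placeholder text, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: an AuthorizedKeysCommand that
# pushes the "where is the connection from?" decision into sshd via from="" options.
#
# Assumed sshd_config (placeholder path):
#   AuthorizedKeysCommand /usr/local/sbin/keys-by-origin
#   AuthorizedKeysCommandUser nobody
# Assumed key layout: $KEYDIR/internal/<user> and $KEYDIR/smartcard/<user>.

INTERNAL_NETS='10.0.0.0/8,192.168.0.0/16'
# A pattern list made only of negations never produces a match, so the trailing "*"
# is what turns "not an internal address" into a positive match for everything else.
EXTERNAL_ONLY='!10.0.0.0/8,!192.168.0.0/16,*'

# restrict_keys PATTERN FILE: prefix every key line in FILE with from="PATTERN".
restrict_keys() {
    pattern=$1; file=$2
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # skip blank and comment lines
        printf 'from="%s" %s\n' "$pattern" "$line"
    done < "$file"
}

# keys_for USER KEYDIR: the lines sshd will use as USER's authorized keys.
# Ordinary keys are accepted only from the internal nets; smart-card keys only
# from outside them, so a login from outside must present the second factor.
keys_for() {
    user=$1; keydir=$2
    case $user in ''|*[!a-zA-Z0-9_.-]*) return 1 ;; esac   # refuse odd user names
    restrict_keys "$INTERNAL_NETS" "$keydir/internal/$user"
    restrict_keys "$EXTERNAL_ONLY" "$keydir/smartcard/$user"
}

# make_demo_dir: build a throwaway key directory with constructed placeholder keys
# so the script can be exercised without touching the real layout.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/internal" "$d/smartcard"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYINTERNAL alice@laptop\n' \
        > "$d/internal/alice"
    printf '# key from the PKCS#11 token\nssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEKEYCARD alice-smartcard\n' \
        > "$d/smartcard/alice"
    printf '%s\n' "$d"
}

if [ -n "${1:-}" ]; then
    keys_for "$1" "${KEYDIR:-/etc/ssh/keys}"   # invoked by sshd: the user name is $1
else
    demo_dir=$(make_demo_dir)                   # stand-alone demo with constructed keys
    keys_for alice "$demo_dir"
    rm -rf "$demo_dir"
fi
```

Run stand-alone it prints two lines for `alice`: her laptop key restricted to the internal ranges, and her smart-card key restricted to everything outside them. The CIDR and `!` negation forms in from="" are the ones documented for pattern lists in sshd(8) and ssh_config(5); sshd matches them against the client's own address, which is exactly why the command needs no connection details. The user-name check matters because sshd hands the script whatever name the client offered, and a name containing `/` or `..` must not be turned into a path. As with any AuthorizedKeysCommand, the script and its directory have to be owned by root and not writable by anyone else, or sshd will refuse to run it.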