Scott Duckworth
2014-Mar-20 19:58 UTC
patch to send incoming key to AuthorizedKeysCommand via stdin
Hi all,

I'm new to the list, so please forgive me if this is duplicated effort.

I have created a patch for openssh which modifies the AuthorizedKeysCommand directive so that the incoming user's public key is sent to the specified program via stdin. This provides a means to identify the connecting user based solely on their public key and not just by the username.

The inspiration for this was to be able to provide a service similar to GitHub or Bitbucket, where a user uploads their SSH public key(s) via a web interface and accesses their repositories over SSH using a common user account like "git" or "hg". However, there are likely many other use cases.

The patches for different openssh versions can be found at https://bitbucket.org/ClemsonSoCUnix/django-sshkey. The README.md file describes some caveats, including the possibility for deadlock if the command specified with AuthorizedKeysCommand does not fully consume or close its standard input.

I've been running the modified code in production with ~100 users on 6.2p2 for 7 months now with no known issues.

I welcome any feedback on the patches.

Scott
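An added example, not part of the original post or of the django-sshkey project: an AuthorizedKeysCommand helper written for the stdin behaviour described above, which reads its input to EOF and maps the offered key to an account through a forced command. It assumes the patched sshd writes the offered key as one `type base64 [comment]` line; the key store, the sample keys, the `repo-shell` program and the option set are hypothetical.

```python
#!/usr/bin/env python3
import base64
import binascii
import sys

# Constructed sample keys (not real key material).
ALICE_BLOB = base64.b64encode(b"constructed-key-blob-alice").decode()
BOB_BLOB = base64.b64encode(b"constructed-key-blob-bob").decode()

# Hypothetical store: (key type, base64 blob) -> account that uploaded it.
# A real deployment would query the web application's database.
KEY_OWNERS = {("ssh-rsa", ALICE_BLOB): "alice", ("ssh-ed25519", BOB_BLOB): "bob"}

# Restrictions for every key served for the shared login account.
OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"


def lookup(stdin_text, owners=KEY_OWNERS):
    """Return the authorized_keys line for the offered key, or '' to deny."""
    fields = stdin_text.split()
    if len(fields) < 2:
        return ""
    key_type, blob = fields[0], fields[1]
    try:
        # Re-encode so only well-formed base64 is ever compared or echoed.
        blob = base64.b64encode(base64.b64decode(blob, validate=True)).decode()
    except (binascii.Error, ValueError):
        return ""
    owner = owners.get((key_type, blob))
    if owner is None:
        return ""
    # The forced command carries the identity derived from the key, so the
    # shared account (e.g. "git") can tell its users apart.
    # "repo-shell" is a hypothetical program name.
    return f'command="repo-shell {owner}",{OPTIONS} {key_type} {blob}\n'


def main():
    # Read stdin to EOF first: the helper always consumes what sshd sent,
    # which is the condition the README's deadlock caveat asks for.
    offered = sys.stdin.read()
    sys.stdout.write(lookup(offered))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

An empty output means no key is authorized, so unknown, malformed or missing input all result in a denial.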
Daniel Kahn Gillmor
2014-Mar-20 20:17 UTC
patch to send incoming key to AuthorizedKeysCommand via stdin
On 03/20/2014 03:58 PM, Scott Duckworth wrote:
> I have created a patch for openssh which modifies the AuthorizedKeysCommand
> directive so that the incoming user's public key is sent to the specified
> program via stdin. This provides a means to identify the connecting user
> based solely on their public key and not just by the username.

This sounds like a good approach to me; you're not the first person to consider this, but i like the semantics of your proposal better than other proposals i've seen.

Could you provide the patch against the mainline as an attachment to:

https://bugzilla.mindrot.org/show_bug.cgi?id=2081

with a brief comment about how what you've done is different from what's there already?

> The patches for different openssh versions can be found at
> https://bitbucket.org/ClemsonSoCUnix/django-sshkey. The README.md file
> describes some caveats, including the possibility for deadlock if the
> command specified with AuthorizedKeysCommand does not fully consume or
> close its standard input.

This is worrisome. sshd itself shouldn't be adversely affected by subcommand failing to process the data in any way. Do you see any way to make sshd more robust in this case? (e.g. what if the key was provided as another command line parameter instead of stdin)

Regards,

--dkg
Marc Haber
2014-Mar-21 06:54 UTC
patch to send incoming key to AuthorizedKeysCommand via stdin
On Thu, Mar 20, 2014 at 03:58:25PM -0400, Scott Duckworth wrote:
> I have created a patch for openssh which modifies the AuthorizedKeysCommand
> directive so that the incoming user's public key is sent to the specified
> program via stdin.

I would not do that in stdin as this precludes many standard commands from being used here.

How about environment variables for key, fingerprint and probably comment? Wait, the ssh server doesn't know about a key's comment, does it?

Greetings
Marc

--
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062