Johannes Löthberg
2014-Dec-28 14:12 UTC
pubkey fingerprint and krb princ name in environment
Hey,

I use gitolite for git hosting on my server, and because I want to use kerberos authentication I patched OpenSSH to put the name of the kerberos principal or the ssh fingerprint in environment variables so my ForceCommand script can use them to actually authorize the user by the principal/fingerprint.

It's a bit annoying to keep my own patch and I thought it might be something that others might find useful too, so I thought I'd send an email to see if there would be any interest in including this upstream.

Both patches are attached, the kerberos principal one being made by Sven Geggus, and the pubkey fingerprint one being written by me.

Any comments on both would be well appreciated.

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://theos.kyriasis.com/~kyrias/

--- gss-serv-krb5.c.orig	2012-07-12 14:33:31.117551679 +0200
+++ gss-serv-krb5.c	2012-07-12 14:34:30.319020970 +0200
@@ -104,6 +104,11 @@
 	} else
 		retval = 0;
 
+#ifdef USE_PAM
+	if (options.use_pam)
+		do_pam_putenv("GSS_AUTH_KRB5_PRINC", (char *)client->displayname.value);
+#endif
+
 	krb5_free_principal(krb_context, princ);
 	return retval;
 }

Attachment: pubkey_fingerprint.patch (text/x-diff, 361 bytes): <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141228/a4082cbc/attachment.bin>
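Review bot: the export in this hunk happens only under `#ifdef USE_PAM` and only when `options.use_pam` is true, so an sshd built without PAM support, or running with UsePAM turned off, still authenticates the principal but never sets GSS_AUTH_KRB5_PRINC, and a ForceCommand script keyed on it will see an unset variable; either document that the variable requires PAM or set it through the session's own environment so it does not depend on that option. Separately, `(char *)client->displayname.value` hands a GSS-API buffer to do_pam_putenv as a C string; a gss_buffer_t carries an explicit `length` and NUL termination is not guaranteed by the API, so copy `displayname.length` bytes into a NUL-terminated buffer before exporting it.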
On Sun, 28 Dec 2014, Johannes Löthberg wrote:

> Hey,
>
> I use gitolite for git hosting on my server, and because I want to use
> kerberos authentication I patched OpenSSH to put the name of the kerberos
> principal or the ssh fingerprint as environment variables so my
> ForceCommand script can use them to actually authorize the user by the
> principal/fingerprint.

Nice - I've written something similar for private use in the past.

The main reason why something like this isn't in sshd already is that
I haven't reworked it to handle multiple authentication.

As of last week, sshd keeps a list of the user public keys that were
used in authentication. This should make implementing the pubkey bit
of this easier...

-d
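The ForceCommand authorizer described in this thread, as an added example written here rather than code from either patch, from gitolite or from OpenSSH: it reads GSS_AUTH_KRB5_PRINC (the variable the kerberos patch exports) or a hypothetical SSH_AUTH_PUBKEY_FP standing in for whatever the scrubbed fingerprint patch sets, requires an exact match in a constructed allowlist, and denies when neither variable is present, which is what a build without USE_PAM produces.

```sh
#!/bin/sh
# Added example, not code from the thread: map the identity sshd exported
# (GSS_AUTH_KRB5_PRINC from the patch, or a hypothetical SSH_AUTH_PUBKEY_FP)
# to a gitolite user and deny everything that does not match exactly.

# Constructed allowlist: "<kind> <identity> <gitolite-user>" per line.
# A real deployment would read this from a root-owned, mode 0644 file.
AUTHZ_MAP='krb5 alice@EXAMPLE.COM alice
krb5 bob/admin@EXAMPLE.COM bob
pubkey 43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 carol'

# lookup_identity KIND VALUE: validate VALUE's syntax for KIND, then require
# an exact whole-field match in the map. Prints the user on success; returns
# 1 (printing nothing) for malformed input or no match.
lookup_identity() {
    kind=$1 id=$2
    case "$kind" in
        krb5)   pat='^[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*@[A-Za-z0-9.-]+$' ;;
        pubkey) pat='^([0-9a-f]{2}:){15}[0-9a-f]{2}$' ;;  # hex MD5, as ssh-keygen printed it in 2014
        *)      return 1 ;;
    esac
    printf '%s\n' "$id" | grep -Eq "$pat" || return 1
    printf '%s\n' "$AUTHZ_MAP" |
        awk -v k="$kind" -v i="$id" '$1 == k && $2 == i { print $3; f = 1; exit } END { exit !f }'
}

# resolve_user PRINCIPAL FINGERPRINT: prefer the Kerberos principal, fall
# back to the key fingerprint, deny when neither is present. An empty
# principal is exactly what arrives when sshd was built without USE_PAM,
# since the patch only exports the variable through do_pam_putenv.
resolve_user() {
    if [ -n "$1" ]; then
        lookup_identity krb5 "$1"
    elif [ -n "$2" ]; then
        lookup_identity pubkey "$2"
    else
        return 1
    fi
}

# Entry point when sshd runs this as ForceCommand: sshd sets
# SSH_ORIGINAL_COMMAND to the git command the client asked for, and
# gitolite-shell (gitolite v3) takes the gitolite user name as its argument.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    user=$(resolve_user "${GSS_AUTH_KRB5_PRINC-}" "${SSH_AUTH_PUBKEY_FP-}") ||
        { echo "access denied" >&2; exit 1; }
    exec gitolite-shell "$user"
fi
```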
Johannes Löthberg
2015-Jan-08 10:08 UTC
pubkey fingerprint and krb princ name in environment
[Accidentally replied directly instead of to the list, sorry 'bout that]

On 30/12, Damien Miller wrote:

> As of last week, sshd keeps a list of the user public keys that were
> used in authentication. This should make implementing the pubkey bit
> of this easier...

Does it store the whole key, the fp or both? Because just the fingerprint is just a single line.

Anyway, that's awesome!

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://theos.kyriasis.com/~kyrias/