openssh unix dev - Nov 2018 - [PATCH] Expose the source address in AuthorizedKeysCommand

We can already inject 'from=' restrictions in the output of
``AuthorizedKeyCommand`` but we can not change the behavior of this
command based on the source address.

With the source address, it is possible for example to build a "Trust on
first use" mechanism similar to the ``StrictHostKeyChecking=accept-new``

This is useful in scenarios where a cluster of computers is
automatically provisioned in a trusted environment and then sent in the
field.

Signed-off-by: Jean-Tiare Le Bigot <jean-tiare.le-bigot at easymile.com>
---
 auth2-pubkey.c | 1 +
 sshd_config.5  | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 2fb5950e..b61706e8 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -933,6 +933,7 @@ user_key_command_allowed2(struct ssh *ssh, struct
passwd *user_pw,
                    "t", sshkey_ssh_name(key),
                    "f", key_fp,
                    "k", keytext,
+                   "a", ssh_remote_ipaddr(ssh),
                    (char *)NULL);
                if (tmp == NULL)
                        fatal("%s: percent_expand failed", __func__);
diff --git a/sshd_config.5 b/sshd_config.5
index c6484370..61dd180c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1773,10 +1773,12 @@ The key or certificate type.
 The numeric user ID of the target user.
 .It %u
 The username.
+.It %a
+The connection source IP address.
 .El
 .Pp
 .Cm AuthorizedKeysCommand
-accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
+accepts the tokens %%, %f, %h, %k, %t, %U, %u and %a.
 .Pp
 .Cm AuthorizedKeysFile
 accepts the tokens %%, %h, %U, and %u.
--
2.17.1

Hi,

I'm not quite sure this this is the right place to propose this patch. If
there is better place, could you hint me where to propose it ?

Thanks,

On Fri, 9 Nov 2018 at 16:06, Jean-Tiare LE BIGOT <
jean-tiare.le-bigot at easymile.com> wrote:
> We can already inject 'from=' restrictions in the output of
> ``AuthorizedKeyCommand`` but we can not change the behavior of this
> command based on the source address.
>
> With the source address, it is possible for example to build a "Trust
on
> first use" mechanism similar to the
``StrictHostKeyChecking=accept-new``
>
> This is useful in scenarios where a cluster of computers is
> automatically provisioned in a trusted environment and then sent in the
> field.
>
> Signed-off-by: Jean-Tiare Le Bigot <jean-tiare.le-bigot at
easymile.com>
> ---
>  auth2-pubkey.c | 1 +
>  sshd_config.5  | 4 +++-
>  2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/auth2-pubkey.c b/auth2-pubkey.c
> index 2fb5950e..b61706e8 100644
> --- a/auth2-pubkey.c
> +++ b/auth2-pubkey.c
> @@ -933,6 +933,7 @@ user_key_command_allowed2(struct ssh *ssh, struct
> passwd *user_pw,
>                     "t", sshkey_ssh_name(key),
>                     "f", key_fp,
>                     "k", keytext,
> +                   "a", ssh_remote_ipaddr(ssh),
>                     (char *)NULL);
>                 if (tmp == NULL)
>                         fatal("%s: percent_expand failed",
__func__);
> diff --git a/sshd_config.5 b/sshd_config.5
> index c6484370..61dd180c 100644
> --- a/sshd_config.5
> +++ b/sshd_config.5
> @@ -1773,10 +1773,12 @@ The key or certificate type.
>  The numeric user ID of the target user.
>  .It %u
>  The username.
> +.It %a
> +The connection source IP address.
>  .El
>  .Pp
>  .Cm AuthorizedKeysCommand
> -accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
> +accepts the tokens %%, %f, %h, %k, %t, %U, %u and %a.
>  .Pp
>  .Cm AuthorizedKeysFile
>  accepts the tokens %%, %h, %U, and %u.
> --
> 2.17.1
>

-- 
Jean-Tiare Le Bigot