bugzilla-daemon at mindrot.org
2012-Dec-23 14:50 UTC
[Bug 2054] New: Environment fails to provide cryptographic identity of remote party
bugzilla.mindrot.org/show_bug.cgi?id=2054

            Bug ID: 2054
           Summary: Environment fails to provide cryptographic identity of remote party
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.9p1
          Hardware: All
                OS: All
            Status: NEW
          Keywords: low-hanging-fruit, needs-release-note
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: walter.stanish at gmail.com

I am implementing a system that has a number of near-identical cloud nodes connect back to a single system. Each node has the central system's host key pre-loaded, and the central system likewise has the remote host keys pre-loaded. This basic key distribution and network connectivity all works fine, and as expected.

The problem is that the 'shell' program that executes when the cloud nodes connect needs to reliably determine the identity of the remote party, and the obvious place to do this is from sshd-initialized environment variables. Unfortunately, it seems that there is no way to determine the remote party's cryptographic identity using environment variables at present.

This causes issues in my application, which needs to relay the identity information to the application but does not wish to either (1) create separate unix-level users for each remote host, or (2) trust the remote host's application-level claims to a given identity.

I am therefore requesting that the OpenSSH development team consider adding a new environment variable, e.g. SSH_REMOTE_KEY, that corresponds to some kind of public key identifier for the remote party.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2012-Dec-23 14:59 UTC
[Bug 2054] Environment fails to provide cryptographic identity of remote party
bugzilla.mindrot.org/show_bug.cgi?id=2054

--- Comment #1 from walter.stanish at gmail.com ---

Further note: the classic SSH_CONNECTION environment variable is not useful in our deployment as the cloud nodes will move about frequently (thus IP and port combination are too temporary to be meaningful).
bugzilla-daemon at mindrot.org
2012-Dec-23 23:45 UTC
[Bug 2054] Environment fails to provide cryptographic identity of remote party
bugzilla.mindrot.org/show_bug.cgi?id=2054

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---

Assuming you're using public-key authentication (it's not clear if you're that or hostbased) you can use the "environment=" key directive in authorized_keys to implement something like this already, e.g.:

    environment="SSH_KEY=key1" AAAA[...]1
    environment="SSH_KEY=key2" AAAA[...]2

see the section on "AUTHORIZED_KEYS FILE FORMAT" in sshd(8). Note that you'll need to enable PermitUserEnvironment in sshd_config for this to work.
bugzilla-daemon at mindrot.org
2012-Dec-24 00:27 UTC
[Bug 2054] Environment fails to provide cryptographic identity of remote party
bugzilla.mindrot.org/show_bug.cgi?id=2054

--- Comment #3 from walter.stanish at gmail.com ---

Thanks, that method worked. Given the implicit overhead of maintaining a modified authorized keys file, perhaps some kind of public key identifier environment variable might still be a useful (if optional) feature.

Happy holidays :)
bugzilla-daemon at mindrot.org
2012-Dec-24 01:01 UTC
[Bug 2054] Environment fails to provide cryptographic identity of remote party
bugzilla.mindrot.org/show_bug.cgi?id=2054

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---

Actually I'd like to see something a bit more general: now that we have AuthenticationMethods, expose which ones were actually used as a comma-separated list with some optional identifying information, something like:

    SSH_AUTH_METHODS=password
    SSH_AUTH_METHODS=publickey(RSA;md5;11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee)
    SSH_AUTH_METHODS=keyboard-interactive,publickey(RSA;md5;11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee)

Not sure how much work this would be, though.
bugzilla-daemon at mindrot.org
2012-Dec-24 01:07 UTC
[Bug 2054] Environment fails to provide cryptographic identity of remote party
bugzilla.mindrot.org/show_bug.cgi?id=2054

--- Comment #5 from walter.stanish at gmail.com ---

How about a single environment variable that represents the most unique identifier available for the remote party, as viewed in terms of the authentication subsystem? This could be a hash like:

    <local_sshd_keyid_as_salt>:<scheme>:<scheme-specific data>

Or perhaps simply:

    <scheme>:<scheme-specific data>

In addition, detailed data such as that you suggest could be made available in separate, authentication-scheme-linked variables.
bugzilla-daemon at mindrot.org
2013-Oct-10 01:10 UTC
[Bug 2054] Environment fails to provide cryptographic identity of remote party
bugzilla.mindrot.org/show_bug.cgi?id=2054

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |frbrgeorge at gmail.com

--- Comment #6 from Damien Miller <djm at mindrot.org> ---

*** Bug 1821 has been marked as a duplicate of this bug. ***
bugzilla-daemon at mindrot.org
2022-Jan-14 04:39 UTC
[Bug 2054] Environment fails to provide cryptographic identity of remote party
bugzilla.mindrot.org/show_bug.cgi?id=2054

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org

--- Comment #7 from Damien Miller <djm at mindrot.org> ---

This has been possible since the addition of the sshd_config ExposeAuthInfo directive, added in OpenSSH 7.6.
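As an added example (not code from this thread or from OpenSSH), here is what the reporter's 'shell' program can do once ExposeAuthInfo is on: read the file named by SSH_USER_AUTH, fingerprint the key that actually authenticated the peer, and map that fingerprint to a node identity. It assumes the file's line format "method[/submethod] [keytype base64key] [extra]" as sshd writes it; the sample file content, the ed25519 key bytes and the allowlist are constructed for the example.

```python
import base64
import hashlib
import struct
from typing import Optional

# Constructed sample: a 32-byte ed25519 public key in SSH wire format
# (string "ssh-ed25519", string key), as it appears in the SSH_USER_AUTH file.
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_AUTH_INFO = (
    "publickey ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + "\n"
    "keyboard-interactive/pam\n"
)

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_auth_info(text: str) -> list:
    """One record per line of the SSH_USER_AUTH file, i.e. per method used."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        method, _, submethod = fields[0].partition("/")
        rec = {"method": method, "submethod": submethod or None,
               "keytype": None, "fingerprint": None}
        if len(fields) >= 3:
            blob = base64.b64decode(fields[2], validate=True)
            # The blob's leading string must equal the declared key type;
            # refuse to fingerprint anything that is not a well-formed key.
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != fields[1].encode():
                raise ValueError("key type mismatch on line: " + line)
            rec["keytype"] = fields[1]
            rec["fingerprint"] = fingerprint(blob)
        records.append(rec)
    return records

def identify_peer(text: str, allowlist: dict) -> Optional[str]:
    """Resolve the peer only through a key-backed method (publickey or
    hostbased); a session authenticated by password alone gets no identity."""
    for rec in parse_auth_info(text):
        if rec["method"] in ("publickey", "hostbased") and rec["fingerprint"]:
            return allowlist.get(rec["fingerprint"])
    return None
```

In the real session the text comes from `open(os.environ["SSH_USER_AUTH"]).read()`, and the allowlist keys are the SHA256 fingerprints that `ssh-keygen -lf` prints for each pre-loaded node key.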
bugzilla-daemon at mindrot.org
2022-Feb-25 02:59 UTC
[Bug 2054] Environment fails to provide cryptographic identity of remote party
bugzilla.mindrot.org/show_bug.cgi?id=2054

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #8 from Damien Miller <djm at mindrot.org> ---

Closing bugs resolved before openssh-8.9.