Hi guys,

It might be nice if AuthorizedKeysCommand would receive the fingerprint of the offered key as an argument, so that programs like gitolite could implement more refined key-based identity lookup that offers better performance than AuthorizedKeysFile's linear scan.

The following patch is untested but is the basic idea:

diff -ru openssh-6.2p1/auth2-pubkey.c openssh-6.2p1-modified/auth2-pubkey.c --- openssh-6.2p1/auth2-pubkey.c 2013-02-15 00:28:56.000000000 +0100 +++ openssh-6.2p1-modified/auth2-pubkey.c 2013-06-09 20:07:15.039975210 +0200 @@ -554,7 +554,8 @@ } execl(options.authorized_keys_command, - options.authorized_keys_command, user_pw->pw_name, NULL); + options.authorized_keys_command, user_pw->pw_name, + key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX), NULL); error("AuthorizedKeysCommand %s exec failed: %s", options.authorized_keys_command, strerror(errno));

Does this sound interesting?

Thanks,
Jason
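Review bot: the new argument is built with SSH_FP_MD5, so the command must treat it as a lookup hint only, not as proof of which key was offered; that is safe here only because sshd still compares every key line the command prints against the offered key, so a stale or colliding index entry fails authentication rather than granting it, and a short comment above the execl() call saying so would help future readers. The patch also leaves sshd_config(5)'s AuthorizedKeysCommand description unchanged, so the second argument (and the fact that older commands ignoring it keep working) still needs documenting.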
On 06/09/2013 02:20 PM, Jason A. Donenfeld wrote:
> It might be nice if AuthorizedKeysCommand would receive the fingerprint of
> the offered key as an argument, so that programs like gitolite could
> implement more refined key-based identity lookup that offers better
> performance than AuthorizedKeysFile's linear scan.

I like this proposal. A similar suggestion came up on January 14th of this year, in the thread started by Katsumoto San, Subject: "AuthorizedKeysCommand":
http://marc.info/?t=135817865200002&r=1&w=2

If the goal is to pass information about the key, I'd rather that the information passed was the entire key, not just the fingerprint. Maybe your patch could put the full key in some canonical form as the next parameter instead of just the fpr?

One nice thing about your proposed patch is that existing AuthorizedKeysCommand implementations will still work, but newer implementations can take advantage of the second parameter (if present) to minimize the work they need to do.

--dkg
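What a command taking advantage of the optional second argument could look like, as an added example that is neither gitolite's nor OpenSSH's code: it uses the fingerprint as a fast-path index and falls back to the full per-user scan when an older sshd omits it. It assumes a layout of my own choosing, keys under $KEYDIR/<user>/*.pub and a by-fingerprint index under $KEYDIR/by-fpr/.

```shell
#!/bin/sh
# Example AuthorizedKeysCommand (illustration only, not gitolite's or OpenSSH's code).
# sshd would invoke it as:  command <user> [<fingerprint>]
# Assumed layout: $KEYDIR/<user>/*.pub holds the user's keys and
# $KEYDIR/by-fpr/<fingerprint> holds a copy of the one matching key line.
KEYDIR="${KEYDIR:-/var/lib/ssh-keys}"

# Print authorized_keys lines for user "$1", using fingerprint "$2" as a hint if given.
lookup_keys() {
    user=$1
    fpr=$2
    # Accept only a plain account name: no path separators, no "." or "..".
    case $user in
        ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    if [ -n "$fpr" ]; then
        # key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX) yields colon-separated lowercase hex;
        # anything else is refused rather than used as a file name.
        case $fpr in
            ''|*[!0-9a-f:]*) return 1 ;;
        esac
        # Fast path: one file per fingerprint. The fingerprint is only a lookup hint:
        # sshd still compares the returned line against the offered key, so a stale or
        # colliding entry fails authentication instead of granting it.
        if [ -f "$KEYDIR/by-fpr/$fpr" ]; then
            cat "$KEYDIR/by-fpr/$fpr"
            return 0
        fi
    fi
    # Slow path (no fingerprint argument, or no index hit): emit all of the user's keys.
    [ -d "$KEYDIR/$user" ] || return 1
    cat "$KEYDIR/$user"/*.pub 2>/dev/null
}

# Act as the command when invoked with arguments; a sourced test can call lookup_keys directly.
if [ $# -ge 1 ]; then
    lookup_keys "$@"
fi
```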