Francois Leurent
2014-Feb-05 10:44 UTC
Make SSH_ORIGINAL_COMMAND available in AuthorizedKeysCommand context
Hi

Using SSH_ORIGINAL_COMMAND in AuthorizedKeys is so helpful, I'd like to know if it might be possible to access it in the AuthorizedKeysCommand context (via env?). Is this possible? Can anybody give me advice on going into this?

If possible, I'll use this SSH_ORIGINAL_COMMAND to send client-specific information to the AuthorizedKeysCommand script.

Currently, the only alternative to this is to use the login itself (we have around 30k+ different 'hosts' that might want to connect to our servers) to identify the client, but that comes with the need for a custom nss endpoint configuration (we use libnss-pgsql2) to support dynamic user lookup, and more work (to manage uid & co).

Using 'one' standard user file was enough (and a lot simpler), as those hosts don't need to do anything but set up a reverse port forwarding rule, and are bound to a very limited shell.

My (now useless) /home/host_controler/.ssh/authorized_keys file (built on a cron run) was like:

    command="limited_shell.sh --host_id=XXX1 $SSH_ORIGINAL_COMMAND" ssh-rsa pubkey of host 1"
    command="limited_shell.sh --host_id=XXX2 $SSH_ORIGINAL_COMMAND" ssh-rsa pubkey of host 2"
    command="limited_shell.sh --host_id=XXX3 $SSH_ORIGINAL_COMMAND" ssh-rsa pubkey of host 3"
    ...

Thank you very much for your help

Francois Leurent
Damien Miller
2014-Feb-05 12:25 UTC
Make SSH_ORIGINAL_COMMAND available in AuthorizedKeysCommand context
On Wed, 5 Feb 2014, Francois Leurent wrote:

> Hi
>
> Using SSH_ORIGINAL_COMMAND in AuthorizedKeys is so helpful,
> I'd like to know if it might be possible to access it in the
> AuthorizedKeysCommand context (via env ?). Is this possible ? can
> anybody give me advice on going into this ?

Can't be done sorry - authentication happens well before the command is sent.

When command="..." is specified in authorized_keys and the output of AuthorizedKeysCommand, it's just saving the restriction for later once authentication has completed and the protocol has progressed far enough for the client to request a shell or command execution.

-d
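As an added example (not code from either poster), the two pieces the first message describes: a `limited_shell` forced-command handler that reads the `--host_id=` the cron-built authorized_keys entry passes in and accepts only the requests a port-forwarding-only client needs, and a generator for those entries that quotes `$SSH_ORIGINAL_COMMAND` (so it arrives as one argument) and adds the usual `no-pty`/`no-X11-forwarding`/`no-agent-forwarding` restrictions. Host ids, the allow-list and the log format are constructed assumptions.

```shell
#!/bin/sh
# Constructed example. sshd runs the forced command through the user's shell,
# so SSH_ORIGINAL_COMMAND is expanded there; an empty value means the client
# asked for a plain shell (e.g. "ssh -R ... host" with no command).

# Allowed client requests: nothing (port-forward-only session) or a keepalive.
is_allowed_command() {
    case "$1" in
        ""|ping) return 0 ;;
        *)       return 1 ;;
    esac
}

# Host ids come from our own authorized_keys file, but validate them anyway so a
# malformed entry cannot smuggle shell metacharacters into later processing.
valid_host_id() {
    case "$1" in
        ""|*[!A-Za-z0-9_]*) return 1 ;;
        *)                  return 0 ;;
    esac
}

# limited_shell --host_id=ID [ORIGINAL_COMMAND...]
# Returns 0 and prints an accept line, or returns 1 and logs the rejection.
limited_shell() {
    case "$1" in
        --host_id=*) host_id=${1#--host_id=} ;;
        *) printf 'reject reason=missing-host-id\n' >&2; return 1 ;;
    esac
    shift
    orig=$*
    if ! valid_host_id "$host_id"; then
        printf 'reject host_id=%s reason=bad-host-id\n' "$host_id" >&2
        return 1
    fi
    if ! is_allowed_command "$orig"; then
        printf 'reject host_id=%s reason=command-not-allowed cmd=%s\n' \
            "$host_id" "$orig" >&2
        return 1
    fi
    printf 'accept host_id=%s cmd=%s\n' "$host_id" "$orig"
}

# authorized_keys_line ID PUBKEY: one entry for the cron-generated file. The
# inner \" keeps SSH_ORIGINAL_COMMAND as a single argument instead of being
# word-split, and the no-* options leave the key usable only for forwarding.
authorized_keys_line() {
    printf 'command="limited_shell.sh --host_id=%s \\"$SSH_ORIGINAL_COMMAND\\"",no-pty,no-X11-forwarding,no-agent-forwarding %s\n' "$1" "$2"
}
```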