Anton Worshevsky
2017-Apr-26 03:00 UTC
sshd: SSH_CLIENT_CERT and SSH_CLIENT_PUBKEY env variables
Hello,

There are environment variables SSH_CLIENT and SSH_CONNECTION with information about the client of the current session.

I want to implement new variables with info about the credentials used for session authentication. Such as:

SSH_CLIENT_CERT
SSH_CLIENT_CERT_ID
SSH_CLIENT_CERT_PRINCIPALS

SSH_CLIENT_PUBKEY
SSH_CLIENT_PUBKEY_FINGERPRINT

Some of that information is available in logs but not inside the session.
Is there a good reason why it's not implemented yet?
Do I need to hold myself back from writing it? =)

--
Anton Worshevsky
Jakub Jelen
2017-Apr-26 08:52 UTC
sshd: SSH_CLIENT_CERT and SSH_CLIENT_PUBKEY env variables
On 04/26/2017 05:00 AM, Anton Worshevsky wrote:
> Hello,
>
> There are environment variables SSH_CLIENT and SSH_CONNECTION
> with information about client of current session.
>
> I want to implement new variables with info about credentials used for session authentication.
> Such as:
>
> SSH_CLIENT_CERT
> SSH_CLIENT_CERT_ID
> SSH_CLIENT_CERT_PRINCIPALS
>
> SSH_CLIENT_PUBKEY
> SSH_CLIENT_PUBKEY_FINGERPRINT
>
> Some of that information available in logs but not inside the session.
> Is there good reason why it's not implemented yet?
> Do i need to hold myself from writing it? =)

Hello,

A very similar thing was already implemented and is waiting for review, more use cases or higher interest from users:

https://bugzilla.mindrot.org/show_bug.cgi?id=2408

This creates the variable SSH_USER_AUTH, which contains all the successfully used authentication methods with all the needed information. It also provides configuration options to expose this information to PAM (for possible additional authentication methods outside of SSH) or to the user session.

Rather than implementing something new, it would be better to work on improving this feature to suit your needs and merging it upstream.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
Anton Worshevsky
2017-May-04 16:45 UTC
sshd: SSH_CLIENT_CERT and SSH_CLIENT_PUBKEY env variables
On Wed, 26 Apr 2017 10:52:07 +0200
Jakub Jelen <jjelen at redhat.com> wrote:

JJ> > There are environment variables SSH_CLIENT and SSH_CONNECTION
JJ> > with information about client of current session.
JJ> >
JJ> > I want to implement new variables with info about credentials used for session authentication.
JJ> > Such as:
JJ> >
JJ> > SSH_CLIENT_CERT
JJ> > SSH_CLIENT_CERT_ID
JJ> > SSH_CLIENT_CERT_PRINCIPALS
JJ> >
JJ> > SSH_CLIENT_PUBKEY
JJ> > SSH_CLIENT_PUBKEY_FINGERPRINT
JJ> >
JJ> > Some of that information available in logs but not inside the session.
JJ> > Is there good reason why it's not implemented yet?
JJ> > Do i need to hold myself from writing it? =)
JJ>
JJ> very similar thing was already implemented by and waits for review, more
JJ> use cases or higher interest by users:
JJ>
JJ> https://bugzilla.mindrot.org/show_bug.cgi?id=2408
JJ>
JJ> This creates variables SSH_USER_AUTH which contains all the successfully
JJ> used authentication methods with all the needed information. It also
JJ> provides configuration options to expose these information to PAM (for
JJ> possible additional authentication methods outside of SSH) or to user
JJ> session.
JJ>
JJ> Rather than implementing something new, it would be better to work on
JJ> improving this feature to suit your needs and merging it upstream.

Thank you for pointing me in the right direction.
After reading the patch I see now it's not so easy because of privilege separation.
Also, PAM support will be usable in many more use cases.

I cannot provide a review from a security standpoint, but I plan to test the shell use case and enhance it if needed.

My use case: use sshd for authentication but expose the verified pubkey/certificate to an API server application for sophisticated authorization by role-based access control. PAM is not used for several reasons.

Regards,
--
Anton Worshevsky
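The use case in the last message (sshd does the authentication, the application does role-based authorization on the identity sshd exports into the session), as an added example; this is not code from the thread, from OpenSSH, or from the bug 2408 patch. It uses the variable names proposed in the first message, but their formats are assumptions of this example (comma-separated certificate principals; an authorized_keys-style public key line), since the thread defines none. The fingerprint routine implements OpenSSH's SHA256 fingerprint format (base64 of the SHA-256 of the key blob, with `=` padding stripped), and the sample key line is a constructed all-zero placeholder, not a real key.

```python
import base64
import hashlib
import os
import struct

# Variable names from the proposal in the thread. Their formats are
# assumptions of this example: the thread never defines one.
PRINCIPALS_VAR = "SSH_CLIENT_CERT_PRINCIPALS"  # assumed: comma-separated
PUBKEY_VAR = "SSH_CLIENT_PUBKEY"               # assumed: "type base64 [comment]"

# Constructed sample: a syntactically valid ssh-ed25519 blob whose 32 key
# bytes are all zero. Placeholder only, not a usable key.
EXAMPLE_KEY_LINE = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + "AAAA" * 10
                    + " constructed@example")


def parse_pubkey_line(line):
    """Split 'type base64blob [comment]' and check that the type string
    embedded at the start of the blob matches the declared type, the same
    consistency check the authorized_keys parser performs."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype, blob_b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(blob_b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("declared key type does not match blob")
    return keytype, blob, comment


def fingerprint_from_blob(blob):
    """OpenSSH 'SHA256:' fingerprint: unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def identities_from_env(env):
    """Collect the identities sshd exported for this session: certificate
    principals and/or the fingerprint of the public key. Any malformed key
    material empties the set, so callers fail closed."""
    ids = set()
    for p in env.get(PRINCIPALS_VAR, "").split(","):
        if p.strip():
            ids.add(p.strip())
    line = env.get(PUBKEY_VAR)
    if line:
        try:
            _, blob, _ = parse_pubkey_line(line)
        except ValueError:
            return set()  # trust nothing if the exported key does not parse
        ids.add(fingerprint_from_blob(blob))
    return ids


def authorize(env, action, permissions):
    """Return True only if some exported identity (principal or fingerprint)
    is granted `action` in the permissions map. Missing variables -> False."""
    allowed = set()
    for ident in identities_from_env(env):
        allowed |= permissions.get(ident, set())
    return action in allowed


if __name__ == "__main__":
    # Constructed role model keyed by certificate principal or key fingerprint.
    permissions = {
        "deployer": {"service:restart", "service:status"},
        "auditor": {"service:status", "logs:read"},
    }
    for action in ("service:status", "logs:read"):
        print(action, "->", authorize(os.environ, action, permissions))
```

Whatever shape the upstream feature ends up with, the application should act only on variables that sshd itself sets after authentication, never on ones a client could inject through AcceptEnv, and it should fail closed when they are absent or malformed, as `identities_from_env` does here.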