Displaying 4 results from an estimated 4 matches for "user_key_command_allowed2".
2019 May 20
4
Authenticate against key files before AuthorizedKeysCommand
Hello,
Currently OpenSSH has a fixed order on how the key authenticates the
user: at first it tries to authenticate against TrustedUserCAKeys,
afterwards it does it against the output keys from the
AuthorizedKeysCommand and finally against the files as set in
AuthorizedKeysFile. I have a use case where this order is not ideal.
This is because in my case the command fetches keys from the cloud
2013 Feb 14
1
auth2-pubkey.c - change an error message
Hi.
The error message 'AuthorizedKeyCommandUser \"%s\" not found' in user_key_command_allowed2()
should inform about non-existing username, not about command.
--- auth2-pubkey.c 14 Nov 2012 08:04:02 -0000 1.36
+++ auth2-pubkey.c 14 Feb 2013 16:50:04 -0000
@@ -480,7 +480,7 @@
pw = getpwnam(username);
if (pw == NULL) {
error("AuthorizedKeyCommandUser \"%s\" not found:...
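Review bot: the string on the error() line spells the option "AuthorizedKeyCommandUser", but the sshd_config keyword is AuthorizedKeysCommandUser. Since this patch already rewords that message, correct the spelling in the same change so the log line matches the directive an administrator would search for in the configuration.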
2014 Jun 27
1
Using AuthorizedKeysCommand in unprivileged sshd mode
...user at dedicated port
to serve specific application.
It is working perfectly!
One tweak I had to do: since the AuthorizedKeysCommand feature requires the
file to be owned by root, I had to use a root-owned command in a root-owned
directory, although it does not add any security value.
At auth2-pubkey.c::user_key_command_allowed2(), we have the following:
    if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
        errmsg, sizeof(errmsg)) != 0) {
            error("Unsafe AuthorizedKeysCommand: %s", errmsg);
            goto out;
    }
This enforces root uid explicitly (...
2012 Nov 13
1
problem with AuthorizedKeysCommand on OpenBSD
..._answer_keyallowed: key_from_blob: 0x81973440
debug1: temporarily_use_uid: 32767/32767 (e=0/0)
debug3: Running AuthorizedKeysCommand: "/usr/local/libexec/ssh-ldap-wrapper" as "nobody"
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 32767/32767 (e=0/0)
debug2: key not found
user_key_command_allowed2: dup2: Bad file descriptor
AuthorizedKeysCommand /usr/local/libexec/ssh-ldap-wrapper returned status 1
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
...
Any suggestions, folks?
Thanks,
==ml
--
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLu...