similar to: problem with AuthorizedKeysCommand on OpenBSD

Hi, I've been kicking this idea around, and the problem with it escapes me. I'm looking for someone to tell me why this is a bad idea. The new OpenSSH includes the AuthorizedKeysCommand, which was mostly added to let people use a command to look up user keys in LDAP. LDAP key lookup have some limitations -- specifically, the common openssh-lpk_openldap schema won't let you add

Hi, Thought there would be some interest here. I'm writing a small book on OpenSSH. Am now looking for tech reviewers. http://blather.michaelwlucas.com/archives/902 ==ml -- Michael W. Lucas http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ Latest book: Network Flow Analysis http://www.networkflowanalysis.com/ mwlucas at BlackHelicopters.org, Twitter @mwlauthor

Hi, I'm running Samba 4.0.8, on FreeBSD 9.2, from operating system packages, as a DC. I have a BDC, running the same. I'm using a Windows 7 workstation with "Active Directory Users and Computers" snap-in to manage usernames, passwords, etc. The workstation is part of the domain, and I'm logged on as Administrator in the domain. I can create groups and add members to them

Hi, I've recently published a short book on OpenSSH, as part of my "exterminate ALL the passwords" initiative. I'm giving copies to anyone who is interested in writing a review for a blog -- either theirs, or a tech association they're with, or basically anywhere. http://www.michaelwlucas.com/nonfiction/ssh-mastery Please contact me off-list if interested. Thanks, ==ml

Hi folks, Is there any hope for an external source of public keys, such as given in bug 1663? I have dozens of servers, and I have to patch sshd on the vast majority of them. OpenSSH is a BSD program, but the BSD boxes are the most difficult to manage because of this. Thanks, ==ml -- Michael W. Lucas http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ Latest book: SSH Mastery

Hi, I have a setup in which I run sshd as unprivileged user at dedicated port to serve specific application. It is working perfectly! One tweak I had to do, since the AuthorizedKeysCommand feature requires file to be owned by root, I had to use root owned command at root owned directory, although it does not add a security value. At auth2-pubkey.c::user_key_command_allowed2(), we have the

Hello, Currently OpenSSH has a fixed order on how the key authenticates the user: at first it tries to authenticate against TrustedUserCAKeys, afterwards it does it against the output keys from the AuthorizedKeysCommand and finally against the files as set in AuthorizedKeysFile. I have an use-case where this order is not ideal. This is because in my case the command fetches keys from the cloud

https://bugzilla.mindrot.org/show_bug.cgi?id=2092 Bug ID: 2092 Summary: AuthorizedKeysCommand: bad ownership or modes for file Classification: Unclassified Product: Portable OpenSSH Version: 6.2p1 Hardware: amd64 OS: Linux Status: NEW Severity: minor Priority: P5 Component: sshd

Is there any way to make the AuthorizedKeysCommand as the user which is trying to log in? Thanks. -- Yves.

https://bugzilla.mindrot.org/show_bug.cgi?id=2161 Bug ID: 2161 Summary: AuthorizedKeysCommand is not executed when defined inside Match block Product: Portable OpenSSH Version: -current Hardware: All OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd

Hi, I just commited the patch on https://bugzilla.mindrot.org/b/1663 It adds an AuthorizedKeysCommand option to sshd_config to use helper program to fetch a user's authorized keys. Quite a few people have asked for this to allow storage of public keys in LDAP or other databases. The program is executed (directly, not via the shell) with a single argument of the user being logged in. It

https://bugzilla.mindrot.org/show_bug.cgi?id=3574 Bug ID: 3574 Summary: ssh ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set Product: Portable OpenSSH Version: 9.3p1 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component:

Hi, I installed Wine 20050111 on my FreeBSD 6-current (freshly updated yesterday afternoon) to play SimCity 2000. Whenever I start the program with "wine SIMCITY.EXE", the various start-up pop-ups appear, as well as the dialog asking if you want to start a new city, open an old city, etc. I get the side toolbar. The main window where you play the game is never drawn, however; it

https://bugzilla.mindrot.org/show_bug.cgi?id=2287 Bug ID: 2287 Summary: AuthorizedKeysCommandUser should have it's default documented Product: Portable OpenSSH Version: 6.2p1 Hardware: All OS: All Status: NEW Severity: trivial Priority: P5 Component:

I see that support for AuthorizedKeysCommand has been added. The arguments supplied to the command is just the authenticating user. Can we add the SSH connection details (ie. source and destination IPs and ports) as well? This command seems to be the idea way of requiring one set of credentials from inside an organisation (say the user's own authorized_keys file) and another set from outside

Hi guys, It might be nice if AuthorizedKeysCommand would receive the fingerprint of the offered key as an argument, so that programs like gitolite could implement more refined key-based identity lookup that offers better performance than AuthorizedKeysFile's linear scan. The following patch is untested but is the basic idea: diff -ru openssh-6.2p1/auth2-pubkey.c

Hi Using SSH_ORIGINAL_COMMAND in AuthorizedKeys is so helpful, I'd like to know if it might be possible to access it in the AuthorizedKeysCommand context (via env ?). Is this possible ? can anybody give me advice on going into this ? If possible, I'll use this SSH_ORIGINAL_COMMAND to send client specifics information to the AuthorizedKeysCommand script. Currently, the only alternative

https://bugzilla.mindrot.org/show_bug.cgi?id=2367 Bug ID: 2367 Summary: AuthorizedKeysCommand add key fingerprint as second argument Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: FreeBSD Status: NEW Severity: enhancement Priority: P5 Component: sshd

Hi all, I'm new to the list, so please forgive me if this is duplicated effort. I have created a patch for openssh which modifies the AuthorizedKeysCommand directive so that the incoming user's public key is sent to the specified program via stdin. This provides a means to identify the connecting user based solely on their public key and not just by the username. The inspiration for

I'm running into issues with AuthorizedKeysCommand when the sum of the size of the public keys become bigger than ~ 12 KB. I created a bash script that runs #!/bin/bash curl -s --compressed http://someurl.example.com/pubkeys/$1 and am getting "error: returned status 23". CURLE_WRITE_ERROR (23): An error occurred when writing received data to a local file, or an error