Displaying 20 results from an estimated 4000 matches similar to: "AuthorizedKeysCommand"
2013 Jun 09
1
pass fingerprint to authorizedkeyscommand
Hi guys,
It might be nice if AuthorizedKeysCommand would receive the fingerprint of
the offered key as an argument, so that programs like gitolite could
implement more refined key-based identity lookup that offers better
performance than AuthorizedKeysFile's linear scan.
The following patch is untested but is the basic idea:
diff -ru openssh-6.2p1/auth2-pubkey.c
2012 Nov 20
4
Connection info with AuthorizedKeysCommand
I see that support for AuthorizedKeysCommand has been added. The
arguments supplied to the command is just the authenticating user. Can
we add the SSH connection details (ie. source and destination IPs and
ports) as well?
This command seems to be the idea way of requiring one set of
credentials from inside an organisation (say the user's own
authorized_keys file) and another set from outside
2012 Oct 31
5
AuthorizedKeysCommand support added
Hi,
I just commited the patch on https://bugzilla.mindrot.org/b/1663 It adds
an AuthorizedKeysCommand option to sshd_config to use helper program to
fetch a user's authorized keys. Quite a few people have asked for this
to allow storage of public keys in LDAP or other databases.
The program is executed (directly, not via the shell) with a single
argument of the user being logged in. It
2016 Jul 09
2
SSH multi factor authentication
On Thu, Jul 7, 2016 at 10:00 AM, Bruce F Bading <badingb at us.ibm.com> wrote:
>
> Hi Gentlemen,
>
> Thank you both for your valued opinion. I do however agree that public key
> authentication cannot be fully considered MFA as have 2 PCI QSAs I have
> spoken with. This is because it is not enforceable server side. Many
> things can affect client side security.
>
2014 Feb 05
1
Make SSH_ORIGINAL_COMMAND available in AuthorizedKeysCommand context
Hi
Using SSH_ORIGINAL_COMMAND in AuthorizedKeys is so helpful, I'd like to
know if it might be possible to access it in the AuthorizedKeysCommand
context (via env ?). Is this possible ? can anybody give me advice on
going into this ?
If possible, I'll use this SSH_ORIGINAL_COMMAND to send client specifics
information to the AuthorizedKeysCommand script. Currently, the only
alternative
2013 Apr 04
2
AuthorizedKeysCommand question
Hi,
is there a particular reason why this feature is "user" based and not
"user-pubkey" based?
What I mean is that it works for installation with small number of pubkeys
per user.
But imagine i.e. a GitHub scale - all users logging in as user "git". On
each auth request all the keys from database would be fetched and feeded to
OpenSSH.
Now I am only asking this out
2019 Mar 07
2
Dynamically allow users with OpenSSH?
Peter and Jason, thanks for your replies on this.
I was able to accomplish this with a combination of Peter's solution
and setting "AuthorizedKeysFile none" as suggested in the Stack
Overflow question.
On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot at hda3.com> wrote:
>
> why aren't the authorized keys/principals commands sufficient?
>
> $ getent group
2013 Jun 19
4
AuthorizedKeysCommand idea
Hi,
I've been kicking this idea around, and the problem with it escapes
me. I'm looking for someone to tell me why this is a bad idea.
The new OpenSSH includes the AuthorizedKeysCommand, which was mostly
added to let people use a command to look up user keys in LDAP.
LDAP key lookup have some limitations -- specifically, the common
openssh-lpk_openldap schema won't let you add
2019 Mar 06
3
Dynamically allow users with OpenSSH?
Hello, how can I dynamically allow or disallow users with OpenSSH? I
have some nodes that users can submit jobs to, and can optionally be
handed a session to the requested node. But I want to prevent them
from SSH-ing in to nodes unless they have a job running on that node.
My idea was to implement libssh's callback abilities and have a script
that checks the username against jobs running on
2019 May 20
4
Authenticate against key files before AuthorizedKeysCommand
Hello,
Currently OpenSSH has a fixed order on how the key authenticates the
user: at first it tries to authenticate against TrustedUserCAKeys,
afterwards it does it against the output keys from the
AuthorizedKeysCommand and finally against the files as set in
AuthorizedKeysFile. I have an use-case where this order is not ideal.
This is because in my case the command fetches keys from the cloud
2013 Oct 17
10
[Bug 2161] New: AuthorizedKeysCommand is not executed when defined inside Match block
https://bugzilla.mindrot.org/show_bug.cgi?id=2161
Bug ID: 2161
Summary: AuthorizedKeysCommand is not executed when defined
inside Match block
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
2016 Jul 09
2
SSH multi factor authentication
On Sat, Jul 9, 2016 at 10:30 AM, Ben Lindstrom <mouring at eviladmin.org> wrote:
> You'd do this by either moving the authorized_keys to another a root owned
> location using "AuthorizedKeysFile" (e.g. AuthorizedKeysFile
> /etc/ssh/keys/authorized_keys.%u). Or you use "AuthorizedKeysCommand" and
> put the keys into a "database" to reference
2023 Nov 12
1
Match Principal enhancement
AFAIK everything you described here could be done using the
AuthorizedKeysCommand or AuthorizedPrincipalsCommand directives. These
can emit authorized_keys options (inc. permitopen) as well as the allowed
keys/principals.
On Sun, 12 Nov 2023, Bret Giddings wrote:
> Hi OpenSSH devs,
>
> I?m wondering if the following has any merit and can be done securely ...
>
> If you could
2023 Nov 12
1
Match Principal enhancement
Hi OpenSSH devs,
I?m wondering if the following has any merit and can be done securely ...
If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like
/etc/ssh/authorized_keys/sshfwd:
cert-authority,principals=?batcha-fwd,batchb-fwd? ...
/etc/ssh/sshd_config containing:
Match User sshfwd
PubkeyAuthentication yes
2012 Nov 13
1
problem with AuthorizedKeysCommand on OpenBSD
Hi,
I'm attempting to test the AuthorizedKeysCommand feature with the new
port of ssh-ldap-wrapper to OpenBSD. I'm running yesterday's
OpenBSD-current i386 snapshot, which includes AuthorizedKeysCommand.
The port of ssh-ldap-helper (at
http://old.nabble.com/-new--ssh-ldap-helper-td34667413.html) contains
all the bits I need, and the individual pieces appear to work once
configured:
2020 Jun 03
7
Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source
I don't see a way to do this currently (unless I am missing something)
but I would like to be able to specify, that in order for a user to
login, they need to use at least 1 public key from 2 separate key
sources.? Specifically this would be when using "AuthenticationMethods
publickey,publickey".? Right now requiring 2 public keys for
authentication will allow 2 public keys from
2014 Jun 27
1
Using AuthorizedKeysCommand in unprivileged sshd mode
Hi,
I have a setup in which I run sshd as unprivileged user at dedicated port
to serve specific application.
It is working perfectly!
One tweak I had to do, since the AuthorizedKeysCommand feature requires
file to be owned by root, I had to use root owned command at root owned
directory, although it does not add a security value.
At auth2-pubkey.c::user_key_command_allowed2(), we have the
2014 May 30
2
AuthorizedKeysCommand run as the user
Is there any way to make the AuthorizedKeysCommand as the user which is trying
to log in?
Thanks.
--
Yves.
2014 Mar 20
2
patch to send incoming key to AuthorizedKeysCommand via stdin
Hi all,
I'm new to the list, so please forgive me if this is duplicated effort.
I have created a patch for openssh which modifies the AuthorizedKeysCommand
directive so that the incoming user's public key is sent to the specified
program via stdin. This provides a means to identify the connecting user
based solely on their public key and not just by the username.
The inspiration for
2013 Oct 22
2
[Proposal] Add ability to read authorized keys from shell script instead of file
File authorized_keys is unusable for mass key storage and manipulation. I
wan to store keys in something like mysql server, but It will add big
unwanted dependency to package. What if we use auth_rsa.c but instead
search in file send key to some script and read sigle return value if key
finded and empty if not. I think it will be very customizable.
--
With Best Regards,
Constantine