Re: patch to send incoming key to AuthorizedKeysCommand via stdin


On 03/20/2014 03:58 PM, Scott Duckworth wrote:
> I have created a patch for openssh which modifies the AuthorizedKeysCommand
> directive so that the incoming user's public key is sent to the specified
> program via stdin.  This provides a means to identify the connecting user
> based solely on their public key and not just by the username.

This sounds like a good approach to me; you're not the first person to
consider this, but I like the semantics of your proposal better than
other proposals I've seen.  Could you provide the patch against the
mainline as an attachment to:

https://bugzilla.mindrot.org/show_bug.cgi?id=2081

with a brief comment about how what you've done is different from what's
there already?

> The patches for different openssh versions can be found at
> https://bitbucket.org/ClemsonSoCUnix/django-sshkey.  The README.md file
> describes some caveats, including the possibility for deadlock if the
> command specified with AuthorizedKeysCommand does not fully consume or
> close its standard input.

This is worrisome.  sshd itself shouldn't be adversely affected by the
subcommand failing to process the data in any way.  Do you see any way
to make sshd more robust in this case?  (e.g. what if the key were
provided as another command line parameter instead of stdin?)

Regards,

	--dkg

Attachment: signature.asc
Description: OpenPGP digital signature
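To make the stdin semantics discussed above concrete, here is an added example of an AuthorizedKeysCommand handler written for this page; it is not code from the django-sshkey patch, from OpenSSH, or from either poster. It assumes the contract the thread describes: sshd invokes the command with the account name as argv[1] and writes the offered public key to stdin as one authorized_keys-style line ("type base64 [comment]"); the command prints the matching authorized_keys lines on stdout. The in-memory KEY_DB and ALLOWED tables, the placeholder key blobs, and the fallback to "all keys for the account" when stdin is empty are constructed for the example and stand in for the database query a real deployment would make. The handler reads stdin to EOF before doing anything else, which is the behaviour the README's deadlock caveat asks of the command.

```python
#!/usr/bin/env python3
"""Added example: AuthorizedKeysCommand handler that keys off the offered
public key sent on stdin (assumed contract from the thread, not OpenSSH's own
code).  sshd is assumed to pass the account name as argv[1] and the key as one
line on stdin; we print the authorized_keys lines that apply."""
import sys

# Constructed sample data: (key type, base64 blob) -> (owner, authorized_keys line).
# The blobs are placeholders, not real keys.
KEY_DB = {
    ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE"): (
        "alice@laptop",
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE alice@laptop",
    ),
    ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO"): (
        "bob@deploy",
        "no-pty,no-port-forwarding ssh-ed25519 "
        "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO bob@deploy",
    ),
}

# Constructed policy: which key owners may log in to which local account.
ALLOWED = {
    "git": {"alice@laptop", "bob@deploy"},
    "alice": {"alice@laptop"},
}


def parse_offered_key(data):
    """Return (type, blob) for the first key-looking line in data, else None.

    Tolerates a trailing comment and blank lines; rejects anything that does
    not look like an OpenSSH public key line.
    """
    for line in data.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            return parts[0], parts[1]
    return None


def lookup(account, stdin_data):
    """Return the authorized_keys lines to hand back to sshd for this account."""
    owners = ALLOWED.get(account, set())
    offered = parse_offered_key(stdin_data)
    if offered is None:
        # Nothing usable on stdin (e.g. an unpatched sshd): fall back to the
        # classic behaviour of returning every key permitted for the account.
        # Design choice of this example, not something the patch specifies.
        return [line for owner, line in KEY_DB.values() if owner in owners]
    entry = KEY_DB.get(offered)
    if entry is None or entry[0] not in owners:
        return []
    # The key identifies exactly one owner, so one line is all sshd needs.
    return [entry[1]]


def main():
    account = sys.argv[1] if len(sys.argv) > 1 else ""
    # Drain stdin to EOF unconditionally, before any early exit.  The README
    # quoted in the thread warns that a command which does not fully consume
    # (or close) its stdin can deadlock the patched sshd, so never return
    # early on a bad argv or unknown account without reading everything.
    data = sys.stdin.read()
    for line in lookup(account, data):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

In sshd_config this would be wired up as usual: AuthorizedKeysCommand pointing at the script (root-owned, not group/world-writable) with AuthorizedKeysCommandUser set to an unprivileged account. Because the command returns only the line for the key actually offered, the same script can also encode per-key options (here bob's restricted line) without exposing every key for the account.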

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
