patch to send incoming key to AuthorizedKeysCommand via stdin

On Friday, March 21, 2014, Daniel Kahn Gillmor <dkg@xxxxxxxxxxxxxxxxx> wrote:
>
> On 03/21/2014 02:54 AM, Marc Haber wrote:
> > I would not do that in stdin as this precludes many standard commands
> > from being used here. How about environment variables for key,
> > fingerprint and probably comment?
>
> If you have the key, you don't need the fingerprint.
>
> Given that, i think authorizedkeyscommand only needs access to the key.

The problem with passing the key in an environment variable is a
potential for overflowing the available space (see the "limits on size
of arguments and environment" section on
http://man7.org/linux/man-pages/man2/execve.2.html).  Passing the
fingerprint may be a better option. If there is a fingerprint
collision then the AuthorizedKeysCommand can just print out all of
them and leave it up to sshd to find the exact match, which it already
does anyways.

In my use case of this feature I'm already storing the fingerprints
along with the keys in a database and my AuthorizedKeysCommand
performs the lookup based only on the fingerprint. In other words, not
having the full key would be fine. I realize this may not be the case
for everybody but maybe it's good enough?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
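
The fingerprint-keyed lookup described in the message above, sketched as an added example (not code from the post or from OpenSSH). The table layout, the function names, the SHA256 fingerprint format and the sample blobs are assumptions; the second row is constructed to simulate a fingerprint collision so that the final full-key comparison is visible.

```python
import base64
import hashlib
import sqlite3

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 public-key blob (assumed format)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def make_db(rows):
    """Hypothetical key store: keys filed under (username, fingerprint)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE keys (username TEXT, fp TEXT, keytype TEXT, blob TEXT)")
    db.execute("CREATE INDEX by_fp ON keys (username, fp)")
    db.executemany("INSERT INTO keys VALUES (?, ?, ?, ?)", rows)
    return db

def lookup(db, username, fp):
    """What the command would print: every key stored under this fingerprint.
    Bound parameters keep the lookup values out of the SQL text."""
    cur = db.execute(
        "SELECT keytype, blob FROM keys WHERE username = ? AND fp = ? ORDER BY rowid",
        (username, fp))
    return [f"{keytype} {blob}" for keytype, blob in cur]

def exact_match(lines, offered_b64):
    """Stand-in for sshd's last step: compare whole key blobs, not fingerprints."""
    return [line for line in lines if line.split()[1] == offered_b64]

# Constructed sample blobs; these are not real SSH keys.
KEY_A = base64.b64encode(b"constructed-key-blob-A").decode()
KEY_B = base64.b64encode(b"constructed-key-blob-B").decode()
KEY_C = base64.b64encode(b"constructed-key-blob-C").decode()

def demo():
    fp_a = fingerprint(KEY_A)
    db = make_db([
        ("alice", fp_a, "ssh-rsa", KEY_A),
        ("alice", fp_a, "ssh-rsa", KEY_B),  # constructed: simulated collision
        ("alice", fingerprint(KEY_C), "ssh-rsa", KEY_C),
    ])
    candidates = lookup(db, "alice", fp_a)   # both rows filed under fp_a
    accepted = exact_match(candidates, KEY_A)  # only the offered key survives
    return db, candidates, accepted

if __name__ == "__main__":
    _, candidates, accepted = demo()
    print("\n".join(candidates))
    print("accepted:", accepted)
```
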