On Friday, March 21, 2014, Daniel Kahn Gillmor <dkg@xxxxxxxxxxxxxxxxx> wrote:
>
> On 03/21/2014 02:54 AM, Marc Haber wrote:
> > I would not do that in stdin as this precludes many standard commands
> > from being used here. How about environment variables for key,
> > fingerprint and probably comment?
>
> If you have the key, you don't need the fingerprint.
>
> Given that, i think authorizedkeyscommand only needs access to the key.

The problem with passing the key in an environment variable is a potential for overflowing the available space (see the "limits on size of arguments and environment" section on http://man7.org/linux/man-pages/man2/execve.2.html).

Passing the fingerprint may be a better option. If there is a fingerprint collision then the AuthorizedKeysCommand can just print out all of them and leave it up to sshd to find the exact match, which it already does anyways.

In my use case of this feature I'm already storing the fingerprints along with the keys in a database and my AuthorizedKeysCommand performs the lookup based only on the fingerprint. In other words, not having the full key would be fine. I realize this may not be the case for everybody but maybe it's good enough?

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
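The fingerprint-keyed lookup described in the mail, as an added example that is not part of the thread or of OpenSSH: it assumes sshd hands the fingerprint of the offered key to the command as its only argument, uses an in-memory dict as a stand-in for the database, and returns every stored key with that fingerprint so that sshd makes the final match.

```python
#!/usr/bin/env python3
"""Fingerprint-keyed AuthorizedKeysCommand (constructed example)."""
import base64
import hashlib
import re
import struct
import sys

# Accept both fingerprint spellings: MD5 colon-hex and SHA256 base64 (no '=' padding).
FP_RE = re.compile(r"^(MD5:)?([0-9a-f]{2}:){15}[0-9a-f]{2}$|^SHA256:[A-Za-z0-9+/]{43}$")


def fingerprint(line: str, algo: str = "sha256") -> str:
    """Fingerprint of an authorized_keys line, computed over the decoded key blob."""
    blob = base64.b64decode(line.split()[1])
    if algo == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def add_key(db: dict, line: str) -> None:
    """Store a key under its fingerprint; colliding fingerprints share one bucket."""
    db.setdefault(fingerprint(line), []).append(line)


def lookup(db: dict, fp: str) -> list:
    """All stored key lines for a fingerprint; [] for unknown or malformed input."""
    if not FP_RE.match(fp):
        return []
    return list(db.get(fp, []))


def _blob(key_type: str, payload: bytes) -> str:
    """Length-prefixed SSH wire blob (constructed test data, not a real key)."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode()
    raw += struct.pack(">I", len(payload)) + payload
    return base64.b64encode(raw).decode()


# Constructed stand-in for the database mentioned in the mail.
KEY_A = f"ssh-ed25519 {_blob('ssh-ed25519', b'A' * 32)} alice@example"
KEY_B = f"ssh-ed25519 {_blob('ssh-ed25519', b'B' * 32)} bob@example"
DB: dict = {}
for _line in (KEY_A, KEY_B):
    add_key(DB, _line)

if __name__ == "__main__":
    # Assumed invocation: sshd passes the fingerprint as the only argument.
    matches = lookup(DB, sys.argv[1]) if len(sys.argv) == 2 else []
    print("\n".join(matches))
    sys.exit(0 if matches else 1)
```

Printing all keys in a collision bucket is safe because sshd still compares the full key against each returned line before accepting it.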