Hey,I use gitolite for git hosting on my server, and because I want to use kerberos authentication I patched OpenSSH to put the name of the kerberos principal name or the ssh fingerprint as environment variables so my ForceCommand script can use them to actually authorize the user by the principal/fingerprint.
It’s a bit annoying to keep my own patch and I thought it might be something that others might find useful too, so I thought I’d send an email to see if there would be any interest in including this upstream.
Both patches are attached, the kerberos principal being made by Sven Geggus, an the pubkey fingerprint one being written by me. Any comments on both would be well appreciated.
-- Sincerely, Johannes Löthberg PGP Key ID: 0x50FB9B273A9D0BB5 https://theos.kyriasis.com/~kyrias/
--- gss-serv-krb5.c.orig 2012-07-12 14:33:31.117551679 +0200
+++ gss-serv-krb5.c 2012-07-12 14:34:30.319020970 +0200
@@ -104,6 +104,11 @@
} else
retval = 0;
+#ifdef USE_PAM
+ if (options.use_pam)
+ do_pam_putenv("GSS_AUTH_KRB5_PRINC", (char *)client->displayname.value);
+#endif
+
krb5_free_principal(krb_context, princ);
return retval;
}
--- auth2-pubkey.c 2013-12-31 02:25:41.000000000 +0100
+++ auth2-pubkey.c 2014-08-06 03:08:06.841409407 +0200
@@ -409,6 +409,7 @@
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
debug("matching key found: file %s, line %lu %s %s",
file, linenum, key_type(found), fp);
+ do_pam_putenv("SSH_FINGERPRINT", fp);
free(fp);
break;
}
Attachment:
pgpFAv769QGTb.pgp
Description: PGP signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
