pubkey fingerprint and krb princ name in environment

Hey,

I use gitolite for git hosting on my server, and because I want to use Kerberos authentication I patched OpenSSH to put the name of the Kerberos principal or the SSH key fingerprint into environment variables, so that my ForceCommand script can use them to actually authorize the user by principal/fingerprint.

It's a bit annoying to keep my own patch, and I thought it might be something that others might find useful too, so I thought I'd send an email to see if there would be any interest in including this upstream.

Both patches are attached, the Kerberos principal one being made by Sven Geggus, and the pubkey fingerprint one being written by me. Any comments on both would be much appreciated.

--
Sincerely,
 Johannes Löthberg
 PGP Key ID: 0x50FB9B273A9D0BB5
 https://theos.kyriasis.com/~kyrias/
--- gss-serv-krb5.c.orig	2012-07-12 14:33:31.117551679 +0200
+++ gss-serv-krb5.c	2012-07-12 14:34:30.319020970 +0200
@@ -104,6 +104,11 @@
 	} else
 		retval = 0;
 
+#ifdef USE_PAM
+        if (options.use_pam)
+             do_pam_putenv("GSS_AUTH_KRB5_PRINC", (char *)client->displayname.value);
+#endif
+
 	krb5_free_principal(krb_context, princ);
 	return retval;
 }
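Review bot: the do_pam_putenv call sits after the `} else retval = 0;` branch but is not conditioned on retval, so the principal name is pushed into the PAM environment even on the path where this function has already decided the user is not OK; guard it with `if (retval)` so only a principal that passed the check ever reaches a session's environment. Two smaller points on the same lines: client->displayname.value is a GSS-API buffer whose length is carried separately, while do_pam_putenv is handed a plain `(char *)` and will treat it as NUL-terminated, so copy the buffer into a terminated, bounded string before exporting it rather than casting; and the added lines are indented with spaces where the surrounding file uses tabs.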
--- auth2-pubkey.c	2013-12-31 02:25:41.000000000 +0100
+++ auth2-pubkey.c	2014-08-06 03:08:06.841409407 +0200
@@ -409,6 +409,7 @@
 			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
 			debug("matching key found: file %s, line %lu %s %s",
 			    file, linenum, key_type(found), fp);
+			do_pam_putenv("SSH_FINGERPRINT", fp);
 			free(fp);
 			break;
 		}
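Review bot: this do_pam_putenv call has none of the `#ifdef USE_PAM` / `if (options.use_pam)` guarding the first patch uses, so a build without PAM has no do_pam_putenv to link against and a server running with UsePAM off still makes the call for nothing; wrap it the same way, e.g. `#ifdef USE_PAM if (options.use_pam) do_pam_putenv("SSH_FINGERPRINT", fp); #endif`. Note also that `fp` is freed on the very next line, so the export depends on do_pam_putenv copying the string rather than retaining the pointer, and that the value is the MD5 hex form produced by `key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX)`, which is what any consumer of SSH_FINGERPRINT has to match against; a short comment stating both would help whoever reads this later.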

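As an added example (not part of this post and not code from either patch), the kind of ForceCommand script the message describes: it reads GSS_AUTH_KRB5_PRINC and SSH_FINGERPRINT, the two variables the patches place into the PAM environment, maps the authenticated identity to a local user through an allow-list, fails closed when neither variable is present, and hands the session to gitolite-shell. The allow-list format, its sample entries (constructed), the gitolite-shell path and the FORCECOMMAND_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the post or the patches. A ForceCommand-style
# authorizer for gitolite that trusts only the two variables the patches put
# into the PAM environment: GSS_AUTH_KRB5_PRINC (Kerberos principal) and
# SSH_FINGERPRINT (MD5 hex fingerprint of the matched authorized key).
# Assumptions: the allow-list format below, the sample entries (constructed),
# the gitolite-shell path and the FORCECOMMAND_RUN switch are all hypothetical.

# Allow-list, one entry per line: "<krb|fp> <value> <local user>".
# In a deployment this would be read from a root-owned file instead.
ALLOWLIST='# type  value                                             user
krb  alice@EXAMPLE.ORG                                 alice
fp   43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8   bob
krb  host/build.example.org@EXAMPLE.ORG                ci'

# lookup_identity TYPE VALUE: print the local user for an exact match on both
# the type and the value, return 1 otherwise (a principal never matches an fp entry).
lookup_identity() {
    printf '%s\n' "$ALLOWLIST" | {
        while read -r t v u; do
            case $t in ''|'#'*) continue ;; esac   # skip blank and comment lines
            if [ "$t" = "$1" ] && [ "$v" = "$2" ]; then
                printf '%s\n' "$u"
                exit 0                              # leaves the pipeline subshell
            fi
        done
        exit 1                                      # no entry matched
    }
}

# resolve_user: choose the identity sshd established. A Kerberos principal takes
# precedence when present, otherwise the key fingerprint; neither means deny.
# Empty variables are treated as absent, so a session that authenticated by some
# other method (for example a password) is refused rather than mapped to a default.
resolve_user() {
    if [ -n "${GSS_AUTH_KRB5_PRINC:-}" ]; then
        lookup_identity krb "$GSS_AUTH_KRB5_PRINC"
    elif [ -n "${SSH_FINGERPRINT:-}" ]; then
        lookup_identity fp "$SSH_FINGERPRINT"
    else
        return 1
    fi
}

# Entry point when installed as "ForceCommand /path/to/this-script" in sshd_config.
# gitolite-shell takes the gitolite user name as its argument and reads the client's
# git command from SSH_ORIGINAL_COMMAND, which sshd sets under ForceCommand.
# Guarded by FORCECOMMAND_RUN so the functions above can be exercised without sshd.
if [ "${FORCECOMMAND_RUN:-0}" = 1 ]; then
    if user=$(resolve_user); then
        exec /home/git/bin/gitolite-shell "$user"
    fi
    echo "access denied: no authorized Kerberos principal or key fingerprint in environment" >&2
    exit 1
fi
```

The allow-list is keyed on the exact MD5 hex fingerprint string the patched auth2-pubkey.c exports, so entries must use that format rather than the base64 SHA-256 form newer ssh-keygen prints. Because sshd has already authenticated the key or the ticket before the ForceCommand runs, the script only decides which local identity that authenticated credential is allowed to act as, and it denies when it cannot tell.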

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
