On Tue, 2 Jun 2015, György Demarcsek Ifj. wrote:

> Dear OpenSSH Developers,
>
> I would like to propose a patch to OpenSSH for Linux. In the recent few
> months, I have encountered a scenario where a PAM module used for
> authentication in SSH should be informed about the previous successful
> authentication methods. I described the complete scenario here:
> http://serverfault.com/questions/690038/openssh-two-factor-authentication-combined-with-kerberos-public-key

I've wanted to expose more information about how the user authenticated
to the environment for a while, but I think that if we do it then we
should include (at least) key fingerprints too. Something like:

SSH_USER_AUTH=hostbased RSA SHA256:Iw75Ex+Re8WyIjqHEukxHtwz2weTFTBLPD2J9doYEfU, publickey CA ED25519 SHA256:rLKEbjpoN2+kuMQB7EiPqaeHut65ZfSe/z1EaWtKEmk Cert ID djm@xxxxxxxxxxx Serial 27908739, password

We could probably expose this to PAM as well, as SSH_COMPLETED_AUTH or
similar.

Could you please file a bug at https://bugzilla.mindrot.org/ to track
this feature?

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
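
An added example, not part of the original message and not OpenSSH code: a strict parser and policy check for a value shaped like the SSH_USER_AUTH sketch in the message, as a session-side consumer might use it to confirm that both factors completed. The field layout is inferred from that one sketch, and the names parse_auth_info and satisfies, the ", " separator rule and the reading of "CA" as marking a CA key fingerprint are assumptions.

```python
import re

# Constructed sample: the value sketched in the message (address redacted as on the page).
SAMPLE = (
    "hostbased RSA SHA256:Iw75Ex+Re8WyIjqHEukxHtwz2weTFTBLPD2J9doYEfU, "
    "publickey CA ED25519 SHA256:rLKEbjpoN2+kuMQB7EiPqaeHut65ZfSe/z1EaWtKEmk "
    "Cert ID djm@xxxxxxxxxxx Serial 27908739, password"
)
METHODS = {"hostbased", "publickey", "password", "keyboard-interactive", "gssapi-with-mic"}
FINGERPRINT = re.compile(r"SHA256:[A-Za-z0-9+/]{43}")  # unpadded base64 of 32 bytes


def parse_auth_info(value):
    """Split the sketched value into one dict per completed method.

    Assumption: entries are separated by ", " and no field contains it.
    Anything that does not match the sketched layout is rejected, not guessed at.
    """
    entries = []
    for raw in value.split(", "):
        tokens = raw.split()
        if not tokens or tokens[0] not in METHODS:
            raise ValueError(f"unrecognised entry: {raw!r}")
        entry = {"method": tokens[0], "ca": False, "key_type": None,
                 "fingerprint": None, "cert_id": None, "serial": None}
        rest = tokens[1:]
        if rest:  # key-based entry: [CA] <type> <fingerprint> [Cert ID <id> Serial <n>]
            if rest[0] == "CA":
                entry["ca"], rest = True, rest[1:]
            if len(rest) < 2 or not FINGERPRINT.fullmatch(rest[1]):
                raise ValueError(f"bad key description: {raw!r}")
            entry["key_type"], entry["fingerprint"], rest = rest[0], rest[1], rest[2:]
        if rest:  # certificate details follow the fingerprint
            if (rest[:2] != ["Cert", "ID"] or len(rest) < 5
                    or rest[-2] != "Serial" or not rest[-1].isdigit()):
                raise ValueError(f"bad certificate description: {raw!r}")
            entry["cert_id"], entry["serial"] = " ".join(rest[2:-2]), int(rest[-1])
        entries.append(entry)
    return entries


def satisfies(entries, required_methods, trusted_ca_fingerprints=()):
    """True if every required method completed and, when CA fingerprints are
    given, a publickey entry carries one of them (assumed meaning of "CA")."""
    if not set(required_methods) <= {e["method"] for e in entries}:
        return False
    if not trusted_ca_fingerprints:
        return True
    return any(e["method"] == "publickey" and e["ca"]
               and e["fingerprint"] in trusted_ca_fingerprints for e in entries)
```

Because the certificate ID is free text, a consumer of a format like this should reject input that does not parse cleanly instead of matching substrings such as "password" anywhere in the value.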