On Wed, 26 Apr 2017 10:52:07 +0200 Jakub Jelen <jjelen@xxxxxxxxxx> wrote:

JJ> > There are environment variables SSH_CLIENT and SSH_CONNECTION
JJ> > with information about the client of the current session.
JJ> >
JJ> > I want to implement new variables with info about the credentials used for session authentication.
JJ> > Such as:
JJ> >
JJ> > SSH_CLIENT_CERT
JJ> > SSH_CLIENT_CERT_ID
JJ> > SSH_CLIENT_CERT_PRINCIPALS
JJ> >
JJ> > SSH_CLIENT_PUBKEY
JJ> > SSH_CLIENT_PUBKEY_FINGERPRINT
JJ> >
JJ> > Some of that information is available in logs but not inside the session.
JJ> > Is there a good reason why it's not implemented yet?
JJ> > Do I need to hold myself from writing it? =)
JJ>
JJ> A very similar thing was already implemented by and waits for review, more
JJ> use cases or higher interest by users:
JJ>
JJ> https://bugzilla.mindrot.org/show_bug.cgi?id=2408
JJ>
JJ> This creates the variable SSH_USER_AUTH which contains all the successfully
JJ> used authentication methods with all the needed information. It also
JJ> provides configuration options to expose this information to PAM (for
JJ> possible additional authentication methods outside of SSH) or to the user
JJ> session.
JJ>
JJ> Rather than implementing something new, it would be better to work on
JJ> improving this feature to suit your needs and merging it upstream.

Thank you for pointing me in the right direction.

After reading the patch I see now it's not so easy because of privilege separation. Also PAM support will be usable in many more use cases.

I cannot provide a review from a security standpoint, but I plan to test the shell use case and enhance it if needed.

My use case: use sshd for authentication but expose the verified pubkey/certificate to an API server application for sophisticated authorization by role-based access control. PAM is not used for several reasons.

Regards,
--
Anton Worshevsky
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
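The following is an added illustration of the consumer side of Anton's use case; it is not code from the thread, from OpenSSH, or from the bugzilla patch. It assumes the proposed SSH_CLIENT_PUBKEY variable exists and carries an authorized_keys-style line (stock OpenSSH does not set such a variable; only SSH_CLIENT and SSH_CONNECTION are real). It parses the real SSH_CONNECTION format ("client_ip client_port server_ip server_port"), computes the OpenSSH-style SHA256 fingerprint of a public key blob, rejects a key line whose declared type disagrees with the type embedded in the blob, and maps the fingerprint to an application role. The key material and the role table are constructed for the example.

```python
"""Application-side handling of SSH session metadata for role-based access.

Added illustration, not OpenSSH code. SSH_CLIENT_PUBKEY is the variable
*proposed* in the thread; stock OpenSSH does not set it. SSH_CONNECTION is a
real variable whose documented format is
"client_ip client_port server_ip server_port".
"""
import base64
import hashlib
import os
import struct
from typing import Optional, Tuple


def parse_ssh_connection(value: str) -> Tuple[str, int, str, int]:
    """Parse SSH_CONNECTION into (client_ip, client_port, server_ip, server_port)."""
    parts = value.split()
    if len(parts) != 4:
        raise ValueError("SSH_CONNECTION must have exactly four fields")
    return parts[0], int(parts[1]), parts[2], int(parts[3])


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Parse '<type> <base64 blob> [comment]'.

    The blob's first wire string is the key type; if it does not match the
    declared type the line is rejected rather than silently trusted.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    embedded_type, _ = _read_string(blob, 0)
    if embedded_type.decode("ascii", errors="replace") != key_type:
        raise ValueError("declared key type does not match the blob")
    return key_type, blob


def fingerprint_of(line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def constructed_ed25519_line(fill_byte: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from a
    constructed 32-byte value. Not a real key; it only lets the example run offline."""
    key_bytes = bytes([fill_byte]) * 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed role table keyed by fingerprint, as an API server might keep it.
ROLE_BY_FINGERPRINT = {
    fingerprint_of(constructed_ed25519_line(0x01, "deploy@example")): "deployer",
    fingerprint_of(constructed_ed25519_line(0x02, "auditor@example")): "read-only",
}


def authorize(pubkey_line: Optional[str]) -> Optional[str]:
    """Map the presented public key to a role; missing, malformed or unknown keys get none."""
    if not pubkey_line:
        return None
    try:
        return ROLE_BY_FINGERPRINT.get(fingerprint_of(pubkey_line))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed fallback values so the script also runs outside an SSH session.
    conn = os.environ.get("SSH_CONNECTION", "203.0.113.5 51234 198.51.100.7 22")
    print("client:", parse_ssh_connection(conn)[:2])
    print("role:", authorize(os.environ.get("SSH_CLIENT_PUBKEY")))
```

Keying the role table on the fingerprint rather than on the key comment matters: the comment is free text chosen by whoever wrote the key line, whereas the fingerprint is derived from the key material sshd actually verified.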