Re: sshd: SSH_CLIENT_CERT and SSH_CLIENT_PUBKEY env variables

On Wed, 26 Apr 2017 10:52:07 +0200
Jakub Jelen <jjelen@xxxxxxxxxx> wrote:

JJ> > There are environment variables SSH_CLIENT and SSH_CONNECTION
JJ> > with information about the client of the current session.
JJ> > 
JJ> > I want to implement new variables with info about the credentials used for session authentication.
JJ> > Such as:
JJ> > 
JJ> > SSH_CLIENT_CERT
JJ> > SSH_CLIENT_CERT_ID
JJ> > SSH_CLIENT_CERT_PRINCIPALS
JJ> > 
JJ> > SSH_CLIENT_PUBKEY
JJ> > SSH_CLIENT_PUBKEY_FINGERPRINT
JJ> > 
JJ> > Some of that information is available in the logs but not inside the session.
JJ> > Is there a good reason why it's not implemented yet?
JJ> > Do I need to hold myself back from writing it? =)
JJ> 
JJ> A very similar thing was already implemented by and is waiting for review, more 
JJ> use cases or higher interest from users:
JJ> 
JJ> https://bugzilla.mindrot.org/show_bug.cgi?id=2408
JJ> 
JJ> This creates a variable SSH_USER_AUTH which contains all the successfully 
JJ> used authentication methods with all the needed information. It also 
JJ> provides configuration options to expose this information to PAM (for 
JJ> possible additional authentication methods outside of SSH) or to the user 
JJ> session.
JJ> 
JJ> Rather than implementing something new, it would be better to work on 
JJ> improving this feature to suit your needs and merging it upstream.

Thank you for pointing me in the right direction.

After reading the patch I see now that it's not so easy because of privilege separation.
Also, PAM support will be usable in many more use cases.
I cannot provide a review from a security standpoint, 
but I plan to test the shell use case and enhance it if needed.

My use case:
use sshd for authentication,
but expose the verified pubkey/certificate to an API server application
for sophisticated authorization by role-based access control.
PAM is not used for several reasons.

Regards,

--

Anton Worshevsky

Attachment: signature.asc
Description: PGP signature
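The use case above (sshd authenticates, an application authorizes on the certificate's principals) needs the application to decode the OpenSSH certificate that sshd already verified. The following is an added example, not code from this thread, from sshd, or from the bug 2408 patch. It assumes the certificate reaches the application in the same form as a `*-cert.pub` line (`<type> <base64> [comment]`), that the value was set by sshd rather than by the client (a client-controlled environment variable, e.g. via PermitUserEnvironment, must not be trusted this way), and that the application therefore does not re-verify the CA signature itself. The role map, key id and principals are constructed for the demonstration; the wire layout follows PROTOCOL.certkeys.

```python
"""Decode an OpenSSH user certificate and map its principals to application roles.
Added example; assumes sshd has already verified the certificate's CA signature."""
import base64
import struct
import time

# Number of public-key component strings that follow the nonce, per cert type
# (PROTOCOL.certkeys): ed25519 pk; RSA e,n; ECDSA curve,point; DSA p,q,g,y.
PUBKEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,
    "ssh-rsa-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
    "ssh-dss-cert-v01@openssh.com": 4,
}
SSH_CERT_TYPE_USER = 1  # type 2 is a host certificate


def _s(b):
    """Encode an SSH wire 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Cursor over SSH wire-format data (string / uint32 / uint64)."""
    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def _take(self, n):
        if self.off + n > len(self.buf):
            raise ValueError("truncated certificate")
        v = self.buf[self.off:self.off + n]
        self.off += n
        return v

    def u32(self): return struct.unpack(">I", self._take(4))[0]
    def u64(self): return struct.unpack(">Q", self._take(8))[0]
    def string(self): return self._take(self.u32())
    def done(self): return self.off == len(self.buf)


def _unpack_strings(buf):
    """'valid principals' is a string holding zero or more packed strings."""
    r, out = _Reader(buf), []
    while not r.done():
        out.append(r.string().decode())
    return out


def _unpack_options(buf):
    """Critical options / extensions: repeated (name, data); data is empty or one wrapped string."""
    r, out = _Reader(buf), {}
    while not r.done():
        name, data = r.string().decode(), r.string()
        out[name] = _Reader(data).string().decode() if data else ""
    return out


def parse_cert(cert_line):
    parts = cert_line.split()
    b64 = parts[1] if len(parts) > 1 and parts[0] in PUBKEY_FIELDS else parts[0]
    r = _Reader(base64.b64decode(b64))
    ktype = r.string().decode()
    if ktype not in PUBKEY_FIELDS:
        raise ValueError("not an OpenSSH certificate: " + ktype)
    r.string()                                # nonce
    for _ in range(PUBKEY_FIELDS[ktype]):     # public key components, not needed for RBAC
        r.string()
    cert = {"type_name": ktype, "serial": r.u64(), "cert_type": r.u32(),
            "key_id": r.string().decode(), "principals": _unpack_strings(r.string()),
            "valid_after": r.u64(), "valid_before": r.u64(),
            "critical_options": _unpack_options(r.string()),
            "extensions": _unpack_options(r.string())}
    r.string()                                # reserved
    r.string()                                # signature key (the CA)
    r.string()                                # signature: trusted only because sshd verified it
    if not r.done():
        raise ValueError("trailing data after signature")
    return cert


def roles_for(cert, role_map, now=None):
    """RBAC decision: roles granted by the cert's principals; an empty set means deny.
    Validity is checked as valid_after <= now < valid_before, as sshd does."""
    now = int(time.time()) if now is None else now
    if cert["cert_type"] != SSH_CERT_TYPE_USER:
        return set()
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return set()
    return {role for p in cert["principals"] for role in role_map.get(p, ())}


def build_sample_cert(key_id, principals, valid_after, valid_before):
    """Constructed ed25519 user cert with dummy key and signature bytes (parser input only)."""
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(b"\x00" * 32) + _s(b"\x11" * 32)
            + struct.pack(">QI", 42, SSH_CERT_TYPE_USER)
            + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"")                                   # no critical options
            + _s(_s(b"permit-pty") + _s(b""))           # one flag extension
            + _s(b"") + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32))
            + _s(_s(b"ssh-ed25519") + _s(b"\x33" * 64)))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " constructed"


ROLE_MAP = {"deploy": {"deployer"}, "ops": {"deployer", "admin"}}  # constructed policy

if __name__ == "__main__":
    c = parse_cert(build_sample_cert("anton@example", ["anton", "deploy"], 1000, 2000))
    print(c["key_id"], c["principals"], sorted(roles_for(c, ROLE_MAP, now=1500)))
```

Authorization keys off the principals, not the key id: the key id is a free-form label the CA writes for logging, whereas principals are what sshd matches against the login name or AuthorizedPrincipalsFile. Until the session exposes the certificate, the same decoding works on the line an AuthorizedKeysCommand or ssh-keygen -L receives.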

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
