Hi, I'm not quite sure this is the right place to propose this patch. If there is a better place, could you give me a hint where to propose it? Thanks,

On Fri, 9 Nov 2018 at 16:06, Jean-Tiare LE BIGOT <jean-tiare.le-bigot@xxxxxxxxxxxx> wrote:
> We can already inject 'from=' restrictions in the output of
> ``AuthorizedKeyCommand`` but we can not change the behavior of this
> command based on the source address.
>
> With the source address, it is possible for example to build a "Trust on
> first use" mechanism similar to the ``StrictHostKeyChecking=accept-new``
>
> This is useful in scenarios where a cluster of computers is
> automatically provisioned in a trusted environment and then sent into the
> field.
>
> Signed-off-by: Jean-Tiare Le Bigot <jean-tiare.le-bigot@xxxxxxxxxxxx>
> ---
> auth2-pubkey.c | 1 +
> sshd_config.5 | 4 +++-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/auth2-pubkey.c b/auth2-pubkey.c
> index 2fb5950e..b61706e8 100644
> --- a/auth2-pubkey.c
> +++ b/auth2-pubkey.c
> @@ -933,6 +933,7 @@ user_key_command_allowed2(struct ssh *ssh, struct
> passwd *user_pw,
> "t", sshkey_ssh_name(key),
> "f", key_fp,
> "k", keytext,
> + "a", ssh_remote_ipaddr(ssh),
> (char *)NULL);
> if (tmp == NULL)
> fatal("%s: percent_expand failed", __func__);
> diff --git a/sshd_config.5 b/sshd_config.5
> index c6484370..61dd180c 100644
> --- a/sshd_config.5
> +++ b/sshd_config.5
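Review bot: the value bound to the new `a` token, `ssh_remote_ipaddr(ssh)`, is the address of the TCP peer sshd accepted the connection from, not anything the client has authenticated, so a command that makes a trust-on-first-use decision on it (the use case in the commit message) pins keys per peer address; behind a TCP proxy or load balancer every client arrives with the proxy's address and the first key seen would be pinned for all of them. That is acceptable for the stated provisioning scenario, but it should be spelled out in the man page entry rather than left implicit. Also, the expansion is added only in user_key_command_allowed2, i.e. for AuthorizedKeysCommand, which matches the sshd_config.5 hunk documenting the token for that option alone; if the token is meant to be general it needs adding wherever the other command expansions are built.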
> @@ -1773,10 +1773,12 @@ The key or certificate type.
> The numeric user ID of the target user.
> .It %u
> The username.
> +.It %a
> +The connection source IP address.
> .El
> .Pp
> .Cm AuthorizedKeysCommand
> -accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
> +accepts the tokens %%, %f, %h, %k, %t, %U, %u and %a.
> .Pp
> .Cm AuthorizedKeysFile
> accepts the tokens %%, %h, %U, and %u.
> --
> 2.17.1

-- 
Jean-Tiare Le Bigot

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
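Review bot: the rewritten token list breaks the existing style: the line being replaced reads `accepts the tokens %%, %f, %h, %k, %t, %U, and %u.` (alphabetical order, serial comma), whereas the replacement `accepts the tokens %%, %f, %h, %k, %t, %U, %u and %a.` appends %a out of order and drops the comma; it should read `accepts the tokens %%, %a, %f, %h, %k, %t, %U, and %u.`. The same applies to the new `.It %a` entry, which is inserted after `.It %u` although the neighbouring entries (%t, %U, %u) are alphabetical; it belongs at the head of the list. Finally, `The connection source IP address.` should say whose address this is (the remote end of the TCP connection as sshd sees it, so a proxy's address when one sits in the path), since that is precisely what the trust-on-first-use use case in the commit message depends on.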
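A trust-on-first-use AuthorizedKeysCommand of the kind the commit message describes, as an added example: this is not the patch author's code and nothing like it ships with OpenSSH. It assumes the `%a` token from the patch, a hypothetical sshd_config pair `AuthorizedKeysCommand /usr/local/sbin/tofu-keys %u %t %k %a` plus a dedicated `AuthorizedKeysCommandUser`, and a state-file path of its own choosing; the key material in the sample offers is made up.

```python
#!/usr/bin/env python3
"""Trust-on-first-use AuthorizedKeysCommand keyed on the connection source address.

Assumed (hypothetical) sshd_config:

    AuthorizedKeysCommand /usr/local/sbin/tofu-keys %u %t %k %a
    AuthorizedKeysCommandUser tofu

sshd runs the command once per key the client offers and treats every line
printed on stdout as an authorized_keys line; printing nothing refuses the key.
"""
import fcntl
import json
import os
import sys

# Where pins are kept (an assumption); must be writable only by the command user.
STATE_FILE = os.environ.get("TOFU_STATE_FILE", "/var/lib/tofu-keys/pins.json")

# Key types, as %t (sshkey_ssh_name) reports them, that may be pinned at all.
ALLOWED_TYPES = {
    "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "ssh-rsa",
}


def decide(pins, user, ktype, keytext, addr):
    """Apply the TOFU policy to one offered key.

    pins maps "user@addr" -> "ktype keytext" and is updated in place.
    Returns (lines, changed): the lines to print for sshd (empty = refuse)
    and whether pins changed and must be written back.
    """
    if ktype not in ALLOWED_TYPES or not keytext or any(c.isspace() for c in keytext):
        return [], False  # unknown type or malformed key text: never pin it
    pin_id = f"{user}@{addr}"
    offered = f"{ktype} {keytext}"
    known = pins.get(pin_id)
    changed = False
    if known is None:
        # First contact from this address: pin whatever key is offered.  This is
        # the TOFU trade-off: whoever reaches sshd first from this address wins,
        # so it is only acceptable while the network is still trusted.
        pins[pin_id] = known = offered
        changed = True
    if known != offered:
        # A pinned address presents a different key: refuse and never re-pin.
        # Re-provisioning a node means an administrator deleting its pin.
        print(f"tofu-keys: refusing {ktype} key from {pin_id}: another key is pinned",
              file=sys.stderr)
        return [], changed
    # Repeat the address binding as a from= restriction on the line itself, so
    # sshd enforces it even if this command is later swapped for a static file.
    return [f'from="{addr}" {known}'], changed


# Constructed sequence of offers (user, type, key, address); the keys are made up.
SAMPLE_OFFERS = [
    ("node", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne", "192.0.2.10"),
    ("node", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne", "192.0.2.10"),  # same key again: ok
    ("node", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo", "192.0.2.10"),  # swapped key: refused
    ("node", "ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo", "192.0.2.11"),  # new address: pinned
    ("node", "ssh-dss", "AAAAB3NzaC1kc3MAAACBAExampleDsa", "192.0.2.12"),              # type not allowed
]


def replay(offers):
    """Run decide() over a sequence of offers against fresh state; True = authorized."""
    pins = {}
    return [bool(decide(pins, *offer)[0]) for offer in offers]


def main(argv):
    if len(argv) != 5:
        print("usage: tofu-keys %u %t %k %a", file=sys.stderr)
        return 2
    user, ktype, keytext, addr = argv[1:]
    os.makedirs(os.path.dirname(STATE_FILE), mode=0o700, exist_ok=True)
    with open(STATE_FILE, "a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)  # serialise concurrent first-contact races
        fh.seek(0)
        raw = fh.read()
        pins = json.loads(raw) if raw.strip() else {}
        lines, changed = decide(pins, user, ktype, keytext, addr)
        if changed:
            fh.seek(0)
            fh.truncate()
            json.dump(pins, fh, indent=1)
            fh.flush()
            os.fsync(fh.fileno())
    for line in lines:
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The policy is deliberately one-way: a pin is created on first contact and never overwritten by the command, so a node that changes keys is locked out until an operator removes its pin, and an unknown key type is refused even on first sight. The caveats are the ones the patch itself implies: the first connection from an address is unauthenticated, an address is a weak identity (NAT, DHCP reuse, a proxy in the path all collapse distinct machines onto one pin), and the state file must be writable by the AuthorizedKeysCommandUser only.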