
Bug#740494: openssh-server: Additional arguments for AuthorizedKeysCommand



Package: openssh-server
Version: 1:6.5p1-5
Severity: wishlist
Tags: upstream patch

Dear Maintainer,

I would like sshd to pass some more arguments to the AuthorizedKeysCommand
in order to print the authorized keys in a more intelligent manner.

I was thinking of the GitHub case, i.e. lots of "real" users want to
authenticate as the git user, which is currently not feasible because the only
argument to the AuthorizedKeysCommand is the username being authenticated,
which is "git" for everybody. To allow everyone to authenticate as the git
user, the AuthorizedKeysCommand has to print all the public keys of all the
"real" users to standard output and sshd in turn has to parse all those keys
and match them against the key that is used for authentication.

This patch passes two additional arguments to the AuthorizedKeysCommand:
- the type of the key used for authentication, e.g. "ssh-rsa",
- the MD5 fingerprint of the key used for authentication

This allows the AuthorizedKeysCommand to print only a small subset of the
public keys.

I also submitted this patch to upstream:
https://bugzilla.mindrot.org/show_bug.cgi?id=2081

Cheers
Florian


-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-486
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser              3.113+nmu3
ii  dpkg                 1.16.12
ii  init-system-helpers  1.17
ii  libc6                2.13-38+deb7u1
ii  libcomerr2           1.42.5-1.1
ii  libgssapi-krb5-2     1.10.1+dfsg-5+deb7u1
ii  libkrb5-3            1.10.1+dfsg-5+deb7u1
ii  libpam-modules       1.1.3-7.1
ii  libpam-runtime       1.1.3-7.1
ii  libpam0g             1.1.3-7.1
ii  libselinux1          2.1.9-5
ii  libssl1.0.0          1.0.1e-2+deb7u4
ii  libwrap0             7.6.q-24
ii  lsb-base             4.1+Debian8+deb7u1
ii  openssh-client       1:6.5p1-5
ii  openssh-sftp-server  1:6.5p1-5
ii  procps               1:3.3.3-3
ii  zlib1g               1:1.2.7.dfsg-13

Versions of packages openssh-server recommends:
ii  ncurses-term  5.9-10
ii  xauth         1:1.0.7-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- no debconf information
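
An added example (not part of the report or of OpenSSH): a lookup helper written for the three-argument interface the report proposes. It validates the key type and MD5 fingerprint arguments and prints only the matching authorized_keys lines. The key store, its placeholder key blobs and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import re
import struct
import sys

# Accept only the shapes the patch documents for arguments 2 and 3.
FP_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){15}")
TYPE_RE = re.compile(r"[a-z0-9@.-]{1,64}")

def md5_fingerprint(key_line):
    """Return (key type, colon-separated MD5 hex) for 'type base64 [comment]'.
    Assumes the line carries no options prefix."""
    key_type, b64 = key_line.split()[:2]
    digest = hashlib.md5(base64.b64decode(b64, validate=True)).hexdigest()
    return key_type, ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def _sample_line(key_type, filler, owner):
    # Constructed placeholder blob: length-prefixed type name plus filler bytes.
    name = key_type.encode()
    blob = struct.pack(">I", len(name)) + name + filler
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), owner)

# Constructed key store: account name -> authorized_keys lines of the real users.
STORE = {"git": [_sample_line("ssh-rsa", b"\x01" * 32, "alice"),
                 _sample_line("ssh-rsa", b"\x02" * 32, "bob"),
                 _sample_line("ssh-dss", b"\x03" * 32, "carol")]}

def build_index(store):
    """Map (account, key type, fingerprint) to the lines carrying that key."""
    index = {}
    for account, lines in store.items():
        for line in lines:
            index.setdefault((account,) + md5_fingerprint(line), []).append(line)
    return index

def lookup(index, username, key_type, fingerprint):
    """Lines to print for one sshd invocation; [] on malformed or unknown input."""
    if not TYPE_RE.fullmatch(key_type) or not FP_RE.fullmatch(fingerprint):
        return []
    return index.get((username, key_type, fingerprint), [])

def main(argv):
    if len(argv) != 4:  # program name plus the three proposed arguments
        return 1
    matches = lookup(build_index(STORE), *argv[1:])
    sys.stdout.write("".join(line + "\n" for line in matches))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The helper prints complete key lines, so sshd still compares the offered key against the output; the fingerprint only narrows what is printed.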
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 7c56927..9203f53 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -512,7 +512,8 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 	struct stat st;
 	int status, devnull, p[2], i;
 	pid_t pid;
-	char *username, errmsg[512];
+	char *username, errmsg[512], *key_fp;
+	const char *key_type_name;
 
 	if (options.authorized_keys_command == NULL ||
 	    options.authorized_keys_command[0] != '/')
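Review bot: key_fp is declared without an initialiser in the new declaration line, while the rest of the patch releases it with two separately placed free(key_fp) calls. Initialise it to NULL at the declaration so that a single free at the function's exit label becomes safe, including for the `goto out` paths that run before the fingerprint is computed.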
@@ -552,8 +553,15 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 		goto out;
 	}
 
-	debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
-	    options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
+	key_type_name = key_ssh_name(key);
+	if (key_type_name == NULL)
+		key_type_name = "ssh-unknown";
+
+	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+
+	debug3("Running AuthorizedKeysCommand: \"%s %s %s %s\" as \"%s\"",
+	    options.authorized_keys_command, user_pw->pw_name,
+	    key_type_name, key_fp, pw->pw_name);
 
 	/*
 	 * Don't want to call this in the child, where it can fatal() and
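Review bot: the return value of key_fingerprint() is passed straight to debug3() and later to execl() with no NULL check, unlike key_ssh_name() a few lines above it, which gets a fallback. A NULL in the execl() argument list would end the list early, so the helper would silently receive fewer arguments; check key_fp and bail out before forking. SSH_FP_MD5 is also hard-coded here, which ties the helper interface to MD5; consider making the hash selectable.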
@@ -566,6 +574,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 		error("%s: fork: %s", __func__, strerror(errno));
 		close(p[0]);
 		close(p[1]);
+		free(key_fp);
 		return 0;
 	case 0: /* child */
 		for (i = 0; i < NSIG; i++)
@@ -602,7 +611,8 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 		}
 
 		execl(options.authorized_keys_command,
-		    options.authorized_keys_command, user_pw->pw_name, NULL);
+		    options.authorized_keys_command, user_pw->pw_name,
+		    key_type_name, key_fp, NULL);
 
 		error("AuthorizedKeysCommand %s exec failed: %s",
 		    options.authorized_keys_command, strerror(errno));
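Review bot: the execl() call now passes the key type and fingerprint unconditionally, so every already deployed AuthorizedKeysCommand starts receiving three arguments instead of one. Helpers that check their argument count or forward all arguments to another tool will change behaviour; make the extra arguments opt-in, for example through a configuration option, and keep the single-argument call as the default.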
@@ -614,6 +624,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
 	temporarily_use_uid(pw);
 
 	close(p[1]);
+	free(key_fp);
 	if ((f = fdopen(p[0], "r")) == NULL) {
 		error("%s: fdopen: %s", __func__, strerror(errno));
 		close(p[0]);
diff --git a/sshd_config.0 b/sshd_config.0
index 5962b02..a7b9d3b 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -107,14 +107,22 @@ DESCRIPTION
      AuthorizedKeysCommand
              Specifies a program to be used to look up the user's public keys.
              The program must be owned by root and not writable by group or
-             others.  It will be invoked with a single argument of the
-             username being authenticated, and should produce on standard
-             output zero or more lines of authorized_keys output (see
-             AUTHORIZED_KEYS in sshd(8)).  If a key supplied by
-             AuthorizedKeysCommand does not successfully authenticate and
-             authorize the user then public key authentication continues using
-             the usual AuthorizedKeysFile files.  By default, no
-             AuthorizedKeysCommand is run.
+             others.  It will be invoked with three arguments and should
+             produce on standard output zero or more lines of authorized_keys
+             output (see AUTHORIZED_KEYS in sshd(8)).
+
+             The arguments to the command are:
+                   1. the username being authenticated,
+                   2. the type of the key used for authentication, for example,
+                      ``ssh-rsa'', ``ssh-dss'', ``ssh-unknown'',
+                   3. the MD5 fingerprint of the key used for authentication,
+                      for example,
+                      ``a5:67:0e:55:e6:ca:fb:e8:38:58:1a:bc:1a:a9:42:be''.
+
+             If a key supplied by AuthorizedKeysCommand does not successfully
+             authenticate and authorize the user then public key authentication
+             continues using the usual AuthorizedKeysFile files.  By default,
+             no AuthorizedKeysCommand is run.
 
      AuthorizedKeysCommandUser
              Specifies the user under whose account the AuthorizedKeysCommand
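Review bot: the example list for argument 2 puts ``ssh-unknown'' next to ``ssh-rsa'' and ``ssh-dss'' as if it were a key type, but in auth2-pubkey.c it is the fallback used when key_ssh_name() returns NULL. Say so explicitly, so helper authors know to print nothing for it rather than look it up.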
diff --git a/sshd_config.5 b/sshd_config.5
index 496530b..62e7711 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -224,10 +224,24 @@ of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.
 The program must be owned by root and not writable by group or others.
-It will be invoked with a single argument of the username
-being authenticated, and should produce on standard output zero or
-more lines of authorized_keys output (see AUTHORIZED_KEYS in
+It will be invoked with three arguments and should produce on standard output
+zero or more lines of authorized_keys output (see AUTHORIZED_KEYS in
 .Xr sshd 8 ) .
+.Pp
+The arguments to the command are:
+.Bl -enum -width 1m -offset Ds -compact
+.It
+the username being authenticated,
+.It
+the type of the key used for authentication, for example,
+.Dq ssh-rsa ,
+.Dq ssh-dss ,
+.Dq ssh-unknown ,
+.It
+the MD5 fingerprint of the key used for authentication, for example,
+.Dq a5:67:0e:55:e6:ca:fb:e8:38:58:1a:bc:1a:a9:42:be .
+.El
+.Pp
 If a key supplied by AuthorizedKeysCommand does not successfully authenticate
 and authorize the user then public key authentication continues using the usual
 .Cm AuthorizedKeysFile
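Review bot: the new argument list does not say how a helper should treat the fingerprint in argument 3. State that it is only a hint for narrowing the output: the helper must still print complete authorized_keys lines, and sshd decides by matching those lines against the offered key, as the unchanged sentence after the list implies. Also spell out the format (hex bytes separated by colons, as in the example) instead of leaving it to the example alone.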
