Bug#740494: openssh-server: Additional arguments for AuthorizedKeysCommand
On Sun, Mar 02, 2014 at 12:38:18PM +0100, Florian Zimmermann wrote:
> I would like sshd to pass some more arguments to the AuthorizedKeysCommand
> in order to print the authorized keys in a more intelligent manner.
>
> I was thinking of the Github case, i.e. lots of "real" users want to
> authenticate as the git user, which is currently not feasible because the only
> argument to the AuthorizedKeysCommand is the username being authenticated,
> which is "git" for everybody. To allow everyone to authenticate as the git
> user, the AuthorizedKeysCommand has to print all the public keys of all the
> "real" users to standard output and sshd in turn has to parse all those keys
> and match them against the key that is used for authentication.
>
> This patch passes two additional arguments to the AuthorizedKeysCommand:
> - the type of the key used for authentication, e.g. "ssh-rsa",
> - the MD5 fingerprint of the key used for authentication
>
> This allows the AuthorizedKeysCommand to print only a small subset of the
> public keys.
>
> I also submitted this patch to upstream:
> https://bugzilla.mindrot.org/show_bug.cgi?id=2081

Thanks for the patch. Just by way of setting expectations, I wouldn't
take this kind of interface change as a Debian patch because there's too
much risk that upstream would later introduce it in a slightly different
form and then I'd be stuck with a compatibility problem. I'd prefer to
wait for upstream.

Cheers,

--
Colin Watson [cjwatson@debian.org]
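
An added example, not part of the thread or of the submitted patch: a helper in the role of AuthorizedKeysCommand that uses the two extra arguments described in the report to print only the matching key instead of every user's key. The argument order (username, key type, MD5 fingerprint), the inline key store and the `git-serve` path are assumptions made for illustration.

```python
#!/usr/bin/env python3
import base64
import hashlib
import sys

# Constructed sample store: (real user, key type, base64 key blob).
# The blobs are dummy bytes, not real public keys.
STORE = [
    ("alice", "ssh-rsa", base64.b64encode(b"constructed-blob-alice").decode()),
    ("bob", "ssh-rsa", base64.b64encode(b"constructed-blob-bob").decode()),
    ("carol", "ssh-dss", base64.b64encode(b"constructed-blob-carol").decode()),
    ("mallory", "ssh-rsa", "not*valid*base64"),  # corrupt entry, must be skipped
]
# Hypothetical forced command; forwarding and PTY are switched off per key.
OPTIONS = ('command="/usr/local/bin/git-serve {user}",no-port-forwarding,'
           "no-X11-forwarding,no-agent-forwarding,no-pty")


def md5_fingerprint(b64_blob):
    """MD5 of the decoded key blob as colon-separated hex pairs."""
    digest = hashlib.md5(base64.b64decode(b64_blob, validate=True)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matching_lines(username, key_type, fingerprint, store=STORE):
    """Return authorized_keys lines for the one key sshd asked about."""
    if username != "git":          # only the shared account is served
        return []
    wanted = fingerprint.strip().lower()
    if wanted.startswith("md5:"):  # tolerate a prefixed form (assumption)
        wanted = wanted[4:]
    lines = []
    for user, ktype, blob in store:
        if ktype != key_type:
            continue
        try:
            if md5_fingerprint(blob) != wanted:
                continue
        except ValueError:         # bad base64: never emit the entry
            continue
        # The fingerprint is only a lookup index. The full key is printed so
        # that sshd still compares it with the key the client offered.
        lines.append(f"{OPTIONS.format(user=user)} {ktype} {blob}")
    return lines


if __name__ == "__main__" and len(sys.argv) == 4:
    print("\n".join(matching_lines(*sys.argv[1:])))
```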