Re: identifying [DR]SA key used for ssh key-based login
On Mon, Mar 10, 2003 at 11:35:50PM +0100, martin f krafft wrote:
> also sprach Colin Watson <cjwatson@debian.org> [2003.03.10.1454 +0100]:
> > Set 'LogLevel VERBOSE' in /etc/ssh/sshd_config and the key fingerprint
> > will be syslogged. (This currently doesn't work for RSA1 keys due to a
> > bug in privilege separation.)
>
> only DSA keys being used, so no problem.
>
> this is one step closer, but it's not really that great. the reason
> why i want to enable it is because i want one unprivileged account to
> do a certain task, and i would like to use the SSH key used to log in
> to establish the security context of the task.

Oh, I see. Then you should use a forced command in
~/.ssh/authorized_keys, establishing the security context on the server
side. For example, my dynamic DNS is set up using a passphraseless key
and this line in the authorized_keys file on the server side:

    command="userv dyndns dyndns dynamic.greenend.org.uk riva",no-pty,no-port-forwarding 1024 35 ...

(I could probably add some more restrictions in there.)

The sshd(8) man page describes the format of authorized_keys.

> does anyone here have a connection into the OpenSSH team and could
> forward a feature request? i'd prefer not to enlist with the mailing
> list...

There are a lot of bugs against ssh in the Debian BTS, but I do forward
bugs filed there to upstream as I get time.

Cheers,

--
Colin Watson [cjwatson@flatline.org.uk]
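
Added example, not part of the original message: a small Python audit of authorized_keys entries that reports each key's forced command and which restrictions from sshd(8) are not in effect, run over the line quoted in the message plus two constructed entries. The `restrict` option it recognises comes from later OpenSSH releases and is not mentioned in the message; the names `parse_entry`, `audit` and `SAMPLES` are hypothetical.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # key types; a leading number is old RSA1 "bits"
WANTED = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")

def parse_entry(line):
    """Return {lowercased option: value or True} for one authorized_keys line."""
    line = line.strip()
    first = line.split(None, 1)[0]
    if first.startswith(KEY_PREFIXES) or first.isdigit():
        return {}                            # no options field before the key
    opts, cur, in_quotes, i = {}, [], False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes and line[i:i + 2] == '\\"':
            cur.append('"')                  # escaped quote inside a value
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in ", \t" and not in_quotes:
            name, _, value = "".join(cur).partition("=")
            if name:
                opts[name.lower()] = value or True
            cur = []
            if ch != ",":
                return opts                  # unquoted whitespace ends the options
        else:
            cur.append(ch)
        i += 1
    raise ValueError("unterminated quote or missing key")

def audit(line):
    """Report the forced command and which WANTED restrictions are not in effect."""
    opts = parse_entry(line)
    # "restrict" enables every restriction; "pty", "port-forwarding" etc. re-allow one.
    missing = [r for r in WANTED
               if r not in opts and not ("restrict" in opts and r[3:] not in opts)]
    return {"command": opts.get("command"), "missing": missing}

SAMPLES = [  # first line is the one quoted in the message; the other two are constructed
    'command="userv dyndns dyndns dynamic.greenend.org.uk riva",no-pty,no-port-forwarding 1024 35 ...',
    'restrict,command="/usr/local/bin/task \\"nightly\\"" ssh-ed25519 AAAA-CONSTRUCTED backup',
    'ssh-ed25519 AAAA-CONSTRUCTED user@example',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample))
```

For the line from the message, the audit lists agent and X11 forwarding as the restrictions still left open.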