
Re: identifying [DR]SA key used for ssh key-based login



On Mon, Mar 10, 2003 at 11:35:50PM +0100, martin f krafft wrote:
> also sprach Colin Watson <cjwatson@debian.org> [2003.03.10.1454 +0100]:
> > Set 'LogLevel VERBOSE' in /etc/ssh/sshd_config and the key fingerprint
> > will be syslogged. (This currently doesn't work for RSA1 keys due to a
> > bug in privilege separation.)
> 
> only DSA keys being used, so no problem.
> 
> this is one step closer, but it's not really that great. the reason
> why i want to enable it is because i want one unprivileged account to
> do a certain task, and i would like to use the SSH key used to log in
> to establish the security context of the task.

Oh, I see. Then you should use a forced command in
~/.ssh/authorized_keys, establishing the security context on the server
side. For example, my dynamic DNS is set up using a passphraseless key
and this line in the authorized_keys file on the server side:

  command="userv dyndns dyndns dynamic.greenend.org.uk riva",no-pty,no-port-forwarding 1024 35 ...

(I could probably add some more restrictions in there.)

The sshd(8) man page describes the format of authorized_keys.

> does anyone here have a connection into the OpenSSH team and could
> forward a feature request? i'd prefer not to enlist with the mailing
> list...

There are a lot of bugs against ssh in the Debian BTS, but I do forward
bugs filed there to upstream as I get time.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
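
The forced-command approach from the message above, generalized to several keys that share one account, as an added example that is not part of the original message. Each key's authorized_keys entry passes a server-chosen label to one wrapper, so the label identifies the key, while the client's request (SSH_ORIGINAL_COMMAND) is treated as untrusted input. The wrapper path, labels, task names and task paths are hypothetical.

```shell
#!/bin/sh
# Added example: one forced-command wrapper shared by several keys.
# Constructed authorized_keys entries (key material elided, names hypothetical):
#   command="/usr/local/bin/keyctx backup",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAA... backup-key
#   command="/usr/local/bin/keyctx deploy",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAA... deploy-key
# sshd runs the forced command instead of whatever the client asked for and
# exposes the client's request in the SSH_ORIGINAL_COMMAND environment variable.

# Map (label, request) to a fixed program path.
#   $1 = label from authorized_keys (server-controlled, identifies the key)
#   $2 = client request (untrusted)
# Only exact matches are accepted; the request is never evaluated or split.
keyctx_decide() {
    case "$1:$2" in
        backup:snapshot)    printf '%s\n' /usr/local/libexec/task-snapshot ;;
        backup:verify)      printf '%s\n' /usr/local/libexec/task-verify ;;
        deploy:restart-web) printf '%s\n' /usr/local/libexec/task-restart-web ;;
        *) return 1 ;;
    esac
}

# Entry point when sshd invokes the wrapper as the forced command.
keyctx_main() {
    label=${1:-}
    request=${SSH_ORIGINAL_COMMAND:-}
    if task=$(keyctx_decide "$label" "$request"); then
        # Run the fixed path chosen above, with no client-supplied arguments.
        exec "$task"
    fi
    printf '%s\n' "keyctx: request not permitted for this key" >&2
    return 1
}

# Run only when installed under the name "keyctx", so the functions can be
# sourced or exercised on their own without executing a task.
case "${0##*/}" in
    keyctx) keyctx_main "$@" ;;
esac
```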


