

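--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -509,7 +509,8 @@
 	struct stat st;
 	int status, devnull, p[2], i;
 	pid_t pid;
-	char *username, errmsg[512];
+	char *username, errmsg[512], *key_fp;
+	const char *key_type_name;
 
 	if (options.authorized_keys_command == NULL ||
 	    options.authorized_keys_command[0] != '/')
@@ -549,8 +550,15 @@
 		goto out;
 	}
 
-	debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
-	    options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
+	key_type_name = key_ssh_name(key);
+	if (key_type_name == NULL)
+		key_type_name = "ssh-unknown";
+
+	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+
+	debug3("Running AuthorizedKeysCommand: \"%s %s %s %s\" as \"%s\"",
+	    options.authorized_keys_command, user_pw->pw_name,
+	    key_type_name, key_fp, pw->pw_name);
 
 	/*
 	 * Don't want to call this in the child, where it can fatal() and
@@ -563,6 +571,7 @@
 		error("%s: fork: %s", __func__, strerror(errno));
 		close(p[0]);
 		close(p[1]);
+		free(key_fp);
 		return 0;
 	case 0: /* child */
 		for (i = 0; i < NSIG; i++)
@@ -599,7 +608,8 @@
 		}
 
 		execl(options.authorized_keys_command,
-		    options.authorized_keys_command, user_pw->pw_name, NULL);
+		    options.authorized_keys_command, user_pw->pw_name,
+		    key_type_name, key_fp, NULL);
 
 		error("AuthorizedKeysCommand %s exec failed: %s",
 		    options.authorized_keys_command, strerror(errno));
@@ -611,6 +621,7 @@
 	temporarily_use_uid(pw);
 
 	close(p[1]);
+	free(key_fp);
 	if ((f = fdopen(p[0], "r")) == NULL) {
 		error("%s: fdopen: %s", __func__, strerror(errno));
 		close(p[0]);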
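Review bot: The fingerprint handed to the command (new lines 557 and 612) is MD5 (SSH_FP_MD5), and nothing in the code or the man page says it is only a lookup hint; since MD5 collisions are practical, an AuthorizedKeysCommand that treats the fingerprint as proof of key identity would be misled, so the contract should be written down where the value is produced, e.g. above the key_fingerprint() call: `/* Lookup hint only: keys returned by the command are still matched against the presented key. */` — that final comparison presumably happens in the caller, which is outside this hunk. If this tree already has a SHA-based SSH_FP_* constant, prefer it here and in the sshd_config.5 text. The new code also assumes key_fingerprint() never returns NULL, since key_fp goes straight into debug3() and execl(); if it can fail in this tree, guard it the same way key_type_name is guarded. The two free(key_fp) calls cover the fork-failure and parent paths while the child relies on exec/exit, which is correct today but fragile if another early return is added between the allocation and close(p[1]); the enclosing function starts and ends outside this view.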
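--- a/sshd_config.5
+++ b/sshd_config.5
@@ -199,10 +199,24 @@
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.
 The program must be owned by root and not writable by group or others.
-It will be invoked with a single argument of the username
-being authenticated, and should produce on standard output zero or
-more lines of authorized_keys output (see AUTHORIZED_KEYS in
+It will be invoked with three arguments and should produce on standard output
+zero or more lines of authorized_keys output (see AUTHORIZED_KEYS in
 .Xr sshd 8 ) .
+.Pp
+The arguments to the command are:
+.Bl -enum -width 1m -offset Ds -compact
+.It
+the username being authenticated,
+.It
+the type of the key used for authentication, for example,
+.Dq ssh-rsa ,
+.Dq ssh-dss ,
+.Dq ssh-unknown ,
+.It
+the MD5 fingerprint of the key used for authentication, for example,
+.Dq a5:67:0e:55:e6:ca:fb:e8:38:58:1a:bc:1a:a9:42:be .
+.El
+.Pp
 If a key supplied by AuthorizedKeysCommand does not successfully authenticate
 and authorize the user then public key authentication continues using the usual
 .Cm AuthorizedKeysFile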
