Attachment 2412 Details for Bug 2081 – Patch adding two more arguments to the AuthorizedKeysCommand

[patch] Patch adding two more arguments to the AuthorizedKeysCommand

authorized-keys-command.patch (text/plain), 3.17 KB, created by Florian Zimmermann on 2014-02-23 03:24:58 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Florian Zimmermann

Created: 2014-02-23 03:24:58 AEDT

Size: 3.17 KB

patch

obsolete

>Index: auth2-pubkey.c
>===================================================================
>RCS file: /cvs/openssh/auth2-pubkey.c,v
>retrieving revision 1.42
>diff -u -r1.42 auth2-pubkey.c
>--- auth2-pubkey.c	31 Dec 2013 01:25:41 -0000	1.42
>+++ auth2-pubkey.c	22 Feb 2014 15:49:06 -0000
>@@ -509,7 +509,8 @@
> 	struct stat st;
> 	int status, devnull, p[2], i;
> 	pid_t pid;
>-	char *username, errmsg[512];
>+	char *username, errmsg[512], *key_fp;
>+	const char *key_type_name;
> 
> 	if (options.authorized_keys_command == NULL ||
> 	    options.authorized_keys_command[0] != '/')
>@@ -549,8 +550,15 @@
> 		goto out;
> 	}
> 
>-	debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
>-	    options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
>+	key_type_name = key_ssh_name(key);
>+	if (key_type_name == NULL)
>+		key_type_name = "ssh-unknown";
>+
>+	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
>+
>+	debug3("Running AuthorizedKeysCommand: \"%s %s %s %s\" as \"%s\"",
>+	    options.authorized_keys_command, user_pw->pw_name,
>+	    key_type_name, key_fp, pw->pw_name);
> 
> 	/*
> 	 * Don't want to call this in the child, where it can fatal() and
>@@ -563,6 +571,7 @@
> 		error("%s: fork: %s", __func__, strerror(errno));
> 		close(p[0]);
> 		close(p[1]);
>+		free(key_fp);
> 		return 0;
> 	case 0: /* child */
> 		for (i = 0; i < NSIG; i++)
>@@ -599,7 +608,8 @@
> 		}
> 
> 		execl(options.authorized_keys_command,
>-		    options.authorized_keys_command, user_pw->pw_name, NULL);
>+		    options.authorized_keys_command, user_pw->pw_name,
>+		    key_type_name, key_fp, NULL);
> 
> 		error("AuthorizedKeysCommand %s exec failed: %s",
> 		    options.authorized_keys_command, strerror(errno));
>@@ -611,6 +621,7 @@
> 	temporarily_use_uid(pw);
> 
> 	close(p[1]);
>+	free(key_fp);
> 	if ((f = fdopen(p[0], "r")) == NULL) {
> 		error("%s: fdopen: %s", __func__, strerror(errno));
> 		close(p[0]);
>Index: sshd_config.5
>===================================================================
>RCS file: /cvs/openssh/sshd_config.5,v
>retrieving revision 1.178
>diff -u -r1.178 sshd_config.5
>--- sshd_config.5	4 Feb 2014 00:13:18 -0000	1.178
>+++ sshd_config.5	22 Feb 2014 15:49:07 -0000
>@@ -199,10 +199,24 @@
> .It Cm AuthorizedKeysCommand
> Specifies a program to be used to look up the user's public keys.
> The program must be owned by root and not writable by group or others.
>-It will be invoked with a single argument of the username
>-being authenticated, and should produce on standard output zero or
>-more lines of authorized_keys output (see AUTHORIZED_KEYS in
>+It will be invoked with three arguments and should produce on standard output
>+zero or more lines of authorized_keys output (see AUTHORIZED_KEYS in
> .Xr sshd 8 ) .
>+.Pp
>+The arguments to the command are:
>+.Bl -enum -width 1m -offset Ds -compact
>+.It
>+the username being authenticated,
>+.It
>+the type of the key used for authentication, for example,
>+.Dq ssh-rsa ,
>+.Dq ssh-dss ,
>+.Dq ssh-unknown ,
>+.It
>+the MD5 fingerprint of the key used for authentication, for example,
>+.Dq a5:67:0e:55:e6:ca:fb:e8:38:58:1a:bc:1a:a9:42:be .
>+.El
>+.Pp
> If a key supplied by AuthorizedKeysCommand does not successfully authenticate
> and authorize the user then public key authentication continues using the usual
> .Cm AuthorizedKeysFile

Actions: View | Diff

Attachments on bug 2081: 2412 | 2416 | 2417 | 2438 | 2477 | 2478 | 2479 | 2522 | 2544 | 2545 | 2546 | 2549 | 2556 | 2557