

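--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -509,7 +509,8 @@
 	struct stat st;
 	int status, devnull, p[2], i;
 	pid_t pid;
-	char *username, errmsg[512];
+	long len;
+	char *username, *keytext, errmsg[512];
 
 	if (options.authorized_keys_command == NULL ||
 	    options.authorized_keys_command[0] != '/')
@@ -567,6 +568,37 @@
 	case 0: /* child */
 		for (i = 0; i < NSIG; i++)
 			signal(i, SIG_DFL);
+
+		setenv(SSH_KEY_FINGERPRINT_ENV_NAME,
+			key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX), 1);
+
+		if ((f = tmpfile()) == NULL) {
+			error("%s: tmpfile: %s", __func__, strerror(errno));
+			_exit(1);
+		}
+		if (!key_write(key, f)) {
+			error("%s: key_write: %s", __func__, strerror(errno));
+			_exit(1);
+		}
+		if ((len = ftell(f)) == -1) {
+			error("%s: ftell: %s", __func__, strerror(errno));
+			_exit(1);
+		}
+		if ((keytext = xmalloc(len + 1)) == NULL) {
+			error("%s: xmalloc: %s", __func__, strerror(errno));
+			_exit(1);
+		}
+		if ((fseek(f, 0, SEEK_SET)) != 0) {
+			error("%s: fseek: %s", __func__, strerror(errno));
+			_exit(1);
+		}
+		if (fread(keytext, 1, len, f) != len) {
+			error("%s: fread: %s", __func__, strerror(errno));
+			_exit(1);
+		}
+		keytext[len] = '\0';
+		fclose(f);
+		setenv(SSH_KEY_ENV_NAME, keytext, 1);
 
 		if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
 			error("%s: open %s: %s", __func__, _PATH_DEVNULL,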
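Review bot: The key exported in SSH_KEY at new line 601 (and its fingerprint at 572-573) is whatever public key the client offered, which at this point has not been proven by a signature as far as I can tell (this path is also reached for the client's key-presence query), so the command must treat both variables as untrusted, attacker-chosen input; a comment above the first setenv such as `/* key is client-supplied and not yet verified by signature; the command must not rely on it as an identity */` would stop consumers from doing so, and the same caveat belongs in the sshd_config.5 hunk. The fingerprint at 573 is computed with SSH_FP_MD5, which is collision-prone; if this tree has a stronger SSH_FP_* digest, prefer it, otherwise document that the value is an MD5 fingerprint. The `xmalloc(...) == NULL` check at 587 looks dead since xmalloc in this tree fatal()s on failure rather than returning NULL, and the comparison at 595 mixes size_t and long, so write `if (fread(keytext, 1, (size_t)len, f) != (size_t)len) {`. Both setenv() results are unchecked; a failure would exec the command with a missing variable, so guard each with `if (setenv(...) == -1) { error("%s: setenv: %s", __func__, strerror(errno)); _exit(1); }`. If the uid switch to AuthorizedKeysCommandUser happens later in the child (outside this hunk), note that tmpfile() at 575 runs with sshd's privileges; the enclosing child case continues past the hunk.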
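--- a/ssh.h
+++ b/ssh.h
@@ -97,3 +97,15 @@
 
 /* Listen backlog for sshd, ssh-agent and forwarding sockets */
 #define SSH_LISTEN_BACKLOG		128
+
+/*
+ * Name of the environment variable containing the incoming key passed
+ * to AuthorizedKeysCommand.
+ */
+#define SSH_KEY_ENV_NAME "SSH_KEY"
+
+/*
+ * Name of the environment variable containing the incoming key fingerprint
+ * passed to AuthorizedKeysCommand.
+ */
+#define SSH_KEY_FINGERPRINT_ENV_NAME "SSH_KEY_FINGERPRINT"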
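Review bot: The two comments name the variables but not the format or trust level of their values, which is what a consumer of the header needs. I would extend the first to `* to AuthorizedKeysCommand: key type and base64 key text separated by a space, as offered by the (not yet authenticated) client.` and the second to say which digest and encoding the fingerprint uses, since the producer in auth2-pubkey.c fixes them (MD5, hex in this patch) and a change there would silently break scripts matching on the value.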
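--- a/sshd_config.5
+++ b/sshd_config.5
@@ -203,6 +203,11 @@
 being authenticated, and should produce on standard output zero or
 more lines of authorized_keys output (see AUTHORIZED_KEYS in
 .Xr sshd 8 ) .
+The key being used for authentication (the key's type and the key text itself,
+separated by a space) will be available in the
+.Ev SSH_KEY
+environment variable, and the fingerprint of the key will be available in the
+.Ev SSH_KEY_FINGERPRINT environment variable.
 If a key supplied by AuthorizedKeysCommand does not successfully authenticate
 and authorize the user then public key authentication continues using the usual
 .Cm AuthorizedKeysFile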
