Attachment 2416 Details for Bug 2081 – Patch adding environment variables to pass key and fingerprint to AuthorizedKeysCommand

[patch] Patch adding environment variables to pass key and fingerprint to AuthorizedKeysCommand

openssh-akcenv.diff (text/plain), 3.12 KB, created by Scott Duckworth on 2014-03-25 01:29:51 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Scott Duckworth

Created: 2014-03-25 01:29:51 AEDT

Size: 3.12 KB

patch

obsolete

>Index: auth2-pubkey.c
>===================================================================
>RCS file: /cvs/openssh/auth2-pubkey.c,v
>retrieving revision 1.42
>diff -u -r1.42 auth2-pubkey.c
>--- auth2-pubkey.c	31 Dec 2013 01:25:41 -0000	1.42
>+++ auth2-pubkey.c	24 Mar 2014 14:15:52 -0000
>@@ -509,7 +509,8 @@
> 	struct stat st;
> 	int status, devnull, p[2], i;
> 	pid_t pid;
>-	char *username, errmsg[512];
>+	long len;
>+	char *username, *keytext, errmsg[512];
> 
> 	if (options.authorized_keys_command == NULL ||
> 	    options.authorized_keys_command[0] != '/')
>@@ -567,6 +568,37 @@
> 	case 0: /* child */
> 		for (i = 0; i < NSIG; i++)
> 			signal(i, SIG_DFL);
>+
>+		setenv(SSH_KEY_FINGERPRINT_ENV_NAME,
>+			key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX), 1);
>+
>+		if ((f = tmpfile()) == NULL) {
>+			error("%s: tmpfile: %s", __func__, strerror(errno));
>+			_exit(1);
>+		}
>+		if (!key_write(key, f)) {
>+			error("%s: key_write: %s", __func__, strerror(errno));
>+			_exit(1);
>+		}
>+		if ((len = ftell(f)) == -1) {
>+			error("%s: ftell: %s", __func__, strerror(errno));
>+			_exit(1);
>+		}
>+		if ((keytext = xmalloc(len + 1)) == NULL) {
>+			error("%s: xmalloc: %s", __func__, strerror(errno));
>+			_exit(1);
>+		}
>+		if ((fseek(f, 0, SEEK_SET)) != 0) {
>+			error("%s: fseek: %s", __func__, strerror(errno));
>+			_exit(1);
>+		}
>+		if (fread(keytext, 1, len, f) != len) {
>+			error("%s: fread: %s", __func__, strerror(errno));
>+			_exit(1);
>+		}
>+		keytext[len] = '\0';
>+		fclose(f);
>+		setenv(SSH_KEY_ENV_NAME, keytext, 1);
> 
> 		if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
> 			error("%s: open %s: %s", __func__, _PATH_DEVNULL,
>Index: ssh.h
>===================================================================
>RCS file: /cvs/openssh/ssh.h,v
>retrieving revision 1.78
>diff -u -r1.78 ssh.h
>--- ssh.h	25 Jun 2010 23:50:30 -0000	1.78
>+++ ssh.h	24 Mar 2014 14:15:52 -0000
>@@ -97,3 +97,15 @@
> 
> /* Listen backlog for sshd, ssh-agent and forwarding sockets */
> #define SSH_LISTEN_BACKLOG		128
>+
>+/*
>+ * Name of the environment variable containing the incoming key passed
>+ * to AuthorizedKeysCommand.
>+ */
>+#define SSH_KEY_ENV_NAME "SSH_KEY"
>+
>+/*
>+ * Name of the environment variable containing the incoming key fingerprint
>+ * passed to AuthorizedKeysCommand.
>+ */
>+#define SSH_KEY_FINGERPRINT_ENV_NAME "SSH_KEY_FINGERPRINT"
>Index: sshd_config.5
>===================================================================
>RCS file: /cvs/openssh/sshd_config.5,v
>retrieving revision 1.179
>diff -u -r1.179 sshd_config.5
>--- sshd_config.5	27 Feb 2014 23:01:28 -0000	1.179
>+++ sshd_config.5	24 Mar 2014 14:15:52 -0000
>@@ -203,6 +203,11 @@
> being authenticated, and should produce on standard output zero or
> more lines of authorized_keys output (see AUTHORIZED_KEYS in
> .Xr sshd 8 ) .
>+The key being used for authentication (the key's type and the key text itself,
>+separated by a space) will be available in the
>+.Ev SSH_KEY
>+environment variable, and the fingerprint of the key will be available in the
>+.Ev SSH_KEY_FINGERPRINT environment variable.
> If a key supplied by AuthorizedKeysCommand does not successfully authenticate
> and authorize the user then public key authentication continues using the usual
> .Cm AuthorizedKeysFile

Actions: View | Diff

Attachments on bug 2081: 2412 | 2416 | 2417 | 2438 | 2477 | 2478 | 2479 | 2522 | 2544 | 2545 | 2546 | 2549 | 2556 | 2557