Bug 2712

Summary: Add fingerprint of key used for public key authentication to PAM handle
Product: Portable OpenSSH
Reporter: Sebastian Roland <seroland86>
Component: PAM support
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED DUPLICATE
Severity: enhancement
CC: djm, jjelen
Priority: P5
Version: -current
Hardware: All
OS: Linux

Description Sebastian Roland 2017-05-07 08:39:02 AEST
I have developed a PAM module that creates the authorized_keys file from X.509 certificates obtained from LDAP. If specified, there are cases where public keys from users a, b, ..., n are synced into the authorized_keys file of user x. Right now I don't have any possibility to figure out which actual user has now logged in on behalf of user x.

A solution to this problem is that OpenSSH makes the fingerprint of the key that has been (successfully) used during public key authentication available within the PAM space (pam_set_data() / pam_putenv()).

In this case one could hook in another PAM module, e.g. for session management, that obtains the fingerprint and works with it (e.g. mapping it to a user and making it available in the user environment).
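To illustrate the consuming side of the proposal, here is an added example (not code from the report or from OpenSSH): it parses a synced authorized_keys file, computes the OpenSSH-style SHA256 fingerprint of each key, and resolves a fingerprint back to the owner so a session-stage module could tell which of users a, b, ..., n actually logged in as user x. It assumes the syncing module writes the owning user into each key's comment field, and that the fingerprint reaches the session module by whatever PAM data or environment mechanism sshd ends up exposing; the keys are constructed dummy blobs, not real key material.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-")


def _wire_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(raw_pubkey: bytes) -> str:
    """Base64 body of an ssh-ed25519 authorized_keys entry (constructed sample, not a real key)."""
    blob = _wire_string(b"ssh-ed25519") + _wire_string(raw_pubkey)
    return base64.b64encode(blob).decode()


def fingerprint_sha256(b64_key: str) -> str:
    """Fingerprint as ssh-keygen -lf prints it: SHA256 of the decoded blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> dict:
    """Map fingerprint -> owner (comment field) for every key line.

    Skips blank and '#' lines and tolerates a leading options field by scanning
    for the first key-type token (simplification: options must not contain a
    whitespace-separated token that itself looks like a key type).
    """
    owners = {}
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line: no base64 body after the key type
        owner = " ".join(tokens[idx + 2:]) or "<no comment>"
        owners[fingerprint_sha256(tokens[idx + 1])] = owner
    return owners


def resolve_login(owners: dict, fingerprint: str):
    """What the session-stage module would do with the fingerprint handed over by sshd; None if unknown."""
    return owners.get(fingerprint)


# Constructed sample: user x's authorized_keys as synced from users alice and bob.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# synced by the LDAP/X.509 module",
    "ssh-ed25519 " + make_ed25519_blob(bytes(range(32))) + " alice",
    'no-pty,command="/usr/bin/true" ssh-ed25519 ' + make_ed25519_blob(bytes(range(32, 64))) + " bob",
])
OWNERS = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
```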
Comment 1 Jakub Jelen 2017-05-09 16:46:41 AEST
This is basically a subset of what is already implemented in bug #2408 [1].

I would rather focus on merging one of the implementations than on creating three different ones. It is the third time I have heard about similar requests, so I believe it would be a good thing to settle on some solution upstream.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2408
Comment 2 Damien Miller 2018-04-06 14:09:25 AEST
*** This bug has been marked as a duplicate of bug 2408 ***
Comment 3 Damien Miller 2021-04-23 14:57:00 AEST
closing resolved bugs as of 8.6p1 release