Results 1 to 7 of 7

Thread: SSH Keys Command

  1. #1
    Join Date
    Aug 2011
    Beans
    4

    SSH Keys Command

    Hi there,

    So in .ssh/authorized_keys we could set a command path for each key on authorization.

    I know that RedHat server have a global AuthorizedKeysCommand in ssh_config and allow to write an alternative authorization script for ssh.

    Is this possible in Ubuntu server or is planned to be implemented in the near future?
    There are some patches for OpenSSH but is not best solution and it may have security bugs.

    Any idea about this?

    Thanks & Happy New Year!

  2. #2
    Join Date
    Dec 2010
    Beans
    570
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: SSH Keys Command

    Both RedHat and Ubuntu use OpenSSH and have the configuration directive AuthorizedKeysCommand.

  3. #3
    Join Date
    Aug 2011
    Beans
    4

    Re: SSH Keys Command

    Yeah thanks. There just are no any info about this in man and this command is not in config file by default.
    But what i've found in openssh docs is that actually this command allow just to scale authorized_keys file and no more.

    So there is no possibility for this command script to get ssh pub key and do it's own authentication for users.

    For example if a user try to ssh git@host:username/repository ... the command will get only 'git' username and path i think, but no pub key... like github does.

    Is this possible somehow or not?

  4. #4
    Join Date
    Dec 2010
    Beans
    570
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: SSH Keys Command

    I am not sure what you are asking. Are you wanting to have access to directories based on the ssh key that you provide? If this is what you want then ssh is not the tool. ssh is for securely logging in to get a command prompt.

  5. #5
    Join Date
    Aug 2011
    Beans
    4

    Re: SSH Keys Command

    Quote Originally Posted by hawkmage View Post
    I am not sure what you are asking. Are you wanting to have access to directories based on the ssh key that you provide? If this is what you want then ssh is not the tool. ssh is for securely logging in to get a command prompt.
    I just want to do my own ssh pub key lookup from a database and identify the user in the command script, then allow or deny access.

    This could be achieved by using the forced command for each key in authorized_keys.

    For ex:
    command="auth git" id-rsa ...
    command="auth shogun" id-rsa ...

    and in auth script
    #!/usr/bin/env node

    var user = process.argv[2];

    if (user == 'git') {
    // allow only git user
    process.exit(0);
    } else {
    // deny access
    process.exit(1);
    }

    also there is a SSH_ORIGINAL _COMMAND in the env.

    I thought that a global AuthorizedKeysCommand will run a script for all the users that try to login or run a command throught ssh and set the username and ssh pub key as arguments so the script may identify and allow or deny...

    But now it looks like this could be used only to output the authorized_keys file content.
    command="auth git" id-rsa ...
    command="auth shogun" id-rsa ...

    Looks a little nonsense to me.

  6. #6
    Join Date
    Dec 2010
    Beans
    570
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: SSH Keys Command

    From your last description it does sound like AuthorizedKeysCommand will do most of what you want by having a centralized store of allowed keys. The one thing that you want that it will not do is set the UID. The user name is passed by the ssh client.

    The AuthorizedKeysCommand script takes a single argument which is the user name and output to stdout the keys you want to consider to be valid for that user. The format of the output should lust like what would go into the authorized_keys file. (Here is a page with a good reference for the file http://linux.die.net/man/8/sshd)

  7. #7
    Join Date
    Aug 2011
    Beans
    4

    Re: SSH Keys Command

    Quote Originally Posted by hawkmage View Post
    From your last description it does sound like AuthorizedKeysCommand will do most of what you want by having a centralized store of allowed keys. The one thing that you want that it will not do is set the UID. The user name is passed by the ssh client.

    The AuthorizedKeysCommand script takes a single argument which is the user name and output to stdout the keys you want to consider to be valid for that user. The format of the output should lust like what would go into the authorized_keys file. (Here is a page with a good reference for the file http://linux.die.net/man/8/sshd)
    Yes i know this. I just hoped that this command script will allow more low level control over authorization. This will not allow to use one global username for git access over ssh for ex, like github does. ex: git@github.com:Username/repository.git ...

    Ok, thanks for replies.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •