upstream commit

add a way for principals command to get see key ID and serial
too

Upstream-ID: 0d30978bdcf7e8eaeee4eea1b030eb2eb1823fcb
djm@openbsd.org 2016-09-21 01:34:45 +00:00 committed by Damien Miller
parent 920585b826
commit bfa9d969ab
2 changed files with 15 additions and 9 deletions


@ -1,4 +1,4 @@
/* $OpenBSD: auth2-pubkey.c,v 1.57 2016/09/14 20:11:26 djm Exp $ */ /* $OpenBSD: auth2-pubkey.c,v 1.58 2016/09/21 01:34:45 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* *
@ -639,6 +639,7 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
pid_t pid; pid_t pid;
char *tmp, *username = NULL, *command = NULL, **av = NULL; char *tmp, *username = NULL, *command = NULL, **av = NULL;
char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL; char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL;
char serial_s[16];
void (*osigchld)(int); void (*osigchld)(int);
if (options.authorized_principals_command == NULL) if (options.authorized_principals_command == NULL)
@ -694,6 +695,7 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r));
goto out; goto out;
} }
snprintf(serial_s, sizeof(serial_s), "%llu", cert->serial);
for (i = 1; i < ac; i++) { for (i = 1; i < ac; i++) {
tmp = percent_expand(av[i], tmp = percent_expand(av[i],
"u", user_pw->pw_name, "u", user_pw->pw_name,
@ -704,6 +706,8 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
"F", ca_fp, "F", ca_fp,
"k", keytext, "k", keytext,
"K", catext, "K", catext,
"i", cert->key_id,
"s", serial_s,
(char *)NULL); (char *)NULL);
if (tmp == NULL) if (tmp == NULL)
fatal("%s: percent_expand failed", __func__); fatal("%s: percent_expand failed", __func__);
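Review bot: `char serial_s[16]` declared at the top of the hunk is too small for the value formatted into it later: a 64-bit serial can need 20 decimal digits plus the terminator, so snprintf silently truncates any serial of 16 or more digits and the new %s token would then hand AuthorizedPrincipalsCommand a wrong serial with no error raised. The declaration should be `char serial_s[32];`. The format call also passes cert->serial straight to "%llu"; if that field is a u_int64_t rather than an unsigned long long it should be cast, `snprintf(serial_s, sizeof(serial_s), "%llu", (unsigned long long)cert->serial);`, so the conversion matches the specifier on every platform. match_principals_command begins and ends outside the hunk, so the earlier check that key is a certificate (and that cert is non-NULL before cert->key_id and cert->serial are read) cannot be confirmed from here.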


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.232 2016/09/14 05:42:25 djm Exp $ .\" $OpenBSD: sshd_config.5,v 1.233 2016/09/21 01:34:45 djm Exp $
.Dd $Mdocdate: September 14 2016 $ .Dd $Mdocdate: September 21 2016 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -306,14 +306,16 @@ Arguments to
may be provided using the following tokens, which will be expanded may be provided using the following tokens, which will be expanded
at runtime: at runtime:
%% is replaced by a literal '%', %% is replaced by a literal '%',
%u is replaced by the username being authenticated,
%h is replaced by the home directory of the user being authenticated,
%t is replaced with type of the certificate being offered,
%T with the type of the CA key,
%f is replaced with certificate fingerprint,
%F with the fingerprint of the CA key, %F with the fingerprint of the CA key,
%k is replaced with the full base-64 encoded certificate and %f is replaced with certificate fingerprint,
%K is replaced with the base-64 encoded CA key. %K is replaced with the base-64 encoded CA key.
%k is replaced with the full base-64 encoded certificate,
%h is replaced with the home directory of the user being authenticated,
%i is replaced with key ID in the certificate,
%s is replaced with the serial number of the certificate,
%T with the type of the CA key,
%t is replaced with type of the certificate being offered, and
%u is replaced by the username being authenticated,
If no arguments are specified then the username of the target user If no arguments are specified then the username of the target user
will be supplied. will be supplied.
.Pp .Pp