info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Openssh AuthorizedKeysCommand Inquiry
5 views
Skip to first unread message
Lucas Halbert
Jul 29, 2016, 10:44:11 AM7/29/16
to
To whom it may concern,
I have a question regarding the AuthorizedKeysCommand functionality. Currently I am working on building an openldap sshPublicKey infrastructure which contains sshPublicKey entries with the following format(options keytype base64-encoded-key comment) example: (from="host1.example.com" ssh-rsa AB3Nz...EN8w== us...@host1.example.com<mailto:us...@host1.example.com>). I am wondering if the AuthorizedKeysCommand directive, or some other openssh function, offers a facility to parse the "options" field of the sshPublicKey entry in LDAP like openssh does using the authorized_keys file. My goal is to restrict the origin of SSH connections which use key exchange based on the from="" option of the sshPublicKey stored in LDAP. Any guidance you have is appreciated.
Thanks,
Lucas
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
I have a question regarding the AuthorizedKeysCommand functionality. Currently I am working on building an openldap sshPublicKey infrastructure which contains sshPublicKey entries with the following format(options keytype base64-encoded-key comment) example: (from="host1.example.com" ssh-rsa AB3Nz...EN8w== us...@host1.example.com<mailto:us...@host1.example.com>). I am wondering if the AuthorizedKeysCommand directive, or some other openssh function, offers a facility to parse the "options" field of the sshPublicKey entry in LDAP like openssh does using the authorized_keys file. My goal is to restrict the origin of SSH connections which use key exchange based on the from="" option of the sshPublicKey stored in LDAP. Any guidance you have is appreciated.
Thanks,
Lucas
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Lucas Halbert
Jul 29, 2016, 11:55:55 AM7/29/16
to
Thank you for your quick response. Everything appears to be working as you described. Keep up the excellent work!
Thanks,
Lucas
-----Original Message-----
From: Peter Moody [mailto:pe...@hda3.com]
Sent: Friday, July 29, 2016 11:33 AM
To: Lucas Halbert <lhal...@reverus.com>
Cc: openssh-...@mindrot.org
Subject: Re: Openssh AuthorizedKeysCommand Inquiry
AuthorizedKeysCommand would point to a script/binary that you write that when run with the configured options, returns what you want the AuthorizedKeysFile to look like for that user. So if you have pubkeys and options stored with your users in ldap in two separate attributes, you should be able to have something like this:
# this is in your sshd_config
AuthorizedKeysCommand /my/authorized_keys_command %u
# and this is the authorized_keys_command script.
#!/bin/sh
$uid=$1
pubkey=$(ldapsearch uid=$uid sshPubkey| grep -v dn | cut -d ':' -f 2)
echo $pubkey
Thanks,
Lucas
-----Original Message-----
From: Peter Moody [mailto:pe...@hda3.com]
Sent: Friday, July 29, 2016 11:33 AM
To: Lucas Halbert <lhal...@reverus.com>
Cc: openssh-...@mindrot.org
Subject: Re: Openssh AuthorizedKeysCommand Inquiry
AuthorizedKeysCommand would point to a script/binary that you write that when run with the configured options, returns what you want the AuthorizedKeysFile to look like for that user. So if you have pubkeys and options stored with your users in ldap in two separate attributes, you should be able to have something like this:
# this is in your sshd_config
AuthorizedKeysCommand /my/authorized_keys_command %u
# and this is the authorized_keys_command script.
#!/bin/sh
$uid=$1
pubkey=$(ldapsearch uid=$uid sshPubkey| grep -v dn | cut -d ':' -f 2)
echo $pubkey
0 new messages