diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2016-09-21 01:34:45 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2016-09-21 11:41:22 +1000 |
| commit | bfa9d969ab6235d4938ce069d4db7e5825c56a19 (patch) | |
| tree | 5ff7ef621e0e6660f4eae3a61b133d07f3bd4f5b | |
| parent | 920585b826af1c639e4ed78b2eba01fd2337b127 (diff) | |
| download | openssh-git-bfa9d969ab6235d4938ce069d4db7e5825c56a19.tar.gz | |
upstream commit
add a way for principals command to get see key ID and serial
too
Upstream-ID: 0d30978bdcf7e8eaeee4eea1b030eb2eb1823fcb
| -rw-r--r-- | auth2-pubkey.c | 6 | ||||
| -rw-r--r-- | sshd_config.5 | 18 |
2 files changed, 15 insertions, 9 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index a08354c7..cc546661 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.57 2016/09/14 20:11:26 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.58 2016/09/21 01:34:45 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -639,6 +639,7 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key) pid_t pid; char *tmp, *username = NULL, *command = NULL, **av = NULL; char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL; + char serial_s[16]; void (*osigchld)(int); if (options.authorized_principals_command == NULL) @@ -694,6 +695,7 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key) error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); goto out; } + snprintf(serial_s, sizeof(serial_s), "%llu", cert->serial); for (i = 1; i < ac; i++) { tmp = percent_expand(av[i], "u", user_pw->pw_name, @@ -704,6 +706,8 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key) "F", ca_fp, "k", keytext, "K", catext, + "i", cert->key_id, + "s", serial_s, (char *)NULL); if (tmp == NULL) fatal("%s: percent_expand failed", __func__); diff --git a/sshd_config.5 b/sshd_config.5 index 9e96acf3..dd94b480 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.232 2016/09/14 05:42:25 djm Exp $ -.Dd $Mdocdate: September 14 2016 $ +.\" $OpenBSD: sshd_config.5,v 1.233 2016/09/21 01:34:45 djm Exp $ +.Dd $Mdocdate: September 21 2016 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -306,14 +306,16 @@ Arguments to may be provided using the following tokens, which will be expanded at runtime: %% is replaced by a literal '%', -%u is replaced by the username being authenticated, -%h is replaced by the home directory of the user being authenticated, -%t is replaced with type of the certificate being offered, -%T with the type of the CA key, -%f is replaced with certificate fingerprint, %F with the fingerprint of the CA key, -%k is replaced with the full base-64 encoded certificate and +%f is replaced with certificate fingerprint, %K is replaced with the base-64 encoded CA key. +%k is replaced with the full base-64 encoded certificate, +%h is replaced with the home directory of the user being authenticated, +%i is replaced with key ID in the certificate, +%s is replaced with the serial number of the certificate, +%T with the type of the CA key, +%t is replaced with type of the certificate being offered, and +%u is replaced by the username being authenticated, If no arguments are specified then the username of the target user will be supplied. .Pp |