OpenSSH 6.6p1 patch: AuthorizedKeysCommand with additional argument <fingerprint> (the MD5 hex fingerprint of the key the client offered, passed as the command's second argument)

Make and run

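# Fetch the Debian source package and the one header package a plain ./configure build needs.
apt-get source openssh-server
apt-get install libssl-dev
cd openssh-6.6p1

# Apply patch.
# The patch header names openssh.ORIG/openssh-6.6p1/auth2-pubkey.c and
# openssh/openssh-6.6p1/auth2-pubkey.c (see the diff under "Notes"), so from
# inside openssh-6.6p1/ two leading path components have to be stripped (-p2).
# A dry run first so a mismatching tree leaves no half-applied file behind.
patch -p2 --dry-run < auth2-pubkey.c.patch && patch -p2 < auth2-pubkey.c.patch

./configure
make

# Create the AuthorizedKeysCommand helper (its contents are the bash script below).
vi /usr/local/sbin/ssh_authorized_keys
  # Copy from below

# sshd refuses an AuthorizedKeysCommand that is not owned by root or that is
# group/world-writable; 0755 satisfies that and still lets the unprivileged
# AuthorizedKeysCommandUser (nobody in the test config) execute it.
chmod 755 /usr/local/sbin/ssh_authorized_keys

# Run.
# sshd must be started by absolute path, and a prefix-less ./configure looks for
# its config under /usr/local/etc, so pass the test sshd_config shown below
# explicitly (saved here as ./sshd_config; adjust the -f path to where you put it).
# -ddd keeps sshd in the foreground and serves a single connection.
# The test config sets no ListenAddress, so port 2222 is bound on every interface.
"$PWD/sshd" -ddd -f ./sshd_config

# Connect and run `id` on the server to prove the key was accepted.
# A .pub IdentityFile only works when the matching private key is loaded in
# ssh-agent; otherwise point IdentityFile at the private key itself.
ssh -p 2222 -o IdentityFile=user.pub user@localhost id

# Build & install package
apt-get install libssl-dev libwrap0-dev libpam-dev libgtk2.0-dev libedit-dev libselinux1-dev libck-connector-dev dh-autoreconf dh-systemd

# Record the change as a patch under debian/patches (interactive; the text
# below is the description to enter).
dpkg-source --commit
 # Description: Add fingerprint argument to AuthorizedKeysCommand
 #  This patch makes OpenSSH pass the public key fingerprint to the 
 #  AuthorizedKeysCommand, thereby allowing an efficient lookup.

# -us -uc: local build, source and .changes left unsigned.
dpkg-buildpackage -us -uc
dpkg -i ../openssh-server_*.deb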

Notes

# Create patch: recursive unified diff (-r -u), absent files treated as empty (-N),
# everything treated as text (-a). The resulting ---/+++ headers carry the
# openssh.ORIG/openssh-6.6p1/ and openssh/openssh-6.6p1/ prefixes, which is why
# the patch is applied with -p2 from inside openssh-6.6p1/.
diff -ruNa openssh.ORIG/openssh-6.6p1/auth2-pubkey.c openssh/openssh-6.6p1/auth2-pubkey.c > auth2-pubkey.c.patch
--- openssh.ORIG/openssh-6.6p1/auth2-pubkey.c 2015-04-16 01:02:52.000000000 +0100
+++ openssh/openssh-6.6p1/auth2-pubkey.c 2015-04-16 01:03:50.304751623 +0100
@@ -512,7 +512,7 @@
struct stat st;
int status, devnull, p[2], i;
pid_t pid;
- char *username, errmsg[512];
+ char *username, *fp, errmsg[512];
if (options.authorized_keys_command == NULL ||
options.authorized_keys_command[0] != '/')
@@ -552,8 +552,10 @@
goto out;
}
- debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
- options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+
+ debug3("Running AuthorizedKeysCommand: \"%s %s %s\" as \"%s\"",
+ options.authorized_keys_command, user_pw->pw_name, fp, pw->pw_name);
/*
* Don't want to call this in the child, where it can fatal() and
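Review bot: The value handed to the command is an MD5 hex fingerprint (`key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX)` on the added line), and nothing in the patch says what the command may rely on it for. Presumably sshd still compares the key the command prints against the key the client offered, so a colliding fingerprint alone is not an authentication bypass, but a command author could mistake the argument for proof of key possession; a comment on the added line such as `/* lookup index only: the key the command returns is still matched against the offered key */` would make that explicit. MD5 is also the fingerprint format later OpenSSH releases replaced with SHA256/base64, which is worth noting so a future rebase does not silently change the command's input. The enclosing function starts before this hunk and continues past it.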
@@ -602,7 +604,7 @@
}
execl(options.authorized_keys_command,
- options.authorized_keys_command, user_pw->pw_name, NULL);
+ options.authorized_keys_command, user_pw->pw_name, fp, NULL);
error("AuthorizedKeysCommand %s exec failed: %s",
options.authorized_keys_command, strerror(errno));
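Review bot: The changed `execl` line turns the AuthorizedKeysCommand calling convention into `<command> <username> <fingerprint>`, but the patch carries no manual update for it. The sshd_config(5) text for AuthorizedKeysCommand should say that the program is invoked with two arguments, the username being authenticated and the MD5 hexadecimal fingerprint of the offered key, and that commands written for the single-argument form keep working as long as they ignore the extra argument. The exec-failure message two lines below could also include that second argument, but that is cosmetic. This switch arm belongs to a function that starts before the hunk and continues after it.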
@@ -611,6 +613,7 @@
break;
}
+ free(fp);
temporarily_use_uid(pw);
close(p[1]);
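Review bot: The new `free(fp)` runs only on the parent's fall-through path after the switch, while the fingerprint string was allocated before `fork()` in an earlier hunk; if the fork-failure arm of this switch (`case -1:`, not visible here) returns directly, `fp` leaks on that path. Adding `free(fp);` in that arm before its return closes it in one line. In a per-connection sshd child the leak is small, but allocating before a multi-exit switch is exactly the pattern that makes the missing free easy to overlook. The function continues past the end of this hunk.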
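#!/bin/bash
# AuthorizedKeysCommand helper for the patched sshd.
#
#   $1  login name being authenticated
#   $2  MD5 hex fingerprint of the key the client offered (added by the patch;
#       an unpatched sshd passes only $1, so $2 is empty, nothing matches and
#       the script fails closed)
#
# Prints the authorized public key for the (user, fingerprint) pair, or nothing.
# sshd is expected to match the printed key against the offered key itself, so
# the fingerprint is only a lookup index here, never proof of key possession.
user="$1"
fingerprint="$2"

# Single hard-coded test entry; a real deployment would look the pair up in a store.
readonly TEST_USER="user"
readonly TEST_FINGERPRINT="64:a1:03:7c:1d:b6:7e:b0:0f:fd:76:7e:f0:ca:4f:20"
readonly TEST_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDk15Ms4gJVpr8NbvHPPdAinLD6rWwGtJl4r1UokjXd6qQ2SKtR3xtCoIerhSE+KkYEF1mMoExIwx31d0WuQOJIkuoyJFhLhPAZBgVY6xj8t33Xlvnj1NMmUy+YuG/M8wTjbH1ooTQfg63BQibLzAhR7vbxm8j4UX+w8V5QV+VQtNG4sbxg5H6Szn2OP9s8HYfmmutOgygwKIymn8PapTPFlFqy1pj7iPs9XSSaNbS8FI/FU9yX0OWPpXD7S73JXZulLVTUMZGpNzaI5NQJAPUq7cRHNZjx0dOWQZ5OH5QrW2kJVzDAA2+oq+pv4TGTk1gPrDC6tnGyjkOWdElMRRN pheckel@platop"

# [[ ... && ... ]] instead of the obsolescent "[ ... -a ... ]"; quoted right-hand
# sides keep the comparison literal rather than a pattern match.
if [[ "$user" == "$TEST_USER" && "$fingerprint" == "$TEST_FINGERPRINT" ]]; then
    echo "$TEST_KEY"
fi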
# Test-only sshd_config for exercising the patched AuthorizedKeysCommand.
# No ListenAddress is set, so sshd binds port 2222 on every interface; run this
# only on a host you trust, or add "ListenAddress 127.0.0.1" for a local test.
Port 2222
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
# DSA host keys are limited to 1024 bits; fine for a local test, not for production.
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
# KeyRegenerationInterval and ServerKeyBits apply only to protocol 1, which
# "Protocol 2" above disables, so these two lines are inert.
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
# NOTE(review): root login is enabled for the test; set this to "no" on any
# reachable host. Password logins are disabled below, so a key is still required.
PermitRootLogin yes
StrictModes yes
# Protocol 1 option; inert with "Protocol 2".
RSAAuthentication yes
PubkeyAuthentication yes
# With the patch applied this is invoked as
#   /usr/local/sbin/ssh_authorized_keys <username> <md5-hex-fingerprint>
# and its stdout is read as authorized_keys lines. sshd refuses to run it unless
# the file is owned by root and not group/world-writable.
AuthorizedKeysCommand /usr/local/sbin/ssh_authorized_keys
# The helper runs as this user, so it must need nothing "nobody" cannot read.
AuthorizedKeysCommandUser nobody
IgnoreRhosts yes
# Protocol 1 option; inert with "Protocol 2".
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
# Key-only authentication: both interactive methods are off.
ChallengeResponseAuthentication no
PasswordAuthentication no
# Not needed for the "ssh ... id" test; can be dropped to keep the surface minimal.
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDk15Ms4gJVpr8NbvHPPdAinLD6rWwGtJl4r1UokjXd6qQ2SKtR3xtCoIerhSE+KkYEF1mMoExIwx31d0WuQOJIkuoyJFhLhPAZBgVY6xj8t33Xlvnj1NMmUy+YuG/M8wTjbH1ooTQfg63BQibLzAhR7vbxm8j4UX+w8V5QV+VQtNG4sbxg5H6Szn2OP9s8HYfmmutOgygwKIymn8PapTPFlFqy1pj7iPs9XSSaNbS8FI/FU9yX0OWPpXD7S73JXZulLVTUMZGpNzaI5NQJAPUq7cRHNZjx0dOWQZ5OH5QrW2kJVzDAA2+oq+pv4TGTk1gPrDC6tnGyjkOWdElMRRN pheckel@platop