Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
OpenSSH 6.6p1 patch: AuthorizedKeysCommand with additional argument <fingerprint>

Make and run

apt-get source openssh-server
apt-get install libssl-dev 
cd openssh-6.6p1

# Apply patch
patch -p1 openssh/openssh-6.6p1/auth2-pubkey.c < auth2-pubkey.c.patch

./configure
make

# Create authorized_keys command
vi /usr/local/sbin/ssh_authorized_keys
  # Copy from below

chmod 755 /usr/local/sbin/ssh_authorized_keys

# Run
`pwd`/sshd -ddd

# Connect
ssh -p 2222 -o IdentityFile=user.pub user@localhost id

# Build & install package
apt-get install libssl-dev libwrap0-dev libpam-dev libgtk2.0-dev libedit-dev libselinux1-dev libck-connector-dev dh-autoreconf dh-systemd

dpkg-source --commit
 # Description: Add fingerprint argument to AuthorizedKeysCommand
 #  This patch makes OpenSSH pass the public key fingerprint to the 
 #  AuthorizedKeysCommand, thereby allowing an efficient lookup.

dpkg-buildpackage -us -uc
dpkg -i ../openssh-server_*.deb

Notes

# Create patch
diff -Naur openssh.ORIG/openssh-6.6p1/auth2-pubkey.c openssh/openssh-6.6p1/auth2-pubkey.c  > auth2-pubkey.c.patch
--- openssh.ORIG/openssh-6.6p1/auth2-pubkey.c 2015-04-16 01:02:52.000000000 +0100
+++ openssh/openssh-6.6p1/auth2-pubkey.c 2015-04-16 01:03:50.304751623 +0100
@@ -512,7 +512,7 @@
struct stat st;
int status, devnull, p[2], i;
pid_t pid;
- char *username, errmsg[512];
+ char *username, *fp, errmsg[512];
if (options.authorized_keys_command == NULL ||
options.authorized_keys_command[0] != '/')
@@ -552,8 +552,10 @@
goto out;
}
- debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
- options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+
+ debug3("Running AuthorizedKeysCommand: \"%s %s %s\" as \"%s\"",
+ options.authorized_keys_command, user_pw->pw_name, fp, pw->pw_name);
/*
* Don't want to call this in the child, where it can fatal() and
@@ -602,7 +604,7 @@
}
execl(options.authorized_keys_command,
- options.authorized_keys_command, user_pw->pw_name, NULL);
+ options.authorized_keys_command, user_pw->pw_name, fp, NULL);
error("AuthorizedKeysCommand %s exec failed: %s",
options.authorized_keys_command, strerror(errno));
@@ -611,6 +613,7 @@
break;
}
+ free(fp);
temporarily_use_uid(pw);
close(p[1]);
#!/bin/bash
user=$1
fingerprint=$2
if [ "$user" == "user" -a "$fingerprint" == "64:a1:03:7c:1d:b6:7e:b0:0f:fd:76:7e:f0:ca:4f:20" ]; then
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDk15Ms4gJVpr8NbvHPPdAinLD6rWwGtJl4r1UokjXd6qQ2SKtR3xtCoIerhSE+KkYEF1mMoExIwx31d0WuQOJIkuoyJFhLhPAZBgVY6xj8t33Xlvnj1NMmUy+YuG/M8wTjbH1ooTQfg63BQibLzAhR7vbxm8j4UX+w8V5QV+VQtNG4sbxg5H6Szn2OP9s8HYfmmutOgygwKIymn8PapTPFlFqy1pj7iPs9XSSaNbS8FI/FU9yX0OWPpXD7S73JXZulLVTUMZGpNzaI5NQJAPUq7cRHNZjx0dOWQZ5OH5QrW2kJVzDAA2+oq+pv4TGTk1gPrDC6tnGyjkOWdElMRRN pheckel@platop"
fi
Port 2222
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/sbin/ssh_authorized_keys
AuthorizedKeysCommandUser nobody
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAw5NeTLOICVaa/DW7xzz3QIpyw+q1sBrSZeK9VKJI13eqkNki
rUd8bQqCHq4UhPipGBBdZjKBMSMMd9XdFrkDiSJLqMiRYS4TwGQYFWOsY/Ld915b
549TTJlMvmLhvzPME42x9aKE0H4OtwUImy8wIUe728ZvI+FF/sPFeUFflULTRuLG
8YOR+ks59jj/bPB2H5prrToMoMCiMpp/D2qUzxZRastaY+4j7PV0kmjW0vBSPxVP
cl9Dlj6Vw+0u9yV2bpS1U1DGRqTc2iOTUCQD1Ku3ERzWY8dHTlkGeTh+UK1tpCVc
wwANvqKvqb+Exk5NYD6wwurZxso5DlnRJTEUTQIDAQABAoIBAQDDBgla4wwcg8g5
CDwgCaNlMKoQw9Q5sAVupBO4ebu5YRMtLdlugYKKGZh3j4/WqT+1R1xbtLEvlouw
VAsLxaLI9PINdTPDfHcluqppaeNWJ7FAI0/yMPIXyCbHE0OZrsUqGnoDP/TBE3MI
/nP+i6erCCVEmzPoy5NI4V/h8lamNybFnbBG/n5xRaVePqPU2NQjfH5/vEJfjU8f
UZ/Zux6Xo94haif+Y4W+n4zu/44sJgUB1kjAvw9jRljFkt2VOH2CvosqIQIFdCTk
kXMEJFFb4ShwBbs2ploD3AN9XdOpXXyj6Xf+UrSvDHxfuuA6dE4AT72JZmcBwJy7
hng8ZewBAoGBAOAZErtMRnLLVX9BqxNyzljWsUbDUrqr5Rkk+6hNDHrfHP1oKwHt
tjV8mGi1eY59SFLgcghZ4Fzb6yB0jt3JL2ORWF56IqDTJd3NYTFXomlkItRgk/Ne
H7RJ+bBMKDDGjj5SE9oI6hdHUTF6p/YphDfHT408ptndFawTab85fPmtAoGBAN9q
13MS5SqHWSuJwygp58phAdSsABGi0OK5cZcRO9D4xTDEAw4AJ46JSapgUTmPVUK/
NWWHVsG9Z+/7nnwkwWJDEXoh3jfaQrFcNSTe/++9pcsmb3WCj8lBJPzjgh5Q/Pi5
bbETm5uEMZPSbbSSvlSxqyzTz8v8Oj6WdKVy3xkhAoGBAIlsNsVuz+DDekmQfpVt
mMZ32bx4OPpKQTJ7MGwT26xZt9BaGc2T9WG1Z00GxGUxxLE1/BfM7b5kCjsb3yR4
pDvdvKArK6MN+LGcqZZ1lB4nDwjHtNLQDIcluh13hknq6P2knZHeV5cw38SE4A0f
hnoiGlGVOQhvAERGn1lpqo79AoGBAIXgOOA8t1PnrNg5AdeEXN/Zh0ZQFu56eN8T
LmzOp+BN4aOaIRZ3ozx3KcxNUP7D09xeRXnkQmlvvOOCDHLpd3QRKlzcBJPFVud+
kF3avtSC+OEl0+4/YTfAsJBVJ/hQoXXNb1yHmlvzN94TXyewMxr/J8qB1eeu6Zvt
flJR5jvhAoGAGfEwqdBZEYEhm0Y+av8K+sMmae/NlisS09rj62GgURw9THLPuqhQ
3xteANHCOndBgtV+vZSqeTRRrNZM1tFpWVMEGH6uE8r+04zDbu3oUgIgV2fAMF9q
s0JYrGBJjRtIdIfr0UsJ05+cOo3ehME0S39x9ABujqmOIJwmeX45mhU=
-----END RSA PRIVATE KEY-----
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDk15Ms4gJVpr8NbvHPPdAinLD6rWwGtJl4r1UokjXd6qQ2SKtR3xtCoIerhSE+KkYEF1mMoExIwx31d0WuQOJIkuoyJFhLhPAZBgVY6xj8t33Xlvnj1NMmUy+YuG/M8wTjbH1ooTQfg63BQibLzAhR7vbxm8j4UX+w8V5QV+VQtNG4sbxg5H6Szn2OP9s8HYfmmutOgygwKIymn8PapTPFlFqy1pj7iPs9XSSaNbS8FI/FU9yX0OWPpXD7S73JXZulLVTUMZGpNzaI5NQJAPUq7cRHNZjx0dOWQZ5OH5QrW2kJVzDAA2+oq+pv4TGTk1gPrDC6tnGyjkOWdElMRRN pheckel@platop
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.