This OpenSSH hack allows you to use a custom script to do public key lookup and authentication.
We welcome audits and improvements to the patch (we’re not expert C hackers). The patched-openssh-5.8p1
branch is openssh-5.8p1
with the patch applied.
Are you kidding? We forked a fork of OpenSSH. Though we only added a few dozen lines, odds are we also incorporated a few hundred buffer overflow vectors.
If you’re going to run this hack, it is recommended you run this in a chroot
jail .
We strongly advise against using this patched version of sshd for the main sshd on your server — run a normal install of sshd on a non-standard port.
In summary: USE THIS PATCH AT YOUR OWN RISK.
In order to do so, we added an optional AuthorizedKeysScript
option to your sshd_config
. The format and functionality is identical to AuthorizedKeysFile
, except the path will reference a program instead of a flatfile. The value I use is .ssh/authorized_keys_script
.
The script must follow certain guidelines in order for this to work properly.
Your program will receive the username and public key on STDIN, seperated by a newline and terminated by EOF. It will be in canoncial SSH public key format, starting with ssh-dss
or ssh-rsa
, a space, and then the key data.
Your program’s exit code is the most important output from your script. An exit code of 0 means success, while 1 means failure. Success allows the user to login with that key. It is thus VERY important that your script does not blindly exit with a code of 0, or the user will be able to login as the user.
Your script has the option of outputting ssh options in the same format as authorized_keys
. These options are printed to standard out. You must print only the options without any whitespace or newlines at the end (i.e., in Ruby, use print
not puts
). A valid option string might be command="gitosis-serve jd",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
. Outputting invalid options (or a newline) will result in the user’s key being rejected, regardless of your exit code. Additionally, your scripts output will be entirely ignored if the exit code is not 0.
You should write your script to timeout and exit (with a status code of 1) after some number of seconds, otherwise the sshd session will hang waiting for your script to return. This should not affect the overall sshd daemon, but might leave forked sessions hung, requiring sshd to be restarted.
- SIGCHLD confirmation – is the current handling of SIGCHLD ok?
- Add a timeout to assure the script does not permanently hang the sshd session. If timeout occurs, kill the child process.
- Make the options output handling a bit less sensitive, e.g. handle if a newline is printed.
The modifications are released under the BSD license.