Support multiple keys per user

In use cases where one user is supposed to be reachable with multiple public keys, but where each public key should only have access to a specific set of commands, the variable $SSH_USER_AUTH will be considered together with colon separated username->key pairs in the configuration to determine the set of commands to use. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2024-09-15 19:23:03 +02:00 · 2024-09-15 19:23:03 +02:00 · 194a71e968
commit 194a71e968
parent 3bed7bad11
3 changed files with 31 additions and 2 deletions
--- a/authorized-exec.pl
+++ b/authorized-exec.pl
@ -22,6 +22,30 @@ my %config = do $configfile;
 	die "Couldn't run $configfile"       unless %config;

 my $user = $ENV{'USER'};
+my $authfile = $ENV{'SSH_USER_AUTH'};
+
+my %publickeys;
+
+if ($authfile && -f $authfile) {
+	open my $fh, '<', $authfile or die "Found authentication file, but failed to read it: $!";
+	while (<$fh>) {
+		$_ =~ /^publickey (ssh-[a-z0-9]+ .*)$/;
+		$publickeys{$1} = 1;
+	}
+	close $fh or print STDERR "Failed to close authentication file: $!";
+}
+
+foreach my $userentry (keys %config) {
+	my @userelements = split(':', $userentry);
+	if (scalar @userelements > 1) {
+		my $entry_user = $userelements[0];
+		my $entry_key = $userelements[1];
+		if ($entry_user eq $user && exists($publickeys{$entry_key})) {
+			$user = $userentry;
+			last;
+		}
+	}
+}

 if (! exists($config{$user}) ) {
 	print STDERR 'Unauthorized user.';
--- a/authorized-exec.pod
+++ b/authorized-exec.pod
@ -15,10 +15,12 @@

 	The command line to validate is taken either from the arguments passed after the configuration file, or read from the variable $SSH_ORIGINAL_COMMAND, which is passed if used as a forced SSH command.

+	The application supports handling different sets of authorized commands for a single user based on the public key the session was initiated with. This utilizes the variable $SSH_USER_AUTH, which requires the OpenSSH server to be configured with "ExposeAuthInfo" enabled in sshd_config(5).
+
 =head1 EXAMPLES

 	In authorized_keys, sshd(8), the following syntax can be used:
-		command="/usr/bin/authorized-exec.pod /etc/authorized-exec/service1.pl" ssh-ed25519 ....
+		command="/usr/bin/authorized-exec /etc/authorized-exec/service1.pl" ssh-ed25519 ....

 =head1 AUTHOR

--- a/config.example.pl
+++ b/config.example.pl
@ -1,10 +1,13 @@
 # the patterns are read as regular expressions and anchored with ^ and $ by default
 (
-	'georg' => [
+	'georg2:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFY7Pvf4Rzn7C8Ioi1ZvY/O7tJsMCv27URdQE5o1daDK' => [
 		'echo hi',
 		'true',
 		'printf %s [a-z0-9 ]+',
 	],
+	'georg2' => [
+		'echo bye',
+	],
 	'root' => [
 		'ls -a /root',
 	],