Support multiple keys per user

In use cases where one user is supposed to be reachable with multiple
public keys, but where each public key should only have access to a
specific set of commands, the variable $SSH_USER_AUTH will be considered
together with colon-separated username->key pairs in the configuration
to determine the set of commands to use.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Georg Pfuetzenreuter 2024-09-15 19:23:03 +02:00
parent 3bed7bad11
commit 194a71e968
Signed by: Georg
GPG Key ID: 1ED2F138E7E6FF57
3 changed files with 31 additions and 2 deletions

View File

@ -22,6 +22,30 @@ my %config = do $configfile;
die "Couldn't run $configfile" unless %config; die "Couldn't run $configfile" unless %config;
my $user = $ENV{'USER'}; my $user = $ENV{'USER'};
my $authfile = $ENV{'SSH_USER_AUTH'};
my %publickeys;
if ($authfile && -f $authfile) {
open my $fh, '<', $authfile or die "Found authentication file, but failed to read it: $!";
while (<$fh>) {
$_ =~ /^publickey (ssh-[a-z0-9]+ .*)$/;
$publickeys{$1} = 1;
}
close $fh or print STDERR "Failed to close authentication file: $!";
}
foreach my $userentry (keys %config) {
my @userelements = split(':', $userentry);
if (scalar @userelements > 1) {
my $entry_user = $userelements[0];
my $entry_key = $userelements[1];
if ($entry_user eq $user && exists($publickeys{$entry_key})) {
$user = $userentry;
last;
}
}
}
if (! exists($config{$user}) ) { if (! exists($config{$user}) ) {
print STDERR 'Unauthorized user.'; print STDERR 'Unauthorized user.';
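Review bot: the match in `$_ =~ /^publickey (ssh-[a-z0-9]+ .*)$/;` is never checked, so on a line that does not match, `$1` still holds the capture from the previous successful match (or is undef on the first line) and `$publickeys{$1} = 1;` records a stale or empty key; guard the assignment with the match, e.g. `if (/^publickey (ssh-[a-z0-9]+ .*)$/) { $publickeys{$1} = 1; }`. The key-type pattern `ssh-[a-z0-9]+` also only accepts `ssh-rsa`/`ssh-ed25519`-style types and will not match `ecdsa-sha2-nistp256` or `sk-` prefixed FIDO key types, so a session authenticated with one of those keys silently falls through to the plain `$config{$user}` entry instead of its per-key command set.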

View File

@ -15,10 +15,12 @@
The command line to validate is taken either from the arguments passed after the configuration file, or read from the variable $SSH_ORIGINAL_COMMAND, which is passed if used as a forced SSH command. The command line to validate is taken either from the arguments passed after the configuration file, or read from the variable $SSH_ORIGINAL_COMMAND, which is passed if used as a forced SSH command.
The application supports handling different sets of authorized commands for a single user based on the public key the session was initiated with. This utilizes the variable $SSH_USER_AUTH, which requires the OpenSSH server to be configured with "ExposeAuthInfo" enabled in sshd_config(5).
=head1 EXAMPLES =head1 EXAMPLES
In authorized_keys, sshd(8), the following syntax can be used: In authorized_keys, sshd(8), the following syntax can be used:
command="/usr/bin/authorized-exec.pod /etc/authorized-exec/service1.pl" ssh-ed25519 .... command="/usr/bin/authorized-exec /etc/authorized-exec/service1.pl" ssh-ed25519 ....
=head1 AUTHOR =head1 AUTHOR
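Review bot: the new paragraph states that "ExposeAuthInfo" is required but does not tell the reader how a per-key entry is written; add the configuration syntax here, e.g. that the hash key becomes `'user:ssh-ed25519 AAAA...' => [ ... ]` with the key in the same `type base64` form as in the $SSH_USER_AUTH file, and that a plain `'user'` entry still applies when the session key matches none of the per-key entries. The correction of `/usr/bin/authorized-exec.pod` to `/usr/bin/authorized-exec` in the EXAMPLES section is unrelated to this feature and would be easier to track as its own commit.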

View File

@ -1,10 +1,13 @@
# the patterns are read as regular expressions and anchored with ^ and $ by default # the patterns are read as regular expressions and anchored with ^ and $ by default
( (
'georg' => [ 'georg2:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFY7Pvf4Rzn7C8Ioi1ZvY/O7tJsMCv27URdQE5o1daDK' => [
'echo hi', 'echo hi',
'true', 'true',
'printf %s [a-z0-9 ]+', 'printf %s [a-z0-9 ]+',
], ],
'georg2' => [
'echo bye',
],
'root' => [ 'root' => [
'ls -a /root', 'ls -a /root',
], ],
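Review bot: the example now shows both a `'georg2:ssh-ed25519 ...'` entry and a plain `'georg2'` entry, but the header comment only explains pattern anchoring; add a comment stating that the per-key entry is selected when the session was authenticated with exactly that key and that the plain entry is the fallback for every other key of that user, otherwise a reader may assume the plain entry's commands are added to, rather than replaced by, the per-key list.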