Support multiple keys per user
In use cases where one user is supposed to be reachable with multiple public keys, but where each public key should only have access to a specific set of commands, the variable $SSH_USER_AUTH will be considered together with colon separated username->key pairs in the configuration to determine the set of commands to use. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
This commit is contained in:
parent
3bed7bad11
commit
194a71e968
@ -22,6 +22,30 @@ my %config = do $configfile;
|
||||
die "Couldn't run $configfile" unless %config;
|
||||
|
||||
my $user = $ENV{'USER'};
|
||||
my $authfile = $ENV{'SSH_USER_AUTH'};
|
||||
|
||||
my %publickeys;
|
||||
|
||||
if ($authfile && -f $authfile) {
|
||||
open my $fh, '<', $authfile or die "Found authentication file, but failed to read it: $!";
|
||||
while (<$fh>) {
|
||||
$_ =~ /^publickey (ssh-[a-z0-9]+ .*)$/;
|
||||
$publickeys{$1} = 1;
|
||||
}
|
||||
close $fh or print STDERR "Failed to close authentication file: $!";
|
||||
}
|
||||
|
||||
foreach my $userentry (keys %config) {
|
||||
my @userelements = split(':', $userentry);
|
||||
if (scalar @userelements > 1) {
|
||||
my $entry_user = $userelements[0];
|
||||
my $entry_key = $userelements[1];
|
||||
if ($entry_user eq $user && exists($publickeys{$entry_key})) {
|
||||
$user = $userentry;
|
||||
last;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (! exists($config{$user}) ) {
|
||||
print STDERR 'Unauthorized user.';
|
||||
|
@ -15,10 +15,12 @@
|
||||
|
||||
The command line to validate is taken either from the arguments passed after the configuration file, or read from the variable $SSH_ORIGINAL_COMMAND, which is passed if used as a forced SSH command.
|
||||
|
||||
The application supports handling different sets of authorized commands for a single user based on the public key the session was initiated with. This utilizes the variable $SSH_USER_AUTH, which requires the OpenSSH server to be configured with "ExposeAuthInfo" enabled in sshd_config(5).
|
||||
|
||||
=head1 EXAMPLES
|
||||
|
||||
In authorized_keys, sshd(8), the following syntax can be used:
|
||||
command="/usr/bin/authorized-exec.pod /etc/authorized-exec/service1.pl" ssh-ed25519 ....
|
||||
command="/usr/bin/authorized-exec /etc/authorized-exec/service1.pl" ssh-ed25519 ....
|
||||
|
||||
=head1 AUTHOR
|
||||
|
||||
|
@ -1,10 +1,13 @@
|
||||
# the patterns are read as regular expressions and anchored with ^ and $ by default
|
||||
(
|
||||
'georg' => [
|
||||
'georg2:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFY7Pvf4Rzn7C8Ioi1ZvY/O7tJsMCv27URdQE5o1daDK' => [
|
||||
'echo hi',
|
||||
'true',
|
||||
'printf %s [a-z0-9 ]+',
|
||||
],
|
||||
'georg2' => [
|
||||
'echo bye',
|
||||
],
|
||||
'root' => [
|
||||
'ls -a /root',
|
||||
],
|
||||
|
Loading…
Reference in New Issue
Block a user