In Gerrit2 I'm authenticating against SSH keys stored in a PostgreSQL database. You can see the authenticator in question at [*1*]. What I really want to do is cache the database row's primary key into the ServerSession under an application-specific attribute, then retrieve that back again later from my Command implementations.
The reason I want to do that is I want to permit ambiguous usernames. Right now the username is a full email address, resulting in command lines like "ssh [email protected]@server.com". I want to change the database query to match on the local-name part of the email, which may result in more than one account's keys being selected from the database if there are multiple users with the same local-name part, but different domains. To keep it unambiguous once the authentication is complete, I need the Command to know the primary key of the row the authenticator matched.

Yes, I realize I could just query the database for the normalized PublicKey encoding rather than by username (as they should be unique), but that still doesn't solve my problem of finding out exactly which Account entity that PublicKey was associated with inside of a Command implementation. It also doesn't account for people who are still using keys created by the broken Debian ssh-keygen. :-)

SSHD-11 [*2*] proposes a patch to pass the ServerSession into the PublickeyAuthenticator, and adds an attribute map to the AbstractSession, making it possible for my DatabasePubKeyAuth implementation to store the primary key and my Command implementations (which are SessionAware) to pull it back out.

*1* http://android.git.kernel.org/?p=tools/gerrit.git;a=blob;f=appjar/src/main/java/com/google/gerrit/server/ssh/DatabasePubKeyAuth.java;hb=gerrit2
*2* https://issues.apache.org/jira/browse/SSHD-11
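The pattern described in the message above, as an added example that is not part of the original post and is neither Gerrit's nor Apache SSHD's code: the username only selects candidate rows, the offered key picks the row, and the row's primary key travels in the session for later commands. The `Session` and `KeyRow` types, the attribute name, the sample rows, and the choice to refuse a key that matches two different accounts are all assumptions made for illustration.

```java
import java.util.*;

// Stand-in types (hypothetical): not the Apache SSHD API and not Gerrit's code.
public class SessionAttributeDemo {
    // Minimal session carrying the per-connection attribute map the post asks for.
    static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        void setAttribute(String k, Object v) { attrs.put(k, v); }
        Object getAttribute(String k) { return attrs.get(k); }
    }

    // One row of a constructed key table: primary key, email, encoded public key.
    record KeyRow(int accountId, String email, String encodedKey) {}

    static final String ACCOUNT_ID = "demo.accountId"; // hypothetical attribute name

    static final List<KeyRow> ROWS = List.of( // constructed sample data
        new KeyRow(1, "alice@example.com", "AAAA-key-one"),
        new KeyRow(2, "alice@example.org", "AAAA-key-two"),
        new KeyRow(3, "bob@example.com", "AAAA-key-three"));

    // Authenticator side: the local-name narrows the candidates, the key decides.
    static boolean authenticate(String localName, String offeredKey, Session s) {
        Integer matched = null;
        for (KeyRow r : ROWS) {
            String local = r.email().substring(0, r.email().indexOf('@'));
            if (local.equals(localName) && r.encodedKey().equals(offeredKey)) {
                // Assumption: one key shared by two accounts is still ambiguous, so refuse.
                if (matched != null && matched != r.accountId()) return false;
                matched = r.accountId();
            }
        }
        if (matched == null) return false;
        s.setAttribute(ACCOUNT_ID, matched); // remember which row authenticated
        return true;
    }

    // Command side: identity comes from the session, never from the username.
    static int currentAccount(Session s) {
        Object id = s.getAttribute(ACCOUNT_ID);
        if (id == null) throw new IllegalStateException("session not authenticated");
        return (Integer) id;
    }

    public static void main(String[] args) {
        Session s = new Session();
        System.out.println(authenticate("alice", "AAAA-key-two", s));
        System.out.println(currentAccount(s));
        System.out.println(authenticate("alice", "AAAA-key-three", new Session()));
    }
}
```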
