https://bugzilla.mindrot.org/show_bug.cgi?id=983
--- Comment #43 from David Woodhouse <[email protected]> 2011-09-17 21:39:50 EST ---

My use case for this is to run a PAM stack *after* pubkey authentication, and one environment in which I want to do that is for something like gitolite — where multiple people each have their own SSH key installed, but there is only one local user. We want to use keys *and* a one-time password.

It would be really useful if the PAM stack could know *which* SSH key was used to authenticate. Then we can have an OTP setup for each human being rather than just having a single shared one.

This kind of thing should probably do it. This makes the two-step authentication much more useful for us.

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 137887e..68f1a6a 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -350,6 +350,12 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 			verbose("Accepted certificate ID \"%s\" "
 			    "signed by %s CA %s via %s", key->cert->key_id,
 			    key_type(found), fp, file);
+#ifdef USE_PAM
+			if (options.use_pam) {
+				do_pam_putenv("SSH_PUBKEY_TYPE", "X509");
+				do_pam_putenv("SSH_PUBKEY", key->cert->key_id);
+			}
+#endif
 			xfree(fp);
 			found_key = 1;
 			break;
@@ -365,6 +371,12 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
 			verbose("Found matching %s key: %s",
 			    key_type(found), fp);
+#ifdef USE_PAM
+			if (options.use_pam) {
+				do_pam_putenv("SSH_PUBKEY_TYPE", key_type(found));
+				do_pam_putenv("SSH_PUBKEY", fp);
+			}
+#endif
 			xfree(fp);
 			break;
 		}
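Review bot: the certificate branch hardcodes the type as "X509" in `do_pam_putenv("SSH_PUBKEY_TYPE", "X509");` while the plain-key branch in the next hunk uses `key_type(found)`; the key matched here is an OpenSSH certificate (the surrounding context logs `key->cert->key_id`), so the literal mislabels it and leaves the PAM side with two different type vocabularies. Suggest `do_pam_putenv("SSH_PUBKEY_TYPE", key_type(found));` here as well, and note in the same place that `key->cert->key_id` is a CA-chosen string rather than a fingerprint, so a module keying an OTP identity on SSH_PUBKEY has to treat the two formats differently.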
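Review bot: the variables are exported at the point a key is matched in the file inside `user_key_allowed2()`, and nothing in either hunk clears or replaces them if that key does not turn out to be the one the session authenticates with; a PAM stack that selects a per-person OTP from SSH_PUBKEY should only ever see the key whose signature was accepted, so consider setting the variables from the caller after the signature check succeeds, or clearing them on every failure path. The new variable names and the fingerprint format the visible `key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX)` call produces also need documenting (sshd(8) is the natural place) so module authors know what to match against.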
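As an added example, not part of David Woodhouse's comment or of OpenSSH: a POSIX shell helper of the kind a `pam_exec` step could run after this patch, mapping the SSH_PUBKEY_TYPE and SSH_PUBKEY values to a human so the per-person OTP step described above has an identity to work with. The key map, fingerprints and names are constructed; it assumes pam_exec exports the PAM environment that `do_pam_putenv` populates to the command it runs.

```shell
#!/bin/sh
# Added example, not from the bug report or from OpenSSH: a helper that a
# pam_exec step could run after pubkey authentication to turn the
# SSH_PUBKEY_TYPE / SSH_PUBKEY values the patch exports into a human identity
# for a per-person OTP check. Assumption: pam_exec exports the PAM environment
# (what do_pam_putenv sets) to the command it runs.

# Constructed sample map: "<type> <fingerprint or cert id> <human>" per line.
# Plain keys carry the MD5 hex fingerprint, certificates carry the CA-assigned
# key id, matching the two branches of the patch.
KEYMAP_CONTENT='RSA 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 alice
RSA 00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11 bob
X509 deploy-cert-0042 carol'

# lookup_owner TYPE VALUE: print the human the key belongs to and return 0,
# or return 1 when either argument is empty or no exact match exists.
# Both fields must match, so a fingerprint cannot satisfy a certificate entry.
lookup_owner() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    printf '%s\n' "$KEYMAP_CONTENT" | awk -v t="$1" -v v="$2" '
        $1 == t && $2 == v { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# check_key_identity: the decision for one PAM conversation. Reads the two
# variables from the environment and fails closed (return 1) when they are
# absent or unknown; on success prints the identity the OTP stage should use.
check_key_identity() {
    owner=$(lookup_owner "${SSH_PUBKEY_TYPE:-}" "${SSH_PUBKEY:-}") || return 1
    printf 'otp-identity=%s\n' "$owner"
}
```

Wired in as a `pam_exec.so` line after the pubkey step, an absent or unrecognised key fails the check rather than falling through to a shared secret; the example stops at producing the `otp-identity` line, and handing that value to a particular OTP module is outside what it shows.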
