Re: [go-nuts] x/crypto/ssh server question

2016-12-18 Thread Mark Adams
Hi Andrew!

Take a quick look at the signature for ServerConfig.PublicKeyCallback:

PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)


As you already know, PublicKeyCallback allows you to indicate whether or
not user authentication is successful by returning an error value. The
other return argument, a pointer to a Permissions struct, actually
addresses your use case. The Permissions struct has CriticalOptions and
Extensions properties which are both map[string]string and can be used to
store arbitrary key-value pairs that are looked up during
PublicKeyCallback. Traditionally, PublicKeyCallback would be used to look
up the key in an authorized_keys file for the user, where it could
potentially parse out other configuration values such as force-command or
permit-X11-forwarding to modify how the application behaves when the user
uses that specific key, which would then be stored in the Permissions
struct. In the same way, we can use the Permissions struct to pass
arbitrary values based on a database lookup (or other mechanism) from the
authentication phase to the application code. Once PublicKeyCallback
successfully completes, the Permissions struct is made available as a
property of the ServerConn struct returned by ssh.NewServerConn() for your
application code to use.

In your case, you could potentially perform your database lookup of the key
during the PublicKeyCallback and store the resulting data (i.e. account_id,
permission level, etc.) in the Permissions.Extensions map and reference
those values via ServerConn.Permissions.Extensions in your application code.

I hope that helps!

Mark


On Sun, Dec 18, 2016 at 5:22 AM  wrote:

> I am trying to get access to the public key that was used to authenticate
> an ssh connection (https://godoc.org/golang.org/x/crypto/ssh#ConnMetadata)
> inside the PublicKeyCallback while handling a channel request. I want to be
> able to accept the connection with any public key, but then control some
> application level permissions based on this key later. Is this possible?
> Currently it seems the only information you can access is the User name.
>
> I'm trying to create an auth system similar to GitHub's ssh auth.  I want
> to allow anyone to ssh as a user like g...@github.com then do a database
> lookup on the key that was used to auth later when it tries to access
> something it might not have permission for. With the current API it seems
> like it's only possible to enable or disable permissions based on the
> username, and not the key used.
>
> Thanks for any help
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
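
The flow Mark describes, as an added example that is not code from the thread or from x/crypto/ssh: the callback looks the key up and returns the result in Extensions, and the application reads it back later. Assumptions: the Permissions type is a local stand-in with the same two map fields as ssh.Permissions so the block runs without the module, and the login name "repo", the accounts table, the key blobs and the Extensions keys are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Permissions is a local stand-in for ssh.Permissions (same two map fields).
type Permissions struct {
	CriticalOptions, Extensions map[string]string
}

// Constructed sample "database": key fingerprint -> {account_id, level}.
var accounts = map[string][2]string{
	fingerprint([]byte("constructed-key-blob-alice")): {"1001", "write"},
	fingerprint([]byte("constructed-key-blob-bob")):   {"1002", "read"},
}

// fingerprint renders a wire-format key blob as "SHA256:" + unpadded base64.
func fingerprint(keyBlob []byte) string {
	sum := sha256.Sum256(keyBlob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// authCallback has the shape of PublicKeyCallback; in a real server user is
// conn.User() and keyBlob is key.Marshal(). It keeps no state outside its return
// value: the callback may also run for keys a client only offers without signing.
func authCallback(user string, keyBlob []byte) (*Permissions, error) {
	if user != "repo" { // hypothetical shared login name
		return nil, errors.New("unknown user")
	}
	ext := map[string]string{"pubkey-fp": fingerprint(keyBlob), "level": "none"}
	if acct, ok := accounts[ext["pubkey-fp"]]; ok {
		ext["account_id"], ext["level"] = acct[0], acct[1]
	}
	return &Permissions{Extensions: ext}, nil // any key is accepted for "repo"
}

// canPush is the later application check; pass it ServerConn.Permissions.
func canPush(perms *Permissions) bool {
	return perms != nil && perms.Extensions["level"] == "write"
}

func main() {
	p, err := authCallback("repo", []byte("constructed-key-blob-bob"))
	fmt.Println(p.Extensions, canPush(p), err)
}
```

An unknown key still authenticates here, as the original question asks, but it carries level "none", so every later permission check denies by default.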



[go-nuts] x/crypto/ssh server question

2016-12-18 Thread andrewchamberss
I am trying to get access to the public key that was used to authenticate 
an ssh connection (https://godoc.org/golang.org/x/crypto/ssh#ConnMetadata) 
inside the PublicKeyCallback while handling a channel request. I want to be 
able to accept the connection with any public key, but then control some 
application level permissions based on this key later. Is this possible?  
Currently it seems the only information you can access is the User name. 

I'm trying to create an auth system similar to GitHub's ssh auth.  I want 
to allow anyone to ssh as a user like g...@github.com then do a database 
lookup on the key that was used to auth later when it tries to access 
something it might not have permission for. With the current API it seems 
like it's only possible to enable or disable permissions based on the 
username, and not the key used.

Thanks for any help
