
sshkey.cache format: valid characters include "'" "[" "]" ":" and ","; which are broken in AuthorizedKeysHelper #66

Closed
robbat2 opened this issue Jan 2, 2016 · 1 comment

Comments

@robbat2
Contributor

robbat2 commented Jan 2, 2016

The present AuthorizedKeysHelper removes the following characters/strings:

  • "[" (left square bracket)
  • "]" (right square bracket)
  • "'" (single quote)
  • "," (comma followed by space [not rendered correctly by markdown])
  • ":" (colon, removed implicitly by awk)

All of them ARE valid if an SSH key is preceded by an options string:

```
from="1.2.3.4,[2001:db8::/64]" ssh-rsa AAAA...
command="/usr/local/foo --arg1='a, b' " ssh-rsa AAAA...
```

There are two potential solutions:

  1. Keep the sshkey.cache format the same, only improve the script (A python rewrite perhaps)
  2. Write out one sshkey per line, instead of an array as the second element; and improve the script. This has a side benefit of working better with the existing script.
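The option-string cases from this report, as an added example that is not part of the issue or of nsscache's code: a parser that consumes an authorized_keys line the way sshd does (commas and whitespace inside double quotes are literal, `\"` is an escaped quote), so `from="1.2.3.4,[2001:db8::/64]"` and `command="/usr/local/foo --arg1='a, b' "` come back intact instead of being stripped. `KEY_TYPES` is a constructed subset of the key types sshd accepts.

```python
# Added example, not nsscache's own code: parse one authorized_keys line without
# mangling , : [ ] or ' inside option values. KEY_TYPES is a constructed subset.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_options(text):
    """Consume the options prefix of a key line and return (options, remainder).
    Commas and whitespace inside double quotes are literal, and \\" inside a
    quoted value is an escaped quote; values are returned without their quotes."""
    options, cur, in_quote, i = {}, [], False, 0

    def flush():
        name, sep, value = "".join(cur).partition("=")
        options[name] = value if sep else None   # flag options map to None
        cur.clear()

    while i < len(text):
        c = text[i]
        if in_quote and c == "\\" and text[i + 1:i + 2] == '"':
            cur.append('"')                      # escaped quote inside a value
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            flush()                              # option separator
        elif c in " \t" and not in_quote:
            break                                # end of the options string
        else:
            cur.append(c)
        i += 1
    if in_quote:
        raise ValueError("unterminated quote in options: %r" % text)
    flush()
    return options, text[i:].strip()


def parse_authorized_key(line):
    """Return (options, keytype, keyblob, comment) for one authorized_keys line."""
    line = line.strip()
    if not line:
        raise ValueError("empty line")
    options = {}
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, line = parse_options(line)      # options precede the key type
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line: %r" % line)
    return options, parts[0], parts[1], parts[2] if len(parts) == 3 else ""
```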
@robbat2
Contributor Author

robbat2 commented Jan 5, 2016

I have implemented a much better command that you can take here:
https://dev.gentoo.org/~robbat2/nsscache-0.30-gentoo-authorized-keys-command.py

robbat2 added a commit to robbat2/nsscache that referenced this issue Jan 10, 2016
Implement a much more useful AuthorizedKeysCommand that does not have
the problems of the original shell version. The new command also
supports ways to filter the keys and do exact matches based on
information from the sshd (eg keytype/fingerprint/keyblob)

Bugs in the old shell version:
- did substring match on usernames instead of exact match
  google#67
- Failed on keys with characters: [, ], :, ",", "'"
  google#66

Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
@jaqx0r jaqx0r closed this as completed Jan 10, 2016