Server-side implementation of RFC 4819

ssh-publickeyd, an RFC 4819 server

This is a server implementation of VanDyke's RFC 4819 public key subsystem for SSHv2, which lets a client add, remove and list its own authorized public keys over an SSH subsystem without knowing how the server stores them (file layout, authorized_keys syntax and so on). In the future it might also support RFC 7076 (P6R's extension of the same subsystem).

Configuring OpenSSH server

Add the following to your /etc/ssh/sshd_config (RFC 4819 defines the subsystem name as "publickey"; sshd runs the command as the authenticated user, so the daemon can only manage that user's own keys):

Subsystem  publickey              /usr/local/bin/ssh-publickeyd

You'll also need the nullroute.authorized_keys module somewhere on Python's module search path (for example via PYTHONPATH). Apologies for not making it a proper pip module yet.

Writing a client

publickeyd is meant to be invoked as an SSH subsystem, for example using ssh -s publickey or libssh2_channel_subsystem().

However, the only difference between a normal command (ssh foo whoami, an "exec" channel request) and a subsystem (a "subsystem" channel request) is that the latter is referred to by a well-known name, which sshd maps to a program through its Subsystem directive. Otherwise they work like regular commands: the program reads requests on stdin and writes replies to stdout.

After connecting, speak the RFC 4819 protocol. Its framing follows the main SSH protocol: every packet is a uint32 length followed by that many bytes of data, and the data itself is built from the SSH wire types (uint32, string, boolean). See RFC 4251 §5 for those encodings and RFC 4819 §3 for the contents of each request (version, add, remove, list) and of the status replies.
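The exchange described above, as an added example that is not part of ssh-publickeyd or its nullroute.authorized_keys module: a client-side packet builder, a toy in-memory responder, and the RFC 4819 §3.1 framing that carries both over the subsystem's stdin/stdout. The Reader, ToyServer and run_exchange names, the "comment-only" attribute policy and the key blobs are constructed for the example; a real client sends the raw wire-format public key as the blob.

```python
"""Toy RFC 4819 exchange: RFC 4251 §5 data types, §3.1 framing, client
request builders (version, add) and a minimal server that answers with
status packets. Example code, not the ssh-publickeyd implementation."""
import struct

# --- RFC 4251 §5 encoders ---------------------------------------------------
def enc_uint32(n: int) -> bytes:
    return struct.pack(">I", n)

def enc_string(s) -> bytes:            # string = uint32 length + raw bytes
    if isinstance(s, str):
        s = s.encode("utf-8")
    return enc_uint32(len(s)) + s

def enc_boolean(b: bool) -> bytes:
    return b"\x01" if b else b"\x00"

def frame(body: bytes) -> bytes:
    """RFC 4819 §3.1 packet: uint32 length, then that many bytes of data."""
    return enc_uint32(len(body)) + body

class Reader:
    """Cursor over one packet body; every read is bounds-checked so a short
    or hostile packet raises instead of silently reading garbage."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def uint32(self) -> int:
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated uint32")
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v
    def string(self) -> bytes:
        n = self.uint32()
        if self.pos + n > len(self.data):
            raise ValueError("truncated string")
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v
    def boolean(self) -> bool:
        if self.pos >= len(self.data):
            raise ValueError("truncated boolean")
        v = self.data[self.pos] != 0
        self.pos += 1
        return v

def unframe(stream: bytes):
    """Split one complete packet off the front of a stream -> (body, rest);
    body is None when the stream does not yet hold a whole packet."""
    if len(stream) < 4:
        return None, stream
    (n,) = struct.unpack_from(">I", stream, 0)
    if len(stream) < 4 + n:
        return None, stream
    return stream[4:4 + n], stream[4 + n:]

# --- client side: request builders (RFC 4819 §3.2, §3.4) --------------------
def version_packet(version: int = 2) -> bytes:
    return frame(enc_string("version") + enc_uint32(version))

def add_packet(algo: str, blob: bytes, overwrite: bool = False, attrs=()) -> bytes:
    body = enc_string("add") + enc_string(algo) + enc_string(blob) + enc_boolean(overwrite)
    body += enc_uint32(len(attrs))
    for name, value, critical in attrs:   # each attribute: name, value, critical flag
        body += enc_string(name) + enc_string(value) + enc_boolean(critical)
    return frame(body)

def parse_reply(body: bytes):
    """Decode a server reply: ('version', n) or ('status', code, description)."""
    r = Reader(body)
    kind = r.string()
    if kind == b"version":
        return ("version", r.uint32())
    if kind == b"status":   # §3.3: uint32 code, string description, string language tag
        code, desc, _lang = r.uint32(), r.string(), r.string()
        return ("status", code, desc.decode("utf-8", "replace"))
    raise ValueError("unexpected reply %r" % kind)

# --- server side: a minimal in-memory responder -----------------------------
SSH_PUBLICKEY_SUCCESS = 0
SSH_PUBLICKEY_KEY_ALREADY_PRESENT = 6
SSH_PUBLICKEY_GENERAL_FAILURE = 7
SSH_PUBLICKEY_REQUEST_NOT_SUPPORTED = 8
SSH_PUBLICKEY_ATTRIBUTE_NOT_SUPPORTED = 9

def status_packet(code: int, description: str) -> bytes:
    return frame(enc_string("status") + enc_uint32(code)
                 + enc_string(description) + enc_string("en"))

class ToyServer:
    SUPPORTED_ATTRS = {b"comment"}   # toy policy: only "comment" is honoured

    def __init__(self):
        self.keys = {}        # (algo, blob) -> list of (name, value); a real server writes authorized_keys
        self.version = None

    def handle(self, body: bytes) -> bytes:
        r = Reader(body)
        name = r.string()
        if name == b"version":
            # answer with the highest version we support, never above the client's
            self.version = min(r.uint32(), 2)
            return frame(enc_string("version") + enc_uint32(self.version))
        if self.version is None:
            return status_packet(SSH_PUBLICKEY_GENERAL_FAILURE, "version exchange required first")
        if name == b"add":
            algo, blob, overwrite = r.string(), r.string(), r.boolean()
            attrs = []
            for _ in range(r.uint32()):
                an, av, critical = r.string(), r.string(), r.boolean()
                if an not in self.SUPPORTED_ATTRS:
                    if critical:   # a critical attribute we cannot honour must fail the add
                        return status_packet(SSH_PUBLICKEY_ATTRIBUTE_NOT_SUPPORTED,
                                             "critical attribute not supported: " + an.decode("ascii", "replace"))
                    continue       # non-critical and unknown: ignore it
                attrs.append((an, av))
            if (algo, blob) in self.keys and not overwrite:
                return status_packet(SSH_PUBLICKEY_KEY_ALREADY_PRESENT, "key already present")
            self.keys[(algo, blob)] = attrs
            return status_packet(SSH_PUBLICKEY_SUCCESS, "key added")
        return status_packet(SSH_PUBLICKEY_REQUEST_NOT_SUPPORTED, name.decode("ascii", "replace"))

def run_exchange():
    """Feed a constructed client stream to the toy server; return (replies, stored key count)."""
    blob = b"constructed-key-blob"   # constructed; a real client sends the wire-format key
    stream = (version_packet(2)
              + add_packet("ssh-ed25519", blob, attrs=[("comment", "laptop", False)])
              + add_packet("ssh-ed25519", blob)                                   # duplicate, no overwrite
              + add_packet("ssh-ed25519", blob + b"2", attrs=[("from", "10.0.0.0/8", True)])
              + frame(enc_string("list")))                                        # not implemented here
    server, replies = ToyServer(), []
    while True:
        body, stream = unframe(stream)
        if body is None:
            break
        reply_body, _ = unframe(server.handle(body))
        replies.append(parse_reply(reply_body))
    return replies, len(server.keys)
```

The version handshake comes first on purpose: the toy refuses any other request until it has happened, and it answers "add" with the RFC's status codes rather than free text, which is what a client like SecureCRT keys its error handling on. Wiring this to a real subsystem means replacing the in-memory stream with sys.stdin.buffer / sys.stdout.buffer and replacing the dict with the user's authorized_keys file.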

Known clients

  • VanDyke SecureCRT (did most of the testing on this)
  • Bitvise Tunnelier (apparently, but untested)
  • Multinet SSH (untested)
  • there is a wishlist entry for PuTTY
  • no OpenSSH yet

Known servers

  • VanDyke VShell
  • Bitvise WinSSHd
  • Multinet SSH
  • ssh-publickeyd!