OpenSSH with script authentication
This OpenSSH hack allows you to use a custom script to do public key lookup and authentication.
We welcome audits and improvements to the patch (we’re not expert C hackers). The
patched-openssh-5.8p1 branch is
openssh-5.8p1 with the patch applied.
Are you kidding? We forked a fork of OpenSSH. Though we only added a few dozen lines, odds are we also incorporated a few hundred buffer overflow vectors.
If you’re going to run this hack, it is recommended you run this in a
chroot jail .
We strongly advise against using this patched version of sshd for the main sshd on your server — run a normal install of sshd on a non-standard port.
Setup and Configuration
In order to do so, we added an optional
AuthorizedKeysScript option to your
sshd_config. The format and functionality is identical to
AuthorizedKeysFile, except the path will reference a program instead of a flatfile. The value I use is
Writing the Program/Script
The script must follow certain guidelines in order for this to work properly.
Your program will receive the username and public key on STDIN, seperated by a newline and terminated by EOF. It will be in canoncial SSH public key format, starting with
ssh-rsa, a space, and then the key data.
Your program’s exit code is the most important output from your script. An exit code of 0 means success, while 1 means failure. Success allows the user to login with that key. It is thus that your script does not blindly exit with a code of 0, or the user will be able to login as the user.
Your script has the option of outputting ssh options in the same format as
authorized_keys. These options are printed to standard out. You must print only the options without any whitespace or newlines at the end (i.e., in Ruby, use
puts). A valid option string might be
command="gitosis-serve jd",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty. Outputting invalid options (or a newline) will result in the user’s key being rejected, regardless of your exit code. Additionally, your scripts output will be entirely ignored if the exit code is not 0.
You should write your script to timeout and exit (with a status code of 1) after some number of seconds, otherwise the sshd session will hang waiting for your script to return. This should not affect the overall sshd daemon, but might leave forked sessions hung, requiring sshd to be restarted.
- SIGCHLD confirmation – is the current handling of SIGCHLD ok?
- Add a timeout to assure the script does not permanently hang the sshd session. If timeout occurs, kill the child process.
- Make the options output handling a bit less sensitive, e.g. handle if a newline is printed.
The modifications are released under the BSD license.