We can already inject 'from=' restrictions in the output of
``AuthorizedKeyCommand`` but we can not change the behavior of this
command based on the source address.
With the source address, it is possible for example to build a "Trust on
first use" mechanism similar to the ``StrictHostKeyChecking=accept-new``
This is useful in scenarios where a cluster of computers is
automatically provisioned in a trusted environment and then sent in the
field.
Signed-off-by: Jean-Tiare Le Bigot <jean-tiare.le-bigot@easymile.com>
---
auth2-pubkey.c | 1 +
sshd_config.5 | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 2fb5950e..b61706e8 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -933,6 +933,7 @@ user_key_command_allowed2(struct ssh *ssh, struct
passwd *user_pw,
"t", sshkey_ssh_name(key),
"f", key_fp,
"k", keytext,
+ "a", ssh_remote_ipaddr(ssh),
(char *)NULL);
if (tmp == NULL)
fatal("%s: percent_expand failed", __func__);
diff --git a/sshd_config.5 b/sshd_config.5
index c6484370..61dd180c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1773,10 +1773,12 @@ The key or certificate type.
The numeric user ID of the target user.
.It %u
The username.
+.It %a
+The connection source IP address.
.El
.Pp
.Cm AuthorizedKeysCommand
-accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
+accepts the tokens %%, %f, %h, %k, %t, %U, %u and %a.
.Pp
.Cm AuthorizedKeysFile
accepts the tokens %%, %h, %U, and %u.
--
2.17.1
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
``AuthorizedKeyCommand`` but we can not change the behavior of this
command based on the source address.
With the source address, it is possible for example to build a "Trust on
first use" mechanism similar to the ``StrictHostKeyChecking=accept-new``
This is useful in scenarios where a cluster of computers is
automatically provisioned in a trusted environment and then sent in the
field.
Signed-off-by: Jean-Tiare Le Bigot <jean-tiare.le-bigot@easymile.com>
---
auth2-pubkey.c | 1 +
sshd_config.5 | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 2fb5950e..b61706e8 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -933,6 +933,7 @@ user_key_command_allowed2(struct ssh *ssh, struct
passwd *user_pw,
"t", sshkey_ssh_name(key),
"f", key_fp,
"k", keytext,
+ "a", ssh_remote_ipaddr(ssh),
(char *)NULL);
if (tmp == NULL)
fatal("%s: percent_expand failed", __func__);
diff --git a/sshd_config.5 b/sshd_config.5
index c6484370..61dd180c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1773,10 +1773,12 @@ The key or certificate type.
The numeric user ID of the target user.
.It %u
The username.
+.It %a
+The connection source IP address.
.El
.Pp
.Cm AuthorizedKeysCommand
-accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
+accepts the tokens %%, %f, %h, %k, %t, %U, %u and %a.
.Pp
.Cm AuthorizedKeysFile
accepts the tokens %%, %h, %U, and %u.
--
2.17.1
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev