upstream commit

support arguments to AuthorizedKeysCommand bz#2081 loosely based on patch by Sami Hartikainen feedback and ok markus@ Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
author: djm@openbsd.org <djm@openbsd.org> 2015-05-21 06:38:35 +0000
committer: Damien Miller <djm@mindrot.org> 2015-05-21 16:44:56 +1000
commit: 24232a3e5ab467678a86aa67968bbb915caffed4 (patch)
tree: e81f44adced3d0058b6b6e25ca8dc82a3a5db153 /sshd_config.5
parent: d80fbe41a57c72420c87a628444da16d09d66ca7 (diff)
1 files changed, 17 insertions, 5 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 562dad356..e40ecedef 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.200 2015/04/29 03:48:56 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.201 2015/05/21 06:38:35 djm Exp $
-.Dd $Mdocdate: April 29 2015 $
+.Dd $Mdocdate: May 21 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -234,9 +234,21 @@ The default is not to require multiple authentication; successful completion
 of a single authentication method is sufficient.
 .It Cm AuthorizedKeysCommand
 Specifies a program to be used to look up the user's public keys.
-The program must be owned by root and not writable by group or others.
+The program must be owned by root, not writable by group or others and
-It will be invoked with a single argument of the username
+specified by an absolute path.
-being authenticated, and should produce on standard output zero or
+.Pp
+Arguments to
+.Cm AuthorizedKeysCommand
+may be provided using the following tokens, which will be expanded
+at runtime: %% is replaced by a literal '%', %u is replaced by the
+username being authenticated, %h is replaced by the home directory
+of the user being authenticated, %t is replaced with the key type
+offered for authentication, %f is replaced with the fingerprint of
+the key, and %k is replaced with the key being offered for authentication.
+If no arguments are specified then the username of the target user
+will be supplied.
+.Pp
+The program should produce on standard output zero or
 more lines of authorized_keys output (see AUTHORIZED_KEYS in
 .Xr sshd 8 ) .
 If a key supplied by AuthorizedKeysCommand does not successfully authenticate
author	djm@openbsd.org <djm@openbsd.org>	2015-05-21 06:38:35 +0000
committer	Damien Miller <djm@mindrot.org>	2015-05-21 16:44:56 +1000
commit	24232a3e5ab467678a86aa67968bbb915caffed4 (patch)
tree	e81f44adced3d0058b6b6e25ca8dc82a3a5db153 /sshd_config.5
parent	d80fbe41a57c72420c87a628444da16d09d66ca7 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 562dad356..e40ecedef 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.200 2015/04/29 03:48:56 dtucker Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.201 2015/05/21 06:38:35 djm Exp $
37	.Dd $Mdocdate: April 29 2015 $	37	.Dd $Mdocdate: May 21 2015 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -234,9 +234,21 @@ The default is not to require multiple authentication; successful completion
234	of a single authentication method is sufficient.	234	of a single authentication method is sufficient.
235	.It Cm AuthorizedKeysCommand	235	.It Cm AuthorizedKeysCommand
236	Specifies a program to be used to look up the user's public keys.	236	Specifies a program to be used to look up the user's public keys.
237	The program must be owned by root and not writable by group or others.	237	The program must be owned by root, not writable by group or others and
238	It will be invoked with a single argument of the username	238	specified by an absolute path.
239	being authenticated, and should produce on standard output zero or	239	.Pp
		240	Arguments to
		241	.Cm AuthorizedKeysCommand
		242	may be provided using the following tokens, which will be expanded
		243	at runtime: %% is replaced by a literal '%', %u is replaced by the
		244	username being authenticated, %h is replaced by the home directory
		245	of the user being authenticated, %t is replaced with the key type
		246	offered for authentication, %f is replaced with the fingerprint of
		247	the key, and %k is replaced with the key being offered for authentication.
		248	If no arguments are specified then the username of the target user
		249	will be supplied.
		250	.Pp
		251	The program should produce on standard output zero or
240	more lines of authorized_keys output (see AUTHORIZED_KEYS in	252	more lines of authorized_keys output (see AUTHORIZED_KEYS in
241	.Xr sshd 8 ) .	253	.Xr sshd 8 ) .
242	If a key supplied by AuthorizedKeysCommand does not successfully authenticate	254	If a key supplied by AuthorizedKeysCommand does not successfully authenticate