author | djm@openbsd.org <djm@openbsd.org> | 2015-05-21 06:38:35 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-05-21 16:44:56 +1000 |
commit | 24232a3e5ab467678a86aa67968bbb915caffed4 (patch) | |
tree | e81f44adced3d0058b6b6e25ca8dc82a3a5db153 /sshd_config.5 | |
parent | d80fbe41a57c72420c87a628444da16d09d66ca7 (diff) |
upstream commit
support arguments to AuthorizedKeysCommand
bz#2081 loosely based on patch by Sami Hartikainen
feedback and ok markus@
Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 562dad356..e40ecedef 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.200 2015/04/29 03:48:56 dtucker Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.201 2015/05/21 06:38:35 djm Exp $ |
37 | .Dd $Mdocdate: April 29 2015 $ | 37 | .Dd $Mdocdate: May 21 2015 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -234,9 +234,21 @@ The default is not to require multiple authentication; successful completion | |||
234 | of a single authentication method is sufficient. | 234 | of a single authentication method is sufficient. |
235 | .It Cm AuthorizedKeysCommand | 235 | .It Cm AuthorizedKeysCommand |
236 | Specifies a program to be used to look up the user's public keys. | 236 | Specifies a program to be used to look up the user's public keys. |
237 | The program must be owned by root and not writable by group or others. | 237 | The program must be owned by root, not writable by group or others and |
238 | It will be invoked with a single argument of the username | 238 | specified by an absolute path. |
239 | being authenticated, and should produce on standard output zero or | 239 | .Pp |
240 | Arguments to | ||
241 | .Cm AuthorizedKeysCommand | ||
242 | may be provided using the following tokens, which will be expanded | ||
243 | at runtime: %% is replaced by a literal '%', %u is replaced by the | ||
244 | username being authenticated, %h is replaced by the home directory | ||
245 | of the user being authenticated, %t is replaced with the key type | ||
246 | offered for authentication, %f is replaced with the fingerprint of | ||
247 | the key, and %k is replaced with the key being offered for authentication. | ||
248 | If no arguments are specified then the username of the target user | ||
249 | will be supplied. | ||
250 | .Pp | ||
251 | The program should produce on standard output zero or | ||
240 | more lines of authorized_keys output (see AUTHORIZED_KEYS in | 252 | more lines of authorized_keys output (see AUTHORIZED_KEYS in |
241 | .Xr sshd 8 ) . | 253 | .Xr sshd 8 ) . |
242 | If a key supplied by AuthorizedKeysCommand does not successfully authenticate | 254 | If a key supplied by AuthorizedKeysCommand does not successfully authenticate |
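Review bot: The token paragraph added at new lines 240-249 does not say in what form %k and %f are emitted (how the key is encoded, and which hash and encoding the fingerprint uses), so someone writing a lookup helper cannot parse its arguments from the manual alone; suggest stating the output format next to each token. The same paragraph should also say whether each expanded token reaches the program as a single argument or is subject to word splitting, because %u and %h expand to values tied to the account named in the authentication request and helper authors need to know how much quoting or validation falls on them. The sentence "If no arguments are specified then the username of the target user will be supplied" preserves the old behaviour, which is good, but it would read more clearly as "equivalent to specifying %u". Minor style points: the run mixes "replaced by" and "replaced with", and six tokens in one sentence are hard to scan; a .Bl tagged list would match how other enumerations are laid out in mdoc pages.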