diff options
-rw-r--r-- | auth2-pubkey.c | 6 | ||||
-rw-r--r-- | sshd_config.5 | 18 |
2 files changed, 15 insertions, 9 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index a08354c7e..cc5466613 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-pubkey.c,v 1.57 2016/09/14 20:11:26 djm Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.58 2016/09/21 01:34:45 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -639,6 +639,7 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key) | |||
639 | pid_t pid; | 639 | pid_t pid; |
640 | char *tmp, *username = NULL, *command = NULL, **av = NULL; | 640 | char *tmp, *username = NULL, *command = NULL, **av = NULL; |
641 | char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL; | 641 | char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL; |
642 | char serial_s[16]; | ||
642 | void (*osigchld)(int); | 643 | void (*osigchld)(int); |
643 | 644 | ||
644 | if (options.authorized_principals_command == NULL) | 645 | if (options.authorized_principals_command == NULL) |
@@ -694,6 +695,7 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key) | |||
694 | error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); | 695 | error("%s: sshkey_to_base64 failed: %s", __func__, ssh_err(r)); |
695 | goto out; | 696 | goto out; |
696 | } | 697 | } |
698 | snprintf(serial_s, sizeof(serial_s), "%llu", cert->serial); | ||
697 | for (i = 1; i < ac; i++) { | 699 | for (i = 1; i < ac; i++) { |
698 | tmp = percent_expand(av[i], | 700 | tmp = percent_expand(av[i], |
699 | "u", user_pw->pw_name, | 701 | "u", user_pw->pw_name, |
@@ -704,6 +706,8 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key) | |||
704 | "F", ca_fp, | 706 | "F", ca_fp, |
705 | "k", keytext, | 707 | "k", keytext, |
706 | "K", catext, | 708 | "K", catext, |
709 | "i", cert->key_id, | ||
710 | "s", serial_s, | ||
707 | (char *)NULL); | 711 | (char *)NULL); |
708 | if (tmp == NULL) | 712 | if (tmp == NULL) |
709 | fatal("%s: percent_expand failed", __func__); | 713 | fatal("%s: percent_expand failed", __func__); |
diff --git a/sshd_config.5 b/sshd_config.5 index 9e96acf39..dd94b4801 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.232 2016/09/14 05:42:25 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.233 2016/09/21 01:34:45 djm Exp $ |
37 | .Dd $Mdocdate: September 14 2016 $ | 37 | .Dd $Mdocdate: September 21 2016 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -306,14 +306,16 @@ Arguments to | |||
306 | may be provided using the following tokens, which will be expanded | 306 | may be provided using the following tokens, which will be expanded |
307 | at runtime: | 307 | at runtime: |
308 | %% is replaced by a literal '%', | 308 | %% is replaced by a literal '%', |
309 | %u is replaced by the username being authenticated, | ||
310 | %h is replaced by the home directory of the user being authenticated, | ||
311 | %t is replaced with type of the certificate being offered, | ||
312 | %T with the type of the CA key, | ||
313 | %f is replaced with certificate fingerprint, | ||
314 | %F with the fingerprint of the CA key, | 309 | %F with the fingerprint of the CA key, |
315 | %k is replaced with the full base-64 encoded certificate and | 310 | %f is replaced with certificate fingerprint, |
316 | %K is replaced with the base-64 encoded CA key. | 311 | %K is replaced with the base-64 encoded CA key. |
312 | %k is replaced with the full base-64 encoded certificate, | ||
313 | %h is replaced with the home directory of the user being authenticated, | ||
314 | %i is replaced with key ID in the certificate, | ||
315 | %s is replaced with the serial number of the certificate, | ||
316 | %T with the type of the CA key, | ||
317 | %t is replaced with type of the certificate being offered, and | ||
318 | %u is replaced by the username being authenticated, | ||
317 | If no arguments are specified then the username of the target user | 319 | If no arguments are specified then the username of the target user |
318 | will be supplied. | 320 | will be supplied. |
319 | .Pp | 321 | .Pp |