[PATCH] Public keys options

Frédéric Moulins ffrrrr at gmail.com
Fri May 30 06:21:45 WST 2008


Hello,

please find attached a patch against dropbear-0.51 adding support for
the following public key options in the authorized_keys file
(ENABLE_SVR_PUBKEY_OPTIONS):
* no-port-forwarding
* no-agent-forwarding
* no-X11-forwarding
* no-pty
* command

When the option ENABLE_SVR_PUBKEY_OPTIONS is not defined, options are
just ignored.

The parsing code for the options string comes from OpenSSH.

I couldn't really test the option no-agent-forwarding, I hope it is
correct. It is very similar to the no-X11-forwarding option.

Regards


fred


On Mon, 26 May 2008 08:54:46 +0200
Frédéric Moulins <ffrrrr at gmail.com> wrote:

> Hello,
> 
> please find attached a new patch that allows using the 'command' option
> with public keys in the authorized_keys file.
> 
> This patch includes the one from my previous email:
> On Sun, 25 May 2008 11:50:29 +0200
> Frédéric Moulins <ffrrrr at gmail.com> wrote:
> 
> > Hello,
> > 
> > the following patch allows skipping options of public keys in the
> > authorized_keys file.
> > 
> > The authorized_keys file must still respect:
> > * no whitespace at the beginning of a line.
> > * only one space or tab character between options and algorithm
> > type.
> > 
> > Code has been copied and adapted from OpenSSH function
> > user_key_allowed2 in auth2-pubkey.c.
> > 
> 
> A PubKeyOptions structure is declared in auth.h. It contains the
> same parameters used in OpenSSH that I commented out except
> 'forced_command' that is used. This structure is used under
> ses.authstate.
> 
> A new function 'addpubkeyoptions' in svr-authpubkey.c parses, validates
> and sets options in the session structure. Code has been copied and
> adapted from the parsing function in OpenSSH. It only parses the
> 'command' option for the moment. Any other option will be taken as a bad
> option and invalidate the key. In order to add support for other
> options, you can copy and slightly adapt (mallocS, freeS and gotoS)
> chunks of parsing code from OpenSSH function auth_parse_options in
> auth-options.c.
> 
> What do you think of it?
> Any feedback or suggestions are welcome (malloc/free, structures,
> corner cases,...).
> 
> 
> fred
> 
> PS: the patch is still against dropbear-0.50. Tell me if you prefer a
> patch against the latest development version.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pubkey_options-dropbear-0.51.patch
Type: text/x-patch
Size: 12113 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20080530/49b3a91b/attachment.bin 
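
Added example, not part of the original email or the attached patch, and not Dropbear's or OpenSSH's code: a minimal C parser for the options prefix the thread describes (the five listed options, exactly one space or tab before the key type, and rejection of the key on any unrecognized option). The struct, function names and the sample line in main() are hypothetical.

```c
#include <string.h>
#include <strings.h>

/* Hypothetical names; not Dropbear's PubKeyOptions or OpenSSH's code. */
struct key_opts {
    int no_port_fwd, no_agent_fwd, no_x11_fwd, no_pty;
    char command[256];
};

/* Match a flag option at *p (case-insensitive) and advance past it. */
static int take(const char **p, const char *name) {
    size_t n = strlen(name);
    if (strncasecmp(*p, name, n) != 0) return 0;
    char end = (*p)[n];
    if (end != ',' && end != ' ' && end != '\t') return 0;
    *p += n;
    return 1;
}

/* Parse the options prefix of an authorized_keys line.
 * Returns the offset of the key type, or -1 if the key must be rejected. */
int parse_key_opts(const char *line, struct key_opts *o) {
    const char *p = line;
    memset(o, 0, sizeof(*o));
    for (;;) {
        if (take(&p, "no-port-forwarding")) o->no_port_fwd = 1;
        else if (take(&p, "no-agent-forwarding")) o->no_agent_fwd = 1;
        else if (take(&p, "no-X11-forwarding")) o->no_x11_fwd = 1;
        else if (take(&p, "no-pty")) o->no_pty = 1;
        else if (strncasecmp(p, "command=\"", 9) == 0) {
            size_t i = 0;
            for (p += 9; *p && *p != '"'; p++) {
                if (p[0] == '\\' && p[1] == '"') p++;       /* \" is a literal quote */
                if (i + 1 >= sizeof(o->command)) return -1; /* too long: reject */
                o->command[i++] = *p;
            }
            if (*p++ != '"') return -1;                     /* unterminated quote */
            o->command[i] = '\0';
        } else return -1;                                   /* unknown option: reject key */
        if (*p == ',') { p++; continue; }
        if (*p == ' ' || *p == '\t') return (int)(p + 1 - line);
        return -1;                                          /* junk after an option */
    }
}

int main(void) {
    struct key_opts o;  /* constructed sample line; the key blob is a placeholder */
    int off = parse_key_opts("no-pty,command=\"/bin/date\" ssh-rsa AAAA", &o);
    return !(off > 0 && o.no_pty && strcmp(o.command, "/bin/date") == 0);
}
```

The parser fails closed: an unknown option, an unterminated quote or an over-long command rejects the key rather than silently dropping the restriction.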

