From 93c8ede915030c697b9304d5bcd64c2bf58b068c Mon Sep 17 00:00:00 2001 From: "George V. Kouryachy (Fr. Br. George)" Date: Wed, 15 Jan 2014 16:21:22 +0400 Subject: [PATCH] export $SSH_AUTHKEY_FINGERPRINT --- dropbear/dropbear.8 | 12 ++++++++++-- dropbear/runopts.h | 1 + dropbear/session.h | 2 ++ dropbear/svr-authpubkey.c | 1 + dropbear/svr-chansession.c | 3 +++ dropbear/svr-runopts.c | 5 +++++ 6 files changed, 22 insertions(+), 2 deletions(-) diff --git a/dropbear/dropbear.8 b/dropbear/dropbear.8 index 032e4ce..e6f487e 100644 --- a/dropbear/dropbear.8 +++ b/dropbear/dropbear.8 @@ -71,6 +71,10 @@ Use this option to run under TCP/IP servers like inetd, tcpsvd, or tcpserver. In program mode the \-F option is implied, and \-p options are ignored. .TP +.B \-f +Upon succsessful public key authentication, +expose (via $SSH_AUTHKEY_FINGERPRINT) a fingerprint of the key just authenticated. +.TP .B \-P \fIpidfile Specify a pidfile to create when running as a daemon. If not specified, the default is /var/run/dropbear.pid @@ -175,7 +179,11 @@ in this variable. If a shell was requested this is set to an empty value. .TP .B SSH_AUTH_SOCK Set to a forwarded ssh-agent connection. - + +.TP +.B SSH_AUTHKEY_FINGERPRINT +When -f is used, set to a fingerprint of the succsessfully authenticated public key, if any. + .SH NOTES Dropbear only supports SSH protocol version 2. diff --git a/dropbear/runopts.h b/dropbear/runopts.h index 21fc8e5..77e7957 100644 --- a/dropbear/runopts.h +++ b/dropbear/runopts.h @@ -64,6 +64,7 @@ typedef struct svr_runopts { char * bannerfile; + int authkey_fp; int forkbg; int usingsyslog; diff --git a/dropbear/session.h b/dropbear/session.h index 91e306a..71224e6 100644 --- a/dropbear/session.h +++ b/dropbear/session.h 
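Review bot: The new `int authkey_fp;` in svr_runopts carries the same name as the `char *authkey_fp` added to struct sshsession in this patch, although one is a command-line switch and the other is the fingerprint string itself; the later test `ses.authkey_fp !=NULL && svr_opts.authkey_fp` in svr-chansession.c reads as two checks of one thing. Renaming the option field (e.g. to something like `expose_authkey_fp`) across the patch would be cleaner, but at minimum the member should say what it is: `int authkey_fp; /* -f: export the authenticated key's fingerprint as SSH_AUTHKEY_FINGERPRINT */`. The struct definition starts and ends outside the hunk.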
@@ -154,6 +154,8 @@ struct sshsession {
 idle timeout purposes */
+ /*G*//* exposing buffer(s)*/
+ char *authkey_fp; /* sucsessful authentificated key fingerprint (if any)*/
 /* KEX/encryption related */
 struct KEXState kexstate;
 struct key_context *keys;
diff --git a/dropbear/svr-authpubkey.c b/dropbear/svr-authpubkey.c
index 66fe5e5..382bb29 100644
--- a/dropbear/svr-authpubkey.c
+++ b/dropbear/svr-authpubkey.c
@@ -137,6 +137,7 @@ void svr_auth_pubkey() {
 "Pubkey auth succeeded for '%s' with key %s from %s",
 ses.authstate.pw_name, fp, svr_ses.addrstring);
 send_msg_userauth_success();
+ ses.authkey_fp=strdup(fp);
 } else {
 dropbear_log(LOG_WARNING,
 "Pubkey auth bad signature for '%s' with key %s from %s",
diff --git a/dropbear/svr-chansession.c b/dropbear/svr-chansession.c
index dd9ea02..fc3a875 100644
--- a/dropbear/svr-chansession.c
+++ b/dropbear/svr-chansession.c
@@ -917,6 +917,9 @@ static void execchild(void *user_data) {
 addnewvar("HOME", ses.authstate.pw_dir);
 addnewvar("SHELL", get_user_shell());
 addnewvar("PATH", DEFAULT_PATH);
+ if(ses.authkey_fp !=NULL && svr_opts.authkey_fp) {
+ addnewvar("SSH_AUTHKEY_FINGERPRINT",ses.authkey_fp);
+ }
 if (chansess->term != NULL) {
 addnewvar("TERM", chansess->term);
 }
diff --git a/dropbear/svr-runopts.c b/dropbear/svr-runopts.c
index 414cb45..422b8c3 100644
--- a/dropbear/svr-runopts.c
+++ b/dropbear/svr-runopts.c
@@ -59,6 +59,7 @@ static void printhelp(const char * progname) {
 "-R Create hostkeys as required\n"
 #endif
 "-F Don't fork into background\n"
+ "-f Expose session fingerprint via $SSH_AUTHKEY_FINGERPRINT\n"
 #ifdef DISABLE_SYSLOG
 "(Syslog support not compiled in, using stderr)\n"
 #else
@@ -123,6 +124,7 @@ void svr_getopts(int argc, char ** argv) {
 /* see printhelp() for options */
 svr_opts.bannerfile = NULL;
 svr_opts.banner = NULL;
+ svr_opts.authkey_fp = 0;
 svr_opts.forkbg = 1;
 svr_opts.norootlogin = 0;
 svr_opts.noauthpass = 0;
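Review bot: The comment on the new `authkey_fp` member is misspelled and the stray `/*G*//* exposing buffer(s)*/` marker says nothing about ownership; the pointer is filled with `strdup()` in svr-authpubkey.c and is never freed, so it lives until the session process exits. Proposed replacement for both added lines: `char *authkey_fp; /* fingerprint of the public key that authenticated this session; strdup'd in svr_auth_pubkey(), NULL if no pubkey auth happened */`. The NULL test in execchild() presumably relies on `ses` being zero-initialised before authentication runs, which this patch does not show; worth confirming. struct sshsession starts and ends outside the hunk.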
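Review bot: `ses.authkey_fp=strdup(fp);` copies the fingerprint on every successful pubkey authentication even when -f was not given, and uses bare `strdup()` rather than dropbear's m_* allocation wrappers, so an allocation failure is silently turned into "no fingerprint" by the later NULL check instead of being handled like the tree's other allocations. Gate it on the option and use the wrapper: `if (svr_opts.authkey_fp) { ses.authkey_fp = m_strdup(fp); }`. The copy itself is needed, since `fp` is presumably released further down in svr_auth_pubkey(), outside the hunk; the function starts and ends outside the hunk.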
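Review bot: The new condition `if(ses.authkey_fp !=NULL && svr_opts.authkey_fp) {` is formatted unlike the neighbouring `if (chansess->term != NULL) {` and tests the cheap option flag second; `if (svr_opts.authkey_fp && ses.authkey_fp != NULL) {` followed by `addnewvar("SSH_AUTHKEY_FINGERPRINT", ses.authkey_fp);` matches the file's style. Since execchild() presumably runs in the forked child, the variable reaches the user's shell and every subprocess, which is the documented intent; a short comment such as `/* -f: let the session see which key authenticated it */` would tie the code to the man page entry added in this patch. execchild() starts and ends outside the hunk.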
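Review bot: The help line `"-f Expose session fingerprint via $SSH_AUTHKEY_FINGERPRINT\n"` is vaguer than the man page entry in this same patch: what is exported is the fingerprint of the public key that authenticated, and only when pubkey authentication was used. Suggested text: `"-f Export the authenticated public key's fingerprint as $SSH_AUTHKEY_FINGERPRINT\n"`. printhelp() starts and ends outside the hunk.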
@@ -193,6 +195,9 @@ void svr_getopts(int argc, char ** argv) {
 case 'R':
 svr_opts.delay_hostkey = 1;
 break;
+ case 'f':
+ svr_opts.authkey_fp = 1;
+ break;
 case 'F':
 svr_opts.forkbg = 0;
 break;
-- 
1.8.3.4