Better Public Key Authentication

[WanzenBug]

Recently openssh received a patch enabling a more flexible use of the AuthorizedKeysCommand option (see this link )

With this option the PublicKey of a user could be stored in a database, indexed by its fingerprint. Not only is this system infinitly more scalable than simply dumping the key into a file, it also enables simple key management on a user to user basis.

[lorenzleutgeb]

Great find, thanks!

Note to self: The important change here is that previous versions only passed the username of the authenticating user to the script set as AuthorizedKeysCommand (we would still have to return all the keys, because everybody logs in as git@...), whereas newer versions understand a format string that can be used to pass the fingerprint alongside the username to enable a lookup.

A reasonable thing to do would be

AuthorizedKeysCommand "%u %f"

#!/bin/bash
# only allow git to be authenticated
if [ "$1" != "git" ]
        exit 1
fi
# retrieve the keys and usernames from Datastore by looking up the fingerprint
# practically there will always be only one matching key,
# but theoretically, fingerprints can collide
key-lookup $2 | while read pair
do
        read name key <<< $pair
        echo "environment=\"GITHUB_USERNAME=$name\" $key"
done