Stay hungry,Stay foolish

0%

openssh AuthorizedKeysCommand使用样例

关于AuthorizedKeysCommand

man sshd_config

服务端配置,用来通过脚本查找用户的公钥

公钥通过标准输出打印,输出需要符合AUTHORIZED_KEYS格式规范: options,key-type,base64-encoded key,comment

最简单的测试

备份公钥存储文件

1
mv ${HOME}.ssh/authorized_keys ${HOME}.ssh/authorized_keys.bak

准备一个/usr/local/etc/test.sh,用来输出公钥

1
2
3
#!/bin/bash

cat ${HOME}.ssh/authorized_keys.bak

变更sshd_config配置并重启sshd服务(同时可以调整日志级别,用来日志查看和验证)

1
2
AuthorizedKeysCommand /usr/local/etc/test.sh
AuthorizedKeysCommandUser root

新建ssh链接测试

auth.log

1
2
3
4
Dec 29 02:13:04 localvm sshd[30468]: debug1: /usr/local/etc/test.sh:1: matching key found: RSA SHA256:wbzp2QGD7AsFUj8R5rXZCFEnzsq7sJX4nwxtA9yrLQQ
Dec 29 02:13:04 localvm sshd[30468]: debug1: /usr/local/etc/test.sh:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Dec 29 02:13:04 localvm sshd[30468]: Accepted key RSA SHA256:wbzp2QGD7AsFUj8R5rXZCFEnzsq7sJX4nwxtA9yrLQQ found at /usr/local/etc/test.sh:1
... ...

查找脚本支持的tokens

AuthorizedKeysCommand 指定的脚本可接受的tokens %%, %f, %h, %k, %t, and %u

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
TOKENS
Arguments to some keywords can make use of tokens, which are expanded at runtime:

%% A literal ‘%’.
%F The fingerprint of the CA key.
%f The fingerprint of the key or certificate.
%h The home directory of the user.
%i The key ID in the certificate.
%K The base64-encoded CA key.
%k The base64-encoded key or certificate for authentication.
%s The serial number of the certificate.
%T The type of the CA key.
%t The key or certificate type.
%u The username.

AuthorizedKeysCommand accepts the tokens %%, %f, %h, %k, %t, and %u.

测试样例:

修改sshd_config

1
2
AuthorizedKeysCommand /usr/local/etc/test.sh %t %k %f %u %h
AuthorizedKeysCommandUser root

修改/usr/local/etc/test.sh如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#!/bin/bash

__KEYTYPE=$1
__KEY=$2
__FINGER=$3
__USER=$4
__HOME=$5
echo "__KEYTYPE:$__KEYTYPE" > /tmp/test1
echo "__KEY:$__KEY" >> /tmp/test1
echo "__FINGER:$__FINGER" >> /tmp/test1
echo "__USER:$__USER" >> /tmp/test1
echo "__HOME:$__HOME" >> /tmp/test1

cat ${HOME}/.ssh/authorized_keys.bak

重启sshd服务并新建登录查看

cat /tmp/test1

1
2
3
4
5
6
localvm ~ # cat /tmp/test1
__KEYTYPE:ssh-rsa
__KEY:AAAAB3NzaC2yc2EAAAABJQAAAIEAgnr3kLfKJZEkB1J7I4TsSeU+Wbxbsymd9cGsC6mx2fGeL5RGquALx2EId9ArU+puPNatC6TgxOQ/KCegQ0fnlRJdbWydLl//BQK4Vif+vf1FSp+3sgp1jtbF90L7TrcOtgx/G3+3Ejz4CTOcUNleGYX82BTKA46mkNwwwApgXEc=
__FINGER:SHA256:wbzp2QGD7AsFUj8R5rXZCFEnzsq7sJX4nwxtA9yrLWW
__USER:root
__HOME:/root

在脚本中可以通过tokens作一定逻辑处理

1
2
3
4
5
6
7
8
case "$1" in 
testuser)
curl ... ...
;;
*)
cat ${HOME}/.ssh/test
;;
esac

  • AuthorizedKeysFile AuthorizedKeysCommand 验证顺序可能会有不同
  • man 手册在最新版本V8中有滞后
1
2
3
4
5
6
7
8
9
10
commit 44ae009a0112081d0d541aeaa90088bedb6f21ce
Author: djm@openbsd.org <djm@openbsd.org>
Date: Fri Apr 17 04:27:03 2020 +0000

upstream: auth2-pubkey r1.89 changed the order of operations to

checking AuthorizedKeysFile first and falling back to AuthorizedKeysCommand
if no key was found in a file. Document this order here; bz3134

OpenBSD-Commit-ID: afce0872cbfcfc1d4910ad7722e50f792a1dce12

git tag –contains ‘44ae009a0112081d0d541aeaa90088bedb6f21ce’

1
2
V_8_3_P1
V_8_4_P1