dropbear
Add -U flag for customizing authorized keys file path
commit 078846b77790d30495b9b10106353e0fadca8207
Author: Salvador Fandino [email protected]
Date: Thu Jun 9 16:00:37 2016 +0200
Allow authorized keys inside dirs with the sticky bit set
This allows one, for instance, to run a temporary dropbear server from
the /tmp directory, which is world writeable but typically has the
sticky bit set.
commit 019747328ddd9c173ba5dcf8627680432bcdb156
Author: Salvador Fandino [email protected]
Date: Wed Jun 8 18:15:13 2016 +0200
Add option -U for customizing authorized_keys path
This patch adds support for the new command line flag -U which allows
one to customize the location of the file containing the authorized
keys. This is useful when running several unrelated and isolated SSH
services on one machine, using different sets of authentication keys.
The new -U flag accepts both absolute and relative paths. When a
relative path is used it is appended to the user home directory.
Authentication fails when any intermediate directory between the user
home and the location of the file (both inclusive) is group or world
writeable.
When an absolute directory is given all the ancestor directories are
checked until some common parent between the authorized keys path and
the user home (up to the root directory) is reached.
For instance, if home is '/home/bar', and the authorized keys path
given is '/home/root/.ssh/authorized_keys', the objects checked are
'/home/root/.ssh/authorized_keys', '/home/root/.ssh', '/home/root'
and '/home'.
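The ancestor walk and permission rule described in the commit messages above, as an added sketch in C (not code from this patch or from dropbear). The function names and `MAXP` are hypothetical, paths are assumed to be canonical already (a real check must resolve `..` and symlinks first), and accepting a world-writable directory when its sticky bit is set is an assumed reading of the first commit.

```c
#define _XOPEN_SOURCE 700  /* for S_ISVTX under strict compilers */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define MAXP 512  /* hypothetical buffer size for this sketch */

/* 1 if dir is home itself, an ancestor of home, or the root directory. */
static int is_self_or_ancestor(const char *dir, const char *home) {
    size_t n = strlen(dir);
    if (strcmp(dir, "/") == 0) return 1;
    return strncmp(home, dir, n) == 0 && (home[n] == '\0' || home[n] == '/');
}

/* Fill out[] with the objects to check, key file first. Returns the count,
 * or -1 on overflow. Assumes home is absolute and both paths are already
 * canonical (no "..", "." or doubled slashes). */
int keys_check_list(const char *home, const char *keys, char out[][MAXP], int max) {
    char cur[MAXP], *slash;
    int n = 0;
    int len = (keys[0] == '/') ? snprintf(cur, sizeof cur, "%s", keys)
                               : snprintf(cur, sizeof cur, "%s/%s", home, keys);
    if (len < 0 || len >= MAXP) return -1;
    for (;;) {
        if (n == max) return -1;
        strcpy(out[n++], cur);
        if (is_self_or_ancestor(cur, home)) return n;
        if ((slash = strrchr(cur, '/')) == NULL) return -1;
        if (slash == cur) cur[1] = '\0';  /* parent is the root directory */
        else *slash = '\0';
    }
}

/* Assumed reading of the two commits: group- or world-writable is refused,
 * except for a directory that has the sticky bit set (such as /tmp). */
int mode_acceptable(mode_t m) {
    if (!(m & (S_IWGRP | S_IWOTH))) return 1;
    return S_ISDIR(m) && (m & S_ISVTX) != 0;
}

/* 1 only if every listed object exists and passes mode_acceptable(). */
int keys_path_ok(const char *home, const char *keys) {
    char list[32][MAXP];
    struct stat st;
    int n = keys_check_list(home, keys, list, 32);
    if (n < 0) return 0;
    for (int i = 0; i < n; i++)
        if (stat(list[i], &st) != 0 || !mode_acceptable(st.st_mode)) return 0;
    return 1;
}
```

For the commit message's own example (home `/home/bar`, keys at `/home/root/.ssh/authorized_keys`), `keys_check_list` yields the same four objects the message lists, ending at `/home`.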
@mkj did you have any thoughts on this?
Interest arises because we'd like to be able to run rootless with the following file locations set at compile time (using the same convention as `DROPBEAR_DEFAULT_CLI_AUTHKEY`; if not starting with '/', then is relative to `$(whoami)`'s `$HOME`):
- [x] `*_PRIV_FILENAME`
- [x] `DROPBEAR_PIDFILE` (compiled default)
- [x] `SFTPSERVER_PATH`
On reflection we don't need XDG knowledge built in. ~~Related and more general: It would be useful if the XDG convention shell environment variables were respected:~~
* ~~${XDG_CACHE_HOME}~~
* ~~${XDG_CONFIG_HOME}~~
* ~~${XDG_DATA_HOME}~~
* ~~${XDG_RUNTIME_DIR}~~

~~Thoughts?~~