Posted to dev@mina.apache.org by Shawn Pearce <so...@google.com> on 2009/01/19 19:37:06 UTC

Re: [SSHD-11] Sharing data between the PublickeyAuthenticator and CommandFactory

On Wed, Dec 31, 2008 at 08:30, Shawn Pearce <so...@google.com> wrote:

> In Gerrit2 I'm authenticating against SSH keys stored in a PostgreSQL
> database.  You can see the authenticator in question at [*1*].  What I
> really want to do is cache the database row's primary key into the
> ServerSession under an application-specific attribute, then retrieve that
> back again later from my Command implementations.
>
> The reason I want to do that is I want to permit ambiguous usernames.
> Right now the username is a full email address, resulting in command lines
> like "ssh you@example.com@server.com".  I want to change the database
> query to match on the local-name part of the email, which may result in more
> than one account's keys being selected from the database if there are
> multiple users with the same local-name part, but different domains.  To
> keep it unambiguous once the authentication is complete, I need the Command
> to know the primary key of the row the authenticator matched.
>
> Yes, I realize I could just query the database for the normalized PublicKey
> encoding rather than by username (as they should be unique), but that still
> doesn't solve my problem of finding out exactly which Account entity that
> PublicKey was associated with inside of a Command implementation.  It also
> doesn't account for people who are still using keys created by the broken
> Debian ssh-keygen.  :-)
>
> SSHD-11 [*2*] proposes a patch to pass the ServerSession into the
> PublickeyAuthenticator, and adds an attribute map to the AbstractSession,
> making it possible for my DatabasePubKeyAuth implementation to store the
> primary key and my Command implementations (which are SessionAware) to pull
> it back out.
>
>
> *1*
> http://android.git.kernel.org/?p=tools/gerrit.git;a=blob;f=appjar/src/main/java/com/google/gerrit/server/ssh/DatabasePubKeyAuth.java;hb=gerrit2
> *2* https://issues.apache.org/jira/browse/SSHD-11
>


Any update about the patch I proposed in SSHD-11 (
https://issues.apache.org/jira/browse/SSHD-11)?

At this point Gerrit2 is very dependent upon its PublickeyAuthenticator and
its CommandFactory being able to share information beyond just the username
supplied by the SSH client.  I've had to import the SSHD project into Git
and start distributing a fork (
http://android.git.kernel.org/?p=tools/mina_sshd.git) so developers working
on Gerrit2 can sync to the same code tree and compile everything.

Gerrit2 is likely to go live this week.  I can't wait any longer for
upstream SSHD to get around to looking at issues.  I'd hate for this to be a
permanent fork in the project, but until something is available in upstream
to share data between the authenticator and the command factory, I have no
choice but to fork the code tree.
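
The sharing pattern requested in the message above, as an added example that is not code from the post, from Apache MINA SSHD, or from Gerrit. `Session`, `Account` and `ACCOUNT_ID` are hypothetical stand-ins for a session with an attribute map, a database row, and the attribute name; the rows are constructed sample data.

```java
import java.security.*;
import java.util.*;

// Added illustration: Session, Account and ACCOUNT_ID are hypothetical
// stand-ins, not Apache MINA SSHD or Gerrit classes.
public class SessionAttributeDemo {
    /** Stand-in for a server session carrying application attributes. */
    static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        void setAttribute(String name, Object value) { attrs.put(name, value); }
        Object getAttribute(String name) { return attrs.get(name); }
    }

    record Account(int id, String email, PublicKey key) {}

    static final String ACCOUNT_ID = "account-id";

    /** Authenticator side: the username is only a local part, so it may match several rows. */
    static boolean authenticate(String user, PublicKey offered, Session s, List<Account> db) {
        for (Account a : db) {
            String local = a.email().substring(0, a.email().indexOf('@'));
            // The offered key, not the username, decides which row is the caller.
            if (local.equals(user) && Arrays.equals(a.key().getEncoded(), offered.getEncoded())) {
                s.setAttribute(ACCOUNT_ID, a.id()); // record exactly which row matched
                return true;
            }
        }
        return false; // nothing stored: the session stays unbound to any account
    }

    /** Command side: use the stored primary key, never re-resolve the ambiguous username. */
    static int accountFor(Session s) {
        Object id = s.getAttribute(ACCOUNT_ID);
        if (id == null) throw new IllegalStateException("session has no authenticated account");
        return (Integer) id;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        PublicKey k1 = g.generateKeyPair().getPublic(), k2 = g.generateKeyPair().getPublic();
        // Constructed sample rows: same local part, different domains.
        List<Account> db = List.of(new Account(7, "you@example.com", k1),
                                   new Account(9, "you@example.org", k2));
        Session s = new Session();
        System.out.println(authenticate("you", k2, s, db) + " -> account " + accountFor(s));
        System.out.println(authenticate("you", g.generateKeyPair().getPublic(), new Session(), db));
    }
}
```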