| Summary: | Add support for 'authorized_keys' file to SSH console | | |
|---|---|---|---|
| Product: | [Eclipse Project] Equinox | Reporter: | Gunnar Wagenknecht <gunnar> |
| Component: | Components | Assignee: | Lazar Kirchev <l.kirchev> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | enhancement | | |
| Priority: | P3 | CC: | l.kirchev, Mike_Wilson, pwebster, tjwatson |
| Version: | 3.8.0 Juno | Flags: | l.kirchev: iplog+ |
| Target Milestone: | Juno M7 | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Attachments: | | | |

Description
Gunnar Wagenknecht
I pushed the first attempt here: https://github.com/eclipseguru/rt.equinox.bundles/tree/ssh_authorized_keys

If a system property 'ssh.server.authorized_keys' is specified it may point to a file which contains a list of keys that are allowed to connect to the SSH console. The file will be read every time a connection is made so that it can be modified dynamically at runtime.

The commit to pull is: https://github.com/eclipseguru/rt.equinox.bundles/commit/c182c5bc903bb81e55b01d2797a9d70220dd24e2

I wrote all this code and have the rights to contribute it to Eclipse under the eclipse.org web site terms of use.

(In reply to comment #2)
> The commit to pull is:
> https://github.com/eclipseguru/rt.equinox.bundles/commit/c182c5bc903bb81e55b01d2797a9d70220dd24e2
>
> I wrote all this code and have the rights to contribute it to Eclipse under the
> eclipse.org web site terms of use.

Thanks a lot for the contribution, Gunnar! This certainly will make usage of the ssh easier. I just submitted it to the original project with commit http://git.eclipse.org/c/equinox/rt.equinox.bundles.git/commit/?id=9feee7d4bc2425d1592b49ebd2d91f7964bc5c28 Could you also provide a test for the feature?

Does this now allow login without the jaas stuff?

(In reply to comment #4)
> Does this now allow login without the jaas stuff?

Yes. Currently it accepts anything as username as long as a matching SSH key is specified in the file.

Lazar,

I have two more commits which improve the extensibility of the SSH console.

Any bundle (with sufficient permission) may provide an authenticator by registering an OSGi service. If no specific authorized_keys file is configured (via system property) the OSGi service registry will be searched for available authenticators.

https://github.com/eclipseguru/rt.equinox.bundles/commit/ec7d1c4ae60bdf65ebd53596e8142a27b80c6da5
https://github.com/eclipseguru/rt.equinox.bundles/commit/193b9e948d8d2134bd62b24c751a62f714d8c4b5

Let me know if you have any questions.

(In reply to comment #6)
> Lazar,
>
> I have two more commits which improve the extensibility of the SSH console.
>
> Any bundle (with sufficient permission) may provide an authenticator by
> registering an OSGi service. If no specific authorized_keys file is configured
> (via system property) the OSGi service registry will be searched for available
> authenticators.
>
> https://github.com/eclipseguru/rt.equinox.bundles/commit/ec7d1c4ae60bdf65ebd53596e8142a27b80c6da5
> https://github.com/eclipseguru/rt.equinox.bundles/commit/193b9e948d8d2134bd62b24c751a62f714d8c4b5
>
> Let me know if you have any questions.

Thanks Gunnar,

Contribution submitted with commit http://git.eclipse.org/c/equinox/rt.equinox.bundles.git/commit/?id=f8ceac0dbadd22dc7e587d0bc1cb0505e9fc4a93

Lazar

Currently if no authorized_keys file is specified, the ssh console always searches for registered authenticator services for custom public keys authentication. I changed this behavior so that the console now searches for registered authenticator services only if explicitly specified by setting ssh.custom.publickeys.auth=true. Added with commit http://git.eclipse.org/c/equinox/rt.equinox.bundles.git/commit/?id=b7f03fdfb8b04a9dbe8f40a7e7b5316b17c77801

(In reply to comment #8)
> Currently if no authorized_keys file is specified, the ssh console always
> searches for registered authenticator services for custom public keys
> authentication. I changed this behavior so that the console now searches for
> registered authenticator services only if explicitly specified by setting
> ssh.custom.publickeys.auth=true.

+1

The behavior doesn't need to be enabled by default. Having this optional is a good idea (as we discussed at EclipseCon).

Created attachment 213730 [details]
Patch containing documentation for the fix.

(In reply to comment #10)
> Created attachment 213730 [details]
> Patch containing documentation for the fix.

Tom, could you apply this documentation patch?

(In reply to comment #11)
> (In reply to comment #10)
> > Created attachment 213730 [details]
> > Patch containing documentation for the fix.
>
> Tom, could you apply this documentation patch?

hmmm, unfortunately my id no longer can commit to this repo. I opened a bug with the foundation to get this fixed.

(In reply to comment #11)
> (In reply to comment #10)
> > Created attachment 213730 [details]
> > Patch containing documentation for the fix.
>
> Tom, could you apply this documentation patch?

Done.

http://git.eclipse.org/c/platform/eclipse.platform.common.git/commit/?id=a98ae21883ced8728a00619dfba38a0c89599543

Closing as fixed.
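
The behaviour described in this thread (a keys file named by 'ssh.server.authorized_keys', re-read on every connection, username not checked), sketched as an added example; it is not the Equinox code from the commits above. The class and method names are hypothetical, the presented key is assumed to arrive as its raw SSH key blob, the file is assumed to use the OpenSSH one-key-per-line layout with no spaces inside option fields, and the sample key is constructed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.*;

// Added illustration; AuthorizedKeysCheck, parseLine and isAuthorized are hypothetical names.
public class AuthorizedKeysCheck {
    private static final Set<String> KEY_TYPES = Set.of("ssh-rsa", "ssh-dss", "ssh-ed25519");
    private final Path file;
    AuthorizedKeysCheck(Path file) { this.file = file; }

    // Returns the decoded key blob of one authorized_keys line, or null if the line holds no key.
    static byte[] parseLine(String line) {
        String t = line.trim();
        if (t.isEmpty() || t.startsWith("#")) return null;      // blank line or comment
        String[] f = t.split("\\s+");
        // The key type is field 0, or field 1 when an options field precedes it.
        for (int i = 0; i < 2 && i + 1 < f.length; i++) {
            if (!KEY_TYPES.contains(f[i])) continue;
            try { return Base64.getDecoder().decode(f[i + 1]); }
            catch (IllegalArgumentException e) { return null; } // malformed base64: ignore line
        }
        return null;
    }

    // Reads the file on every call, so an edit (added or revoked key) applies to the next connection.
    boolean isAuthorized(String username, byte[] presentedBlob) {
        List<String> lines;
        try { lines = Files.readAllLines(file, StandardCharsets.UTF_8); }
        catch (IOException e) { return false; }                 // missing or unreadable file: deny
        boolean match = false;
        for (String line : lines) {
            byte[] blob = parseLine(line);
            // username is deliberately unused: any name is accepted when the key matches.
            if (blob != null && MessageDigest.isEqual(blob, presentedBlob)) match = true;
        }
        return match;
    }

    public static void main(String[] args) throws IOException {
        byte[] key = "constructed-sample-key-blob".getBytes(StandardCharsets.UTF_8); // not a real key
        Path f = Files.createTempFile("authorized_keys", null);
        Files.write(f, List.of("# constructed sample",
                "no-pty ssh-rsa " + Base64.getEncoder().encodeToString(key) + " admin@example"));
        System.setProperty("ssh.server.authorized_keys", f.toString());
        AuthorizedKeysCheck c = new AuthorizedKeysCheck(Paths.get(System.getProperty("ssh.server.authorized_keys")));
        System.out.println("key listed:  " + c.isAuthorized("anyone", key));
        Files.write(f, List.of("# key revoked"));               // edit the file at runtime
        System.out.println("key removed: " + c.isAuthorized("anyone", key));
    }
}
```

Because the username plays no part in the decision, every key in the file grants console access under any login name, so write access to that file is equivalent to access to the console.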