Bug 1409351

Summary: [RFE] sshd_config option to export export principal which was used for .k5login
Product: Red Hat Enterprise Linux 7 Reporter: Chinmay Paradkar <cparadka>
Component: opensshAssignee: Jakub Jelen <jjelen>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.4CC: cparadka, cww, jjelen, kludhwan, mgrepl, nmavrogi, rharwood, riehecky, szidek
Target Milestone: rcKeywords: FutureFeature, Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1654830 (view as bug list) Environment:
Last Closed: 2019-02-11 15:39:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1420851, 1473733, 1477664    

Description Chinmay Paradkar 2017-01-01 06:03:42 UTC 
Business Justification:
It would be nice to have information which principal was used for log in 
via .k5login.   Tools such as gitolite utilize the identity information provided by the login to further delegate specific rights.

Technical requirements:
Can a sshd_config option to export export principal which was used for .k5login be added?

Other information:
Upstream bug report with a few viable patches: https://bugzilla.mindrot.org/show_bug.cgi?id=2063  In particular comment#2 and the associated patch look to be exactly what should work here.
Comment 2 Jakub Jelen 2017-01-02 09:02:32 UTC 
The patch looks good, but I would rather see it accepted upstream before adding another downstream patch to RHEL7.
Comment 3 Pat Riehecky 2017-02-14 16:29:14 UTC 
It doesn't look like anyone upstream is assigned to shepherd the patch into the tree.
Comment 8 Simo Sorce 2019-02-11 15:39:20 UTC 
This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
Comment 12 Jakub Jelen 2019-03-06 08:52:17 UTC 
RHEL7 already contains similar option ExposeAuthenticationMethods, which creates a similar variables SSH_USER_AUTH for PAM and user session if configured. Unfortunately, it is not completely backward compatible with the one in RHEL8, but it should do the job.