Bug 1409351 - [RFE] sshd_config option to export export principal which was used for .k5login
Summary: [RFE] sshd_config option to export export principal which was used for .k5login
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.4
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: BaseOS QE Security Team
Depends On:
Blocks: 1420851 1473733 1477664
TreeView+ depends on / blocked
Reported: 2017-01-01 06:03 UTC by Chinmay Paradkar
Modified: 2019-03-29 06:31 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1654830 (view as bug list)
Last Closed: 2019-02-11 15:39:20 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
OpenSSH Project 2063 None None None 2019-07-23 21:45:10 UTC

Description Chinmay Paradkar 2017-01-01 06:03:42 UTC
Business Justification:
It would be nice to have information which principal was used for log in 
via .k5login.   Tools such as gitolite utilize the identity information provided by the login to further delegate specific rights.

Technical requirements:
Can a sshd_config option to export export principal which was used for .k5login be added?

Other information:
Upstream bug report with a few viable patches: https://bugzilla.mindrot.org/show_bug.cgi?id=2063  In particular comment#2 and the associated patch look to be exactly what should work here.

Comment 2 Jakub Jelen 2017-01-02 09:02:32 UTC
The patch looks good, but I would rather see it accepted upstream before adding another downstream patch to RHEL7.

Comment 3 Pat Riehecky 2017-02-14 16:29:14 UTC
It doesn't look like anyone upstream is assigned to shepherd the patch into the tree.

Comment 8 Simo Sorce 2019-02-11 15:39:20 UTC
This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 12 Jakub Jelen 2019-03-06 08:52:17 UTC
RHEL7 already contains similar option ExposeAuthenticationMethods, which creates a similar variables SSH_USER_AUTH for PAM and user session if configured. Unfortunately, it is not completely backward compatible with the one in RHEL8, but it should do the job.

Note You need to log in before you can comment on or make changes to this bug.