3.01 KB
Newer Older
Scott Duckworth committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
django-sshkey lets you use a patched OpenSSH server to authenticate incoming
SSH connections via public key authentication and identify the Django User that
owns that key.

# The OpenSSH Patch

At the top level of this repository is a patch for OpenSSH 6.2p2 which modifies
the AuthorizedKeysCommand config option so that the incoming SSH public key is
passed to the command via standard input.  The incoming username will still be
passed as the first argument to the specified command.

# The Django app

The Django app is located in the sshkey directory at the top level of this
repository.  You should point Django to it in your project's or
copy it into your project's directory.

In order to associate an incoming public key with a user you must define
19 20 21
SSHKEY\_AUTHORIZED\_KEYS\_OPTIONS in your project's  This should
be a string containing options accepted by sshd, with "{username}" being
replaced with the username of the user associated with the incoming public key.
Scott Duckworth committed
22 23

For instance:

> SSHKEY\_AUTHORIZED\_KEYS\_OPTIONS = 'command="my-command {username}",no-pty'

Scott Duckworth committed
27 28
in will cause keys produced by the below commands to look similar

> command="my-command fred",no-pty ssh-rsa BLAHBLAHBLAH
31 32

assuming the key "BLAHBLAHBLAH" is owned by fred.
Scott Duckworth committed
33 34 35 36 37 38

## URL Configuration

This text assumes that your Django project's maps sshkey.urls into the
url namespace as follows:

39 40 41 42 43
> urlpatterns = patterns('',
>   ...
>   url('^sshkey/', include(sshkey.urls)),
>   ...
> )
Scott Duckworth committed
44 45 46 47 48 49 50 51 52 53

You will need to adjust your URLs if you use a different mapping.

# Tying OpenSSH's AuthorizedKeysCommand to the sshkey Django app

There are three provided ways of connecting AuthorizedKeysCommand to Django.
In all cases it is recommended and/or required that the command specified with
AuthorizedKeysCommand be a shell script that is owned by and only writable by
root which invokes one of the commands below:

## Using
Scott Duckworth committed

Scott Duckworth committed
57 58 59 60 61 62 63 64 65 66 67 68 69 70 71

URL should be the full URL to /sshkey/lookup on your Django web server running
the sshkey app.

If USERNAME is specified, lookup keys owned by that user and print them to
standard output. Any standard input is ignored.

If USERNAME is not specified, the incoming public key should be provided on
standard input; if the key is found it is printed to standard output.

This command assumes that some fairly standard commands, like ssh-keygen and
curl, are found in $PATH.

This is generally the fastest method.

72 73 74
## Using

Scott Duckworth committed
75 76 77 78

Same as above, but it's all written in Python and doesn't rely on external

79 80
The parent directory of the sshkey app must be in PYTHONPATH.

Scott Duckworth committed
81 82
This is generally the second fastest method.

## Using sshkey\_authorized\_keys\_command
Scott Duckworth committed

*Usage: PATH\_TO\_DJANGO\_PROJECT/ sshkey\_authorized\_keys\_command [USERNAME]*
Scott Duckworth committed
86 87 88 89 90 91 92

Same semantics for USERNAME as above.

This method does not rely on the /sshkey/lookup URL, and instead creates its
own database connection each time it is invoked.

This is generally the slowest method.