Hi Andrew!

Take a quick look at the signature for ServerConfig.PublicKeyCallback
<https://godoc.org/golang.org/x/crypto/ssh#ServerConfig>:

    PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)


As you already know, PublicKeyCallback allows you to indicate whether or
not user authentication is successful by returning an error value. The
other return argument, a pointer to a Permissions struct, actually
addresses your use case. The Permissions
<https://godoc.org/golang.org/x/crypto/ssh#Permissions> struct has
CriticalOptions and Extensions properties which are both map[string]string
and can be used to store arbitrary key-value pairs that are looked up
during PublicKeyCallback. Traditionally, PublicKeyCallback would be used to
look up the key in an authorized_keys file for the user where it could
potentially parse out other configuration values such as force-command or
permit-X11-forwarding to modify how the application behaves when the user
uses that specific key which would then be stored in the Permissions
struct. In the same way, we can use the Permissions struct to pass
arbitrary values based on a database lookup (or other mechanism) from the
authentication phase to the application code. Once PublicKeyCallback
successfully completes, the Permissions struct is made available as a
property of the ServerConn
<https://godoc.org/golang.org/x/crypto/ssh#ServerConn> struct returned by
ssh.NewServerConn() for your application code to use.

In your case, you could potentially perform your database lookup of the key
during the PublicKeyCallback and store the resulting data (i.e. account_id,
permission level, etc.) in the Permissions.Extensions map and reference
those values via ServerConn.Permissions.Extensions in your application code.

I hope that helps!

Mark
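
As an added example (not code from this thread or from golang.org/x/crypto/ssh), here is the lookup-at-authentication, check-later pattern described above in plain Go: the callback stores account_id and role in Extensions, and the channel-handling code reads them back instead of touching the key again. It assumes a local PublicKey interface, a Permissions struct with only the Extensions field, and a constructed in-memory map standing in for the real ssh types and the database, so it runs with the standard library alone.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// PublicKey is the one method of ssh.PublicKey used below (assumption: a local
// stand-in so this compiles without golang.org/x/crypto/ssh).
type PublicKey interface{ Marshal() []byte }

// rawKey is a constructed key; a real server receives the client's parsed key.
type rawKey []byte

func (k rawKey) Marshal() []byte { return []byte(k) }

// Permissions mirrors the Extensions field of ssh.Permissions.
type Permissions struct{ Extensions map[string]string }
// keyRecord is one row of the constructed key "database", indexed by fingerprint.
type keyRecord struct{ AccountID, Role string }

// fingerprint formats a key the same way ssh.FingerprintSHA256 does, giving a
// stable printable database key instead of raw wire bytes.
func fingerprint(key PublicKey) string {
	sum := sha256.Sum256(key.Marshal())
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// publicKeyCallback returns a function shaped like ServerConfig.PublicKeyCallback
// (the real one takes ssh.ConnMetadata, whose User() gives the user string). The
// database lookup runs once here; its result reaches the application via Extensions.
func publicKeyCallback(db map[string]keyRecord) func(string, PublicKey) (*Permissions, error) {
	return func(user string, key PublicKey) (*Permissions, error) {
		fp := fingerprint(key)
		rec, ok := db[fp]
		if !ok { // a GitHub-style "accept any key" server would return empty Extensions here
			return nil, fmt.Errorf("user %q: no account for key %s", user, fp)
		}
		return &Permissions{Extensions: map[string]string{
			"account_id": rec.AccountID, "role": rec.Role, "fingerprint": fp,
		}}, nil
	}
}

// canWriteRepo is application code run while handling a channel request: it
// reads ServerConn.Permissions.Extensions rather than querying the key again.
func canWriteRepo(perms *Permissions, repoOwner string) bool {
	if perms == nil { // nil means authentication never populated it: deny
		return false
	}
	return perms.Extensions["account_id"] == repoOwner || perms.Extensions["role"] == "admin"
}
```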


On Sun, Dec 18, 2016 at 5:22 AM <andrewchambe...@gmail.com> wrote:

> I am trying to get access to the public key that was used to authenticate
> an ssh connection (https://godoc.org/golang.org/x/crypto/ssh#ConnMetadata)
> inside the PublicKeyCallback while handling a channel request. I want to be
> able to accept the connection with any public key, but then control some
> application level permissions based on this key later. Is this possible?
> Currently it seems the only information you can access is the User name.
>
> I'm trying to create an auth system similar to github's ssh auth.  I want
> to allow anyone to ssh as a user like g...@github.com then do a database
> lookup on the key that was used to auth later when it tries to access
> something it might not have permission for. With the current API it seems
> like it's only possible to enable or disable permissions based on the
> username, and not the key used.
>
> Thanks for any help
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
