[Bug 1326] New: Allow non-public-key credentials in authorized_keys file ( Kerberos, etc.)

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Jun 29 07:12:40 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1326

           Summary: Allow non-public-key credentials in authorized_keys file
                    (Kerberos, etc.)
           Product: Portable OpenSSH
           Version: 4.4p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Kerberos support
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: Markus.Kuhn at cl.cam.ac.uk


At present, the ~/.ssh/authorized_keys file serves two functions:

  - list RSA or DSA keys that are authorized as login credentials

  - define policy restrictions (command=, from=, etc.) for each

Unfortunately, all the wonderful policy restrictions that
authorized_keys allows are currently only available for public-key
authentication. It would be extremely useful if authorized_keys
also supported other authentication methods supported by ssh, not
just ssh-rsa and ssh-dsa, so that these can also be restricted with
policy options such as command, from, etc.

Most importantly, it should be possible to name and restrict a
GSSAPI/Kerberos principal in an authorized_keys file. Example:

from="*.bla.com" ssh-rsa AAAAB3NzaC1yc2EAAAA....
from="*.bla.com" ssh-gssapi johndoe at bla.com
from="*.bla.com" ssh-md5password fa45c39ad35d1efa635916459dac4bed
command="/bin/helpdesk" ssh-md5password 163fa56fade48646fa4562ecb6b7901

The authorized_keys file could even be renamed to
authorized_credentials, to reflect that it is a list of credentials
that are authorized for login, which includes, but is not restricted
to, RSA and DSA keys.

For Kerberos logins, the extended syntax of the authorized_keys file
that I propose would allow me to list authorized Kerberos principals
whose name is not identical to the local user name, just as with RSA
or DSA there is no need for the login names to be identical on the ssh
client and server side.
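The proposed syntax above, as an added example that is not part of the report or of OpenSSH: a small Python parser for authorized_keys-style entries that applies the from= and command= policy options to whichever credential type an entry names. The type names ssh-gssapi and ssh-md5password are the report's hypothetical proposals, the sample entries are constructed, and negated from= patterns and backslash escapes inside quotes are not handled.

```python
import fnmatch
import hmac

# Types OpenSSH accepts plus the report's proposed (hypothetical) "ssh-gssapi" and "ssh-md5password".
KNOWN_TYPES = {"ssh-rsa", "ssh-dss", "ssh-gssapi", "ssh-md5password"}

# Constructed sample in the report's proposed syntax (placeholder key blob and digest).
SAMPLE = """from="*.bla.com" ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY
from="*.bla.com" ssh-gssapi johndoe@bla.com
command="/bin/helpdesk",no-pty ssh-md5password 0123456789abcdef0123456789abcdef
"""

def parse_entry(line):
    """Parse one line into (options, cred_type, credential); None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, raw, cur, quoted, i = {}, [], "", False, 0
    if line.split(None, 1)[0] not in KNOWN_TYPES:  # a leading options field is present
        while i < len(line) and (quoted or not line[i].isspace()):  # ends at unquoted whitespace
            if line[i] == '"':
                quoted = not quoted
            elif line[i] == "," and not quoted:
                raw, cur = raw + [cur], ""
            else:
                cur += line[i]
            i += 1
        if quoted:
            raise ValueError("unterminated quote in options field")
        for name, _, value in (opt.partition("=") for opt in raw + [cur]):
            options[name.lower()] = value or True  # flag options (no '=') become True
    parts = line[i:].split(None, 2)
    if len(parts) < 2 or parts[0] not in KNOWN_TYPES:
        raise ValueError("unrecognised credential type in: " + line)
    return options, parts[0], parts[1]

def host_allowed(patterns, host):
    """from= check: the client host must match one of the comma-separated glob patterns."""
    return any(fnmatch.fnmatchcase(host, pat) for pat in patterns.split(","))

def authorize(text, cred_type, credential, client_host):
    """Policy options of the first entry accepting the presented credential, else None."""
    for options, etype, value in filter(None, map(parse_entry, text.splitlines())):
        # constant-time compare so the password-digest variant does not leak via timing
        if etype != cred_type or not hmac.compare_digest(value, credential):
            continue
        if "from" in options and not host_allowed(options["from"], client_host):
            continue
        return options
    return None
```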

