[Bug 1326] Allow non-public-key credentials in authorized_keys file (Kerberos, etc.)
bugzilla-daemon at bugzilla.mindrot.org
Fri Jun 29 08:06:53 EST 2007
http://bugzilla.mindrot.org/show_bug.cgi?id=1326
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2007-06-29 08:06:50 ---
(In reply to comment #0)
> At present, the ~/.ssh/authorized_keys file serves two functions:
>
> - list RSA or DSA keys that are authorized as login credentials
>
> - define policy restrictions (command=, from=, etc.) for each
>
> Unfortunately, all the wonderful policy restrictions that
> authorized_keys allows are currently only available for public-key
> authentication.

Actually that's no longer the case. In the most recent versions, the
policy restrictions are also available in sshd_config via Match,
ForceCommand, PermitOpen and so on.

You can implement some parts of your example with those, for example:

    Match User gssapiuser Host *.blah.com
        GSSAPIAuthentication yes
        PasswordAuthentication yes
        ForceCommand /bin/helpdesk
    Match User gssapiuser
        GSSAPIAuthentication no
        PasswordAuthentication no
        ForceCommand /bin/helpdesk

would allow the user "gssapiuser" to authenticate using gssapi or
password only from machines in the blah.com domain, and only allow them
to run the /bin/helpdesk program no matter how they authenticated.
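
The two Match blocks above only behave as described because of their order. As an added example (not part of the original comment and not OpenSSH code), this simplified Python model applies the "first obtained value will be used" rule from sshd_config(5) to them. The hostnames passed in are constructed, only User and Host criteria are modelled, and fnmatch stands in for sshd's own pattern matching.

```python
"""Added example: simplified model of how sshd resolves Match blocks."""
from fnmatch import fnmatchcase

# The two blocks from the comment, in the order given there.
CONFIG = """\
Match User gssapiuser Host *.blah.com
    GSSAPIAuthentication yes
    PasswordAuthentication yes
    ForceCommand /bin/helpdesk
Match User gssapiuser
    GSSAPIAuthentication no
    PasswordAuthentication no
    ForceCommand /bin/helpdesk
"""

def parse(text):
    """Return [(criteria, [(keyword, value), ...]), ...], one entry per Match block."""
    blocks = []
    for raw in text.splitlines():
        words = raw.split(None, 1)
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        arg = words[1].strip() if len(words) > 1 else ""
        if key == "match":
            toks = arg.split()
            crit = {k.lower(): v for k, v in zip(toks[0::2], toks[1::2])}
            blocks.append((crit, []))
        elif blocks:  # global (pre-Match) settings are out of scope here
            blocks[-1][1].append((key, arg))
    return blocks

def effective(text, user, host):
    """Settings taken from Match blocks: the first value seen per keyword wins."""
    result = {}
    for crit, settings in parse(text):
        ok_user = "user" not in crit or fnmatchcase(user, crit["user"])
        ok_host = "host" not in crit or fnmatchcase(host.lower(), crit["host"].lower())
        if ok_user and ok_host:
            for key, value in settings:
                result.setdefault(key, value)  # later blocks cannot override
    return result

def swapped(text):
    """The same two blocks with the broad 'Match User' block placed first."""
    lines = text.splitlines(keepends=True)
    return "".join(lines[4:] + lines[:4])
```

With the blocks swapped, the broad "Match User gssapiuser" block is obtained first and disables both methods even for blah.com hosts. On a real server, `sshd -T -C user=gssapiuser,host=pc1.blah.com,addr=192.0.2.10` (constructed host and address) prints the effective settings for such a connection, and Match Host only sees host names when UseDNS is enabled.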