[Bug 1326] Allow non-public-key credentials in authorized_keys file ( Kerberos, etc.)

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Jun 29 08:06:53 EST 2007


Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au>  2007-06-29 08:06:50 ---
(In reply to comment #0)
> At present, the ~/.ssh/authorized_keys file serves two functions:
>   - list RSA or DSA keys that are authorized as login credentials
>   - define policy restrictions (command=, from=, etc.) for each
> Unfortunately, all the wonderful policy restrictions that
> authorized_keys allows are currently only available for public-key
> authentication.

Actually that's no longer the case.  In the most recent versions, the
policy restrictions also available in sshd_config via Match,
ForceCommand, PermitOpen and so on.

You can implement some parts of your example with those, for example:

Match User gssapiuser Host *.blah.com
    GSSAPIAuthentication yes
    PasswordAuthentication yes
    ForceCommand /bin/helpdesk
Hatch User gssapiuser
    GSSAPIAuthentication no
    PasswordAuthentication no
    ForceCommand /bin/helpdesk

would allow the user "gssapiuser" to authenticate using gssapi or
password only from machines in the blah.com domain, and only allow them
to run the /bin/helpdesk program no matter how they authenticated.

Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list