[Bug 2358] New: allow sshd to "redirect" to another local user
bugzilla-daemon at mindrot.org
Sun Feb 22 02:57:11 AEDT 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2358
Bug ID: 2358
Summary: allow sshd to "redirect" to another local user
Product: Portable OpenSSH
Version: 6.7p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: calestyo at scientia.net
Hi.
This request is very close to bug #2357, i.e. it could be very handy to
have it for "vhosting" like use cases in SSH, but I think it may also
be generally useful, which is why I filed it as a separate enhancement
request.
It would be nice if sshd could "redirect" a connection to user foo to
another local user bar, consider roughly the following sshd_config:
    Match User foo
        User bar
Let me bring again my git/gitolite use case as an example where this
could be helpful for vhosting:
    Match User git LocalAddress 11.22.33.44
        User git-a
    Match User git LocalAddress 11.22.33.55
        User git-b
So one would have e.g. two domains, pointing to different IPs, which
however both go to the same physical host (and thus sshd).
In that example it would be desired that the two git/gitolites are
completely separate, i.e. no shared "usernames" (which they implement
via ssh keys), no shared repositories between the two domains and so
on.
Right now, one would need two different user accounts for this, and two
different git/gitolite installations.
But this in turn "breaks" the typical convention of using "git" as the
connecting username.
The above functionality would allow this, basically hiding that there
is actually another user, with different UID, home, etc. being used.
And restricted environments (like gitolite) would really hide this from
the user.
Another possible (non-vhosting related) use case could be that bigger
installations (in terms of users) give their users either aliases for
their logins (e.g. it's often the case that people have multiple email
addresses one being like "christoph.mitterer" and the other being the
account name like "cmitterer" - then people could log in with both)...
or temporary redirects in case the username is changed, e.g. one
marries and "cmitterer" would become "cmueller", then I could log in for
a while with both (and especially all scripts/etc. where the name might
be hardcoded would continue to function for a while, till I migrated
them).
Admittedly, I haven't thought much about any possible security
implications of this - at least at first glance I wouldn't see any.
Cheers,
Chris.
--
You are receiving this mail because:
You are watching the assignee of the bug.