[Bug 2696] New: Allow to restrict access to service using authentication indicators

bugzilla-daemon at bugzilla.mindrot.org
Wed Mar 22 01:12:40 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2696

            Bug ID: 2696
           Summary: Allow to restrict access to service using
                    authentication indicators
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Keywords: patch
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2965
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2965&action=edit
allow specify auth-indicators

Kerberos 1.14 introduced authentication indicators [1], which allow us
to distinguish the methods used to acquire a specific Kerberos token.

This policy can be specified either on the KDC side (you will not be
granted a ticket for the SSH service) or on the side of the service (as
implemented here).

The authentication indicators are exposed to the service as named
attributes and are therefore simply accessible. This change also implements
a new configuration option, GSSAPIRequiredAuthIndicators, which allows
specifying a space-separated list of indicators that are eligible to access
this service.

[1] https://k5wiki.kerberos.org/wiki/Projects/Authentication_indicator
