[Bug 3440] New: RFE: be able to use "Match exec" on SSHD server side

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jun 3 21:02:48 AEST 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3440

            Bug ID: 3440
           Summary: RFE: be able to use "Match exec" on SSHD server side
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: rmetrich at redhat.com

We have customers at Red Hat wanting to have a different SSHD
configuration snippet based on the user's name (e.g. to force
keyboard-interactive authentication when the user is "LLNNNNN" (L =
letter, N = digit)).

The "User" token pattern matching isn't smart enough to filter this
kind of "LLNNNNN" pattern.

IMHO this requires having the possibility to use the "exec" token in a
Match stanza on the server side, but this isn't possible for now:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Match   Introduces a conditional block. [...]

        The arguments to Match are one or more criteria-pattern pairs or the
        single token All which matches all criteria.  The available criteria
        are User, Group, Host, LocalAddress, LocalPort, RDomain, and Address
        (with RDomain representing the rdomain(4) on which the connection was
        received).
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Allowing the use of "exec" would make a great many customizations
possible.

Additionally, there is no simple workaround available for now: it
requires having multiple SSHD instances, one for "normal users" and one
for "LLNNNNN" users, but this isn't enough; it also requires crafting a
PAM module to prohibit the "LLNNNNN" users from connecting through the
"normal users" instance, which makes the workaround difficult to
implement.

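The report's claim that "Match User" globbing cannot express an LLNNNNN rule is easy to verify by modelling the matcher. The Python below is an added illustration written for this page, not code from OpenSSH or from the reporter: it re-implements the pattern semantics documented in the PATTERNS section of sshd_config(5) ('*' matches zero or more characters, '?' exactly one, a leading '!' negates a list entry, no character classes) and compares the closest expressible glob, "???????", against the regular expression the requester actually needs. The function names, the sample user names and the choice to accept both upper- and lower-case letters as "L" are assumptions made for the example.

```python
"""Model of the pattern matching behind sshd_config(5) "Match User".

sshd patterns support only '*' (zero or more characters) and '?' (exactly
one character); a comma-separated pattern list may negate an entry with a
leading '!'.  There are no character classes, so "two letters followed by
five digits" (the LLNNNNN rule from bug 3440) cannot be written as a Match
pattern.  This is an illustrative re-implementation written for this page,
not OpenSSH's own match.c.
"""
import re


def match_pattern(s: str, pattern: str) -> bool:
    """Glob match with '*' and '?' only; case-sensitive, as sshd treats User."""
    if not pattern:
        return s == ""
    head, rest = pattern[0], pattern[1:]
    if head == "*":
        # '*' may absorb any prefix of s, including the empty prefix.
        return any(match_pattern(s[k:], rest) for k in range(len(s) + 1))
    if not s:
        return False
    if head == "?" or head == s[0]:
        return match_pattern(s[1:], rest)
    return False


def match_pattern_list(s: str, pattern_list: str) -> bool:
    """Comma-separated list; a matching '!'-entry anywhere vetoes the whole list."""
    got_positive = False
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if match_pattern(s, sub):
            if negated:
                return False
            got_positive = True
    return got_positive


# What the requester actually wants: two letters followed by five digits.
# Assumption for this example: "letter" means either case.
LLNNNNN = re.compile(r"^[A-Za-z]{2}[0-9]{5}$")


def is_llnnnnn(user: str) -> bool:
    """True only for LLNNNNN user names (e.g. AB12345)."""
    return LLNNNNN.fullmatch(user) is not None


# The closest rule sshd_config can express: any seven-character user name.
CLOSEST_GLOB = "???????"


def compare(users):
    """Return {user: (matches_closest_glob, matches_llnnnnn)} to expose the over-match."""
    return {u: (match_pattern_list(u, CLOSEST_GLOB), is_llnnnnn(u)) for u in users}


if __name__ == "__main__":
    # Constructed sample user names for the demonstration.
    sample = ["AB12345", "ABCDEFG", "1234567", "alice"]
    for user, (glob_hit, regex_hit) in compare(sample).items():
        print(f"{user:10} Match User {CLOSEST_GLOB}: {glob_hit!s:5}  LLNNNNN: {regex_hit}")
```

Running it shows "ABCDEFG" and "1234567" are accepted by "Match User ???????" along with "AB12345", so a Match block keyed on that glob would force keyboard-interactive authentication on every seven-character account, not just the LLNNNNN ones. The negation form ("!root,*") is the only extra expressiveness the pattern list offers, and it does not help here either.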