[openssh-commits] [openssh] 06/17: upstream: ssh-add side of destination constraints

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Dec 20 09:28:31 AEDT 2021


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit ce943912df812c573a33d00bf9e5435b7fcca3f7
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Dec 19 22:11:06 2021 +0000

    upstream: ssh-add side of destination constraints
    
    Have ssh-add accept a list of "destination constraints" that allow
    restricting where keys may be used in conjunction with a ssh-agent/ssh
    that supports session ID/hostkey binding.
    
    Constraints are specified as either "[user@]host-pattern" or
    "host-pattern>[user@]host-pattern".
    
    The first form permits a key to be used to authenticate as the
    specified user to the specified host.
    
    The second form permits a key that has previously been permitted
    for use at a host to be available via a forwarded agent to an
    additional host.
    
    For example, constraining a key with "user1@host_a" and
    "host_a>host_b" would permit authentication as "user1" at
    "host_a", and allow the key to be available on an agent forwarded
    to "host_a" only for authentication to "host_b". The key would not
    be visible on an agent forwarded to other hosts or usable for
    authentication there.
    
    Internally, destination constraints use host keys to identify hosts.
    The host patterns are used to obtain lists of host keys for that
    destination that are communicated to the agent. The user/hostkeys are
    encoded using a new restrict-destination-v00@openssh.com key
    constraint.
    
    Host keys are looked up in the default client user/system known_hosts
    files. It is possible to override this set on the command-line.
    
    feedback Jann Horn & markus@
    ok markus@
    
    OpenBSD-Commit-ID: 6b52cd2b637f3d29ef543f0ce532a2bce6d86af5
---
 .skipped-commit-ids | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.skipped-commit-ids b/.skipped-commit-ids
index 1de78172..c606eaee 100644
--- a/.skipped-commit-ids
+++ b/.skipped-commit-ids
@@ -23,6 +23,7 @@ d9b910e412d139141b072a905e66714870c38ac0	Makefile.inc
 07b5031e9f49f2b69ac5e85b8da4fc9e393992a0	Makefile.inc
 cc12a9029833d222043aecd252d654965c351a69	moduli-gen Makefile
 7ac6c252d2a5be8fbad4c66d9d35db507c9dac5b	moduli update
+6b52cd2b637f3d29ef543f0ce532a2bce6d86af5	makefile change
 
 Old upstream tree:
 
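Review bot: the description on the added .skipped-commit-ids line, "makefile change", does not match the commit it identifies. 6b52cd2b637f3d29ef543f0ce532a2bce6d86af5 is the OpenBSD-Commit-ID given in this commit's own message, which describes the ssh-add destination-constraints feature, while the diffstat here shows only this one-line insertion. Someone auditing the skip list would read the entry as the whole upstream commit being omitted; if only a Makefile portion of it is skipped, the description should say which part, in the same way the neighbouring "Makefile.inc" and "moduli-gen Makefile" entries name the file concerned.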

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
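The hop rules from the commit message above, as an added Python model that is not OpenSSH code and not part of the original email. Assumptions: host names stand in for the host keys the agent really compares, `fnmatchcase` stands in for OpenSSH host-pattern matching, and the user is checked only on the final hop.

```python
from fnmatch import fnmatchcase

ORIGIN = ""  # hypothetical marker for the machine the agent runs on


def parse_constraint(spec):
    """Split '[user@]host-pattern' or 'host-pattern>[user@]host-pattern'
    into (from_pattern, user, to_pattern); user is None when omitted."""
    src, sep, dest = spec.rpartition(">")
    if sep and (not src or "@" in src or ">" in src):
        raise ValueError(f"bad source host in {spec!r}")
    user, at, host = dest.rpartition("@")
    if not host or (at and not user):
        raise ValueError(f"bad destination in {spec!r}")
    return (src if sep else ORIGIN), (user if at else None), host


def hop_allowed(constraints, src, dest, user=None):
    """True if one constraint permits the hop src -> dest (and user, if given)."""
    for c_src, c_user, c_dest in constraints:
        if c_src == ORIGIN:
            src_ok = src == ORIGIN          # first form: direct from the origin
        else:
            src_ok = src != ORIGIN and fnmatchcase(src, c_src)
        user_ok = user is None or c_user is None or user == c_user
        if src_ok and user_ok and fnmatchcase(dest, c_dest):
            return True
    return False


def key_usable(specs, path, user):
    """path lists the hosts the agent was forwarded through, ending with the
    host being authenticated to; every hop must be permitted."""
    constraints = [parse_constraint(s) for s in specs]
    hops = list(zip([ORIGIN] + path[:-1], path))
    last = len(hops) - 1
    return bool(hops) and all(
        hop_allowed(constraints, s, d, user if i == last else None)
        for i, (s, d) in enumerate(hops))


if __name__ == "__main__":
    # Constraint set taken from the example in the commit message.
    specs = ["user1@host_a", "host_a>host_b"]
    for path, user in ([["host_a"], "user1"], [["host_a", "host_b"], "user1"],
                       [["host_a", "host_c"], "user1"], [["host_b"], "user1"]):
        print(" -> ".join(["origin"] + path), user, key_usable(specs, path, user))
```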

