AllowHosts / DenyHosts
Markus Friedl
Markus.Friedl at informatik.uni-erlangen.de
Fri Mar 2 01:26:22 EST 2001
On Thu, Mar 01, 2001 at 03:30:42AM -0800, Dan Kaminsky wrote:
> A) Brain Dead Simple

Keynote is used in isakmpd (an IKE daemon for OpenBSD, Linux, etc)
and allows easy specification of policies, e.g.

    % cat /path/to/isakmpd.policy
    Authorizer: "POLICY"
    licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
    Conditions: app_domain == "IPsec policy" &&
                esp_auth_alg == "hmac-sha" &&
                esp_present == "yes" -> "true";

    Authorizer: "POLICY"
    Licensees: "passphrase:blafasel"
    Conditions: app_domain == "IPsec policy" && esp_present == "yes"
                && esp_enc_alg != "null" -> "true";

and this is really simple.
So for openssh I'd like to have
a /etc/sshd_policy per system and a .ssh/policy per user.

> ...doesn't really seem like it'll gain a lot of followers. I mean, I
> thoroughly grant you that I haven't examined Keynote nearly enough to
> dismiss it, and honestly am interested in what you think SSH would get out
> of what might be a very significant amount of code.

the parsing and eval is done by libkeynote, so all ssh has to
do is set the variables (e.g. remote_use, remote_ip, forward_target)
and call kn_query().
-m
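
Added example, not part of the original message and not libkeynote or OpenSSH code: a simplified Python model of how the Conditions fields in the policy above are evaluated against the attributes an application sets before querying. It ignores Licensees and signatures, handles only == and != string tests, and the names parse_conditions and query are made up for illustration.

```python
import re

# Constructed copy of the two Conditions fields from the isakmpd.policy in the message.
POLICY = [
    'app_domain == "IPsec policy" && esp_auth_alg == "hmac-sha" && '
    'esp_present == "yes" -> "true";',
    'app_domain == "IPsec policy" && esp_present == "yes" && '
    'esp_enc_alg != "null" -> "true";',
]
VALUES = ["false", "true"]  # ordered compliance values, lowest first
TEST = re.compile(r'^\s*(\w+)\s*(==|!=)\s*"([^"]*)"\s*$')

def parse_conditions(text):
    """Split 'test && test -> "value";' clauses into ([(attr, op, literal)], value).
    Simplification: literals must not contain ';', '&&' or '->'."""
    clauses = []
    for clause in filter(str.strip, text.split(";")):
        tests, arrow, value = clause.partition("->")
        parsed = []
        for t in tests.split("&&"):
            m = TEST.match(t)
            if not m:
                raise ValueError(f"unsupported test: {t.strip()!r}")
            parsed.append(m.groups())
        # A clause without '-> value' grants the highest value.
        clauses.append((parsed, value.strip().strip('"') if arrow else VALUES[-1]))
    return clauses

def query(policy, action):
    """Return the highest value any assertion grants; the default is the lowest."""
    best = 0
    for conditions in policy:
        for tests, value in parse_conditions(conditions):
            # Unset attributes compare as the empty string: '==' tests fail on
            # them, but '!=' tests succeed.
            if all((action.get(a, "") == lit) == (op == "==") for a, op, lit in tests):
                best = max(best, VALUES.index(value))
    return VALUES[best]

if __name__ == "__main__":
    # Constructed action attribute sets, as the application would set them.
    weak = {"app_domain": "IPsec policy", "esp_present": "yes",
            "esp_auth_alg": "hmac-md5", "esp_enc_alg": "null"}
    unset = {"app_domain": "IPsec policy", "esp_present": "yes"}
    print(query(POLICY, weak))   # both assertions fail
    print(query(POLICY, unset))  # second assertion passes: "" != "null"
```

The second constructed action shows why negative tests need care: an attribute the application never sets still satisfies a != condition.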