AllowHosts / DenyHosts

Markus Friedl Markus.Friedl at
Fri Mar 2 01:26:22 EST 2001

On Thu, Mar 01, 2001 at 03:30:42AM -0800, Dan Kaminsky wrote:
> A) Brain Dead Simple

Keynote is used in isakmpd (a IKE daemon for OpenBSD, Linux, etc)
and allows easy specification of policies, e.g.

% cat /path/to/isakmpd.policy
Authorizer: "POLICY"
licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
Conditions: app_domain == "IPsec policy" &&
        esp_auth_alg == "hmac-sha" &&
        esp_present == "yes" -> "true";

Authorizer: "POLICY"
Licensees: "passphrase:blafasel"
Conditions: app_domain == "IPsec policy" && esp_present == "yes"
        && esp_enc_alg != "null" -> "true";

and this is really simple.

So for openssh I'd like to have
a /etc/sshd_policy per system and a .ssh/policy per user.

> ...doesn't really seem like it'll gain alot of followers.  I mean, I
> thoroughly grant you that I haven't examined Keynote nearly enough to
> dismiss it, and honestly am interested in what you think SSH would get out
> what might be a very significant amount of code.

the parsing and eval is done by libkeynote, so all ssh has to
do is set the variables (e.g. remote_use, remote_ip, forward_target)
and call kn_query().


More information about the openssh-unix-dev mailing list