AllowHosts / DenyHosts

Dan Kaminsky dankamin at
Fri Mar 2 02:17:34 EST 2001

> % cat /path/to/isakmpd.policy
> Authorizer: "POLICY"
> licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> Conditions: app_domain == "IPsec policy" &&
>         esp_auth_alg == "hmac-sha" &&
>         esp_present == "yes" -> "true";
> Authorizer: "POLICY"
> Licensees: "passphrase:blafasel"
> Conditions: app_domain == "IPsec policy" && esp_present == "yes"
>         && esp_enc_alg != "null" -> "true";
> and this is really simple.

I believe it should be a federal offense to call anything related to IPSec
"really simple".


Once upon a time, I spec'd out a user interface component that was
essentially "taskbar sorted by application instead of by boot time, with
miniaturized images of windows replacing icons".  Called it minbars, wrapped
it in all this really funky set of UI widgets, and thus spoke what became a
semi-infamous line:  "Now, some documentation is necessary to understand
what you're seeing."

Considering this was a user interface component, that should theoretically
have been self-documenting, the idea that you had to be *told* what that
morass of pixels was; that you couldn't just *see* it, meant I had pretty
much lost any right to call what I had created "simple".

Half the reason I love SSH is because I don't get spontaneous nosebleeds
trying to configure it.  While there are many things we might be able to
learn from IPSec, I *assure* you its configuration burden is *not* one of

Even syntaxwise, our present system scales nicely to express the above rules
as follows:

Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
    ApplicationDomain "IPsec policy"
    EspAuthenticationAlgorithm hmac-sha
    EspRequired yes

Need to select on multiple?

Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
Host 129.210.*.*
    ApplicationDomain "IPsec policy"
    EspAuthenticationAlgorithm hmac-sha
    EspRequired yes

[Licensees must be matched BEFORE conditions may be met; this way you can
chain licensee requirements]

> the parsing and eval is done by libkeynote, so all ssh has to
> do is set the variables (e.g. remote_use, remote_ip, forward_target)
> and call kn_query().

Building library dependancies into SSH is a *really* tough sell.  I don't
*want* SSHD to blow up if libkeynote can't read something.

Show me some seriously cool things I'll be able to do with keynote, that I
*can't* do with our existing,
not-so-fugly-that-we-need-to-pawn-it-off-to-a-library servconf.c...and you
stand a good chance of converting me(for whatever that's worth).

Yours Truly,

    Dan Kaminsky, CISSP

More information about the openssh-unix-dev mailing list