AllowHosts / DenyHosts
Markus Friedl
Markus.Friedl at informatik.uni-erlangen.de
Fri Mar 2 02:30:42 EST 2001
On Thu, Mar 01, 2001 at 07:17:34AM -0800, Dan Kaminsky wrote:
> > % cat /path/to/isakmpd.policy
> > Authorizer: "POLICY"
> > licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> > Conditions: app_domain == "IPsec policy" &&
> > esp_auth_alg == "hmac-sha" &&
> > esp_present == "yes" -> "true";
> >
> > Authorizer: "POLICY"
> > Licensees: "passphrase:blafasel"
> > Conditions: app_domain == "IPsec policy" && esp_present == "yes"
> > && esp_enc_alg != "null" -> "true";
> >
> > and this is really simple.
>
> I believe it should be a federal offense to call anything related to IPSec
> "really simple".
you miss the point. the example is not about ipsec.
> Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> ApplicationDomain "IPsec policy"
> EspAuthenticationAlgorithm hmac-sha
> EspRequired yes
this only works because the above example uses &&
> Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> Host 129.210.*.*
this won't work with current ssh config.
> ApplicationDomain "IPsec policy"
> EspAuthenticationAlgorithm hmac-sha
> EspRequired yes
>
> [Licensees must be matched BEFORE conditions may be met; this way you can
> chain licensee requirements]
>
> > the parsing and eval is done by libkeynote, so all ssh has to
> > do is set the variables (e.g. remote_use, remote_ip, forward_target)
> > and call kn_query().
>
> Building library dependencies into SSH is a *really* tough sell.
if you want to have complex policies then you will depend on keynote.
if you don't need complex policies, then you don't need keynote.
-m
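As an added illustration (not code from this thread, from OpenSSH or from libkeynote), here is a small Python evaluator for just the subset of KeyNote assertion syntax quoted above. It shows the licensee-first matching the thread discusses, that the conjunctive `&&` conditions are what make a flat per-line config equivalent, and one pitfall worth knowing: an attribute that the caller never set compares as the empty string, so the `esp_enc_alg != "null"` test passes when `esp_enc_alg` is simply missing. The `query()` function is a constructed stand-in for `kn_query()`, not its real API.

```python
import re

# Constructed input: the two assertions quoted in the thread, copied verbatim.
POLICY = '''
Authorizer: "POLICY"
licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
Conditions: app_domain == "IPsec policy" &&
esp_auth_alg == "hmac-sha" &&
esp_present == "yes" -> "true";

Authorizer: "POLICY"
Licensees: "passphrase:blafasel"
Conditions: app_domain == "IPsec policy" && esp_present == "yes"
&& esp_enc_alg != "null" -> "true";
'''
CERT = "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
OK_ENV = {"app_domain": "IPsec policy", "esp_auth_alg": "hmac-sha", "esp_present": "yes"}

def parse_policy(text):
    """Return [(licensee, [(attr, op, value), ...]), ...], one per assertion.
    Only the subset the quoted policy uses is handled: a single quoted
    licensee, a conjunction (&&) of ==/!= string tests, and a "true" result."""
    assertions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lic = re.search(r'licensees:\s*"([^"]*)"', block, re.I)
        cond = re.search(r'conditions:\s*(.*?)\s*->\s*"true"\s*;', block, re.I | re.S)
        if not (lic and cond):
            raise ValueError("unsupported assertion:\n" + block)
        tests = re.findall(r'(\w+)\s*(==|!=)\s*"([^"]*)"', cond.group(1))
        assertions.append((lic.group(1), tests))
    return assertions

def query(policy, requesters, env):
    """Simplified stand-in for kn_query(): an assertion counts only if a
    requesting principal matches its licensee; only then are its conditions
    checked.  As in KeyNote, an attribute missing from the action environment
    compares as the empty string, so a != test passes when it was never set."""
    for licensee, tests in parse_policy(policy):
        if licensee not in requesters:
            continue  # licensee gate comes first, before any condition
        if all((env.get(a, "") == v) == (op == "==") for a, op, v in tests):
            return "true"
    return "false"

if __name__ == "__main__":
    print(query(POLICY, [CERT], OK_ENV))                                  # true
    print(query(POLICY, [CERT], dict(OK_ENV, esp_auth_alg="hmac-md5")))   # false
    # esp_enc_alg unset: "" != "null" holds, so the passphrase rule grants access
    print(query(POLICY, ["passphrase:blafasel"], {"app_domain": "IPsec policy", "esp_present": "yes"}))  # true
```

A real deployment would set `esp_enc_alg` explicitly (or test `== "..."` for the allowed values) rather than rely on `!=` against an attribute that may be absent.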