AllowHosts / DenyHosts

mouring at etoh.eviladmin.org
Fri Mar 2 03:49:14 EST 2001



Can we assume that if one does not need such functionality it will be 
simple enough to do a ./configure --without-keynotes?  From the sounds
of it the answer is yes.


- Ben

On Thu, 1 Mar 2001, Markus Friedl wrote:

> On Thu, Mar 01, 2001 at 07:17:34AM -0800, Dan Kaminsky wrote:
> > > % cat /path/to/isakmpd.policy
> > > Authorizer: "POLICY"
> > > licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> > > Conditions: app_domain == "IPsec policy" &&
> > >         esp_auth_alg == "hmac-sha" &&
> > >         esp_present == "yes" -> "true";
> > >
> > > Authorizer: "POLICY"
> > > Licensees: "passphrase:blafasel"
> > > Conditions: app_domain == "IPsec policy" && esp_present == "yes"
> > >         && esp_enc_alg != "null" -> "true";
> > >
> > > and this is really simple.
> > 
> > I believe it should be a federal offense to call anything related to IPSec
> > "really simple".
> 
> you miss the point. the example is not about ipsec.
> 
> > Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> >     ApplicationDomain "IPsec policy"
> >     EspAuthenticationAlgorithm hmac-sha
> >     EspRequired yes
> 
> this only works because the above example uses &&
> 
> > Certificate "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
> > Host 129.210.*.*
> 
> this won't work with current ssh config.
> 
> >     ApplicationDomain "IPsec policy"
> >     EspAuthenticationAlgorithm hmac-sha
> >     EspRequired yes
> > 
> > [Licensees must be matched BEFORE conditions may be met; this way you can
> > chain licensee requirements]
> > 
> > > the parsing and eval is done by libkeynote, so all ssh has to
> > > do is set the variables (e.g. remote_use, remote_ip, forward_target)
> > > and call kn_query().
> > 
> > Building library dependencies into SSH is a *really* tough sell.
> 
> if you want to have complex policies that you will depend on keynote.
> 
> if you don't need complex policies, then you don't need keynote.
> 
> -m
> 
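
To make the quoted policy discussion concrete, here is an added toy evaluator (not libkeynote and not OpenSSH code) for the KeyNote-style assertion syntax shown in the thread. It assumes an ssh-flavoured policy of my own construction that uses the attribute names Markus mentions (remote_user, remote_ip, forward_target; I read "remote_use" above as remote_user), handles only assertions authorized by "POLICY", and supports just the operators `==`, `!=`, `&&`, `||` between licensees and KeyNote's `~=` regular-expression match; delegation chains and the full compliance-value ordering are left out. The function kn_query_toy() stands in for the kn_query() call Markus describes: ssh would fill the environment from the connection and ask for a compliance value.

```python
"""Toy evaluator for the KeyNote-style policy syntax quoted in the thread.

Constructed example, not libkeynote: it handles only the subset of KeyNote
seen above (Authorizer / Licensees / Conditions fields, '&&'-joined clauses,
a '-> "true"' result) plus '||' between licensees and '~=' regex matching.
Only assertions whose Authorizer is "POLICY" are trusted; delegation chains
through other principals and the full compliance-value lattice are omitted.
"""
import re

# KeyNote field names are case-insensitive ("licensees:" vs "Licensees:" above).
FIELD_RE = re.compile(r'^(Authorizer|Licensees|Conditions)\s*:\s*(.*)$', re.I)
CLAUSE_RE = re.compile(r'^\s*(\w+)\s*(==|!=|~=)\s*"([^"]*)"\s*$')
RESULT_RE = re.compile(r'^(.*?)\s*->\s*"([^"]*)"\s*;?\s*$', re.S)


def parse_policy(text):
    """Split a policy file into assertions: blank-line separated dicts of fields."""
    assertions, cur, field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                assertions.append(cur)
            cur, field = None, None
            continue
        m = FIELD_RE.match(raw)          # field lines start in column 0
        if m:
            if cur is None:
                cur = {}
            field = m.group(1).lower()
            cur[field] = m.group(2).strip()
        elif cur is not None and field:
            cur[field] += " " + line     # indented continuation of the previous field
        else:
            raise ValueError("unexpected line: %r" % raw)
    if cur:
        assertions.append(cur)
    return assertions


def conditions_of(assertion):
    """Return (clauses, result_value); a missing Conditions field is unconditional."""
    m = RESULT_RE.match(assertion.get("conditions", '-> "true";'))
    if not m:
        raise ValueError("unsupported Conditions: %r" % assertion.get("conditions"))
    expr = m.group(1).strip()
    clauses = [c.strip() for c in expr.split("&&")] if expr else []
    return clauses, m.group(2)


def clause_holds(clause, env):
    """Evaluate one `attr OP "value"` clause against the action environment."""
    m = CLAUSE_RE.match(clause)
    if not m:
        raise ValueError("unsupported clause: %r" % clause)
    attr, op, want = m.groups()
    have = env.get(attr, "")             # an unset attribute evaluates as ""
    if op == "==":
        return have == want
    if op == "!=":
        return have != want
    return re.search(want, have) is not None   # '~=': regular-expression match


def kn_query_toy(policy_text, requester, env):
    """Stand-in for kn_query(): ssh sets env from the connection, asks for a value."""
    for a in parse_policy(policy_text):
        if a.get("authorizer", "").strip('"') != "POLICY":
            continue                     # only root POLICY assertions are trusted here
        licensees = [l.strip().strip('"') for l in a.get("licensees", "").split("||")]
        if requester not in licensees:
            continue                     # licensee must match before conditions are looked at
        clauses, value = conditions_of(a)
        if all(clause_holds(c, env) for c in clauses):
            return value
    return "false"


# Constructed ssh-flavoured policy using the attribute names from the thread.
SAMPLE_POLICY = r'''Authorizer: "POLICY"
licensees: "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"
Conditions: app_domain == "ssh" &&
        remote_ip ~= "^129\.210\." &&
        forward_target == "" -> "true";

Authorizer: "POLICY"
Licensees: "passphrase:blafasel" || "passphrase:other"
Conditions: app_domain == "ssh" && remote_user != "root" -> "true";
'''

ROOT_DN = "DN:/C=DE/ST=Germany/L=Munich/CN=MARKUS FRIEDL ROOT CERT KEY"

if __name__ == "__main__":
    env = {"app_domain": "ssh", "remote_ip": "129.210.1.2", "forward_target": ""}
    print(kn_query_toy(SAMPLE_POLICY, ROOT_DN, env))
```

The licensee check runs before any condition is evaluated, which is the ordering Dan's bracketed note describes; the `~=` clause on remote_ip is one way the "Host 129.210.*.*" idea maps onto a KeyNote condition (this uses KeyNote's regular-expression operator, which the thread itself does not mention).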
