AllowHosts / DenyHosts

Devon Bleak devon at admin2.gisnetworks.com
Fri Mar 2 04:26:53 EST 2001


i really don't see where this thread is going (if it's not my place to make
this comment then please forgive me)...

if you don't want/trust/need keynote support, then don't compile it in
(although i haven't actually heard that this is going to be something you
can opt out of, most of the stuff like this in OpenSSH is, and i'm sure that
at this point in the game it wouldn't require much effort to make it so).
i've gone over and over keynote notation/whatever you want to call it, and
still can't understand it.  that doesn't mean that i don't think it's a good
thing to have there if i want to learn and use it at some point in the
future.

personally, i think it'd be great to be able to set options in sshd based on
what user is logging in or what host they're logging in from or what key
they're using to log in or any number of other things.  i was actually going
to suggest/request something like that a couple days ago, but now that the
opportunity and possibility of using someone else's code and not having to
reinvent the wheel has come up, i think we should definitely grab it!

devon


----- Original Message -----
From: "Dan Kaminsky" <dankamin at cisco.com>
To: "Markus Friedl" <Markus.Friedl at informatik.uni-erlangen.de>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Thursday, March 01, 2001 8:27 AM
Subject: Re: AllowHosts / DenyHosts


> > > So tell me some complex policies that would be useful, that require
> > > keynote.
> >
> > everything that requires some kind of hierarchy.
> >
> > everything that requires some kind of delegation.
>
> OK, I can see this being useful.  Let's explicitly create a suffix, "If",
> that matches any configuration option selectable by the opposite (could be
> client or server).
>
> ===
> IfHost 129.210.*.*
>    Ciphers blowfish-cbc
>
> IfCiphers blowfish-cbc
>    X11Forwarding no
> ===
>
> Want negation?
>
> ===
> IfHost not 129.210.*.*
>    Ciphers blowfish-cbc
>
> IfCiphers != blowfish-cbc
>    X11Forwarding no
> ===
>
> But still, give me a concrete example of something really cool we can do
> with Keynote that doesn't fit with trivial modifications to your existing
> very readable syntax.  Thus far, I just haven't seen anything that justifies
> either the security risk or the difficulty in learning the syntax.
>
> Yours Truly,
>
>     Dan Kaminsky, CISSP
>     www.doxpara.com
>
>
>
>
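An added example, not part of the thread and not OpenSSH code: a small evaluator for the "If" syntax proposed in the quoted message, run over its negated policy. The semantics are assumptions made here: blocks apply top to bottom, "not" and "!=" both negate, patterns are shell-style globs, and a condition on an option (IfCiphers) tests the value currently in effect.

```python
from fnmatch import fnmatchcase

# The negated policy from the quoted message, used as sample input.
POLICY = """\
IfHost not 129.210.*.*
   Ciphers blowfish-cbc

IfCiphers != blowfish-cbc
   X11Forwarding no
"""

def parse(text):
    """Return [(key, negate, pattern, {option: value}), ...] in file order."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("#"):
            continue
        words = raw.split()
        if raw[0].isspace():              # indented line: option of the open block
            if not blocks or len(words) < 2:
                raise ValueError("bad option line: %r" % raw)
            blocks[-1][3][words[0]] = " ".join(words[1:])
        elif words[0].startswith("If") and len(words[0]) > 2:
            negate = len(words) == 3 and words[1] in ("not", "!=")
            if len(words) != (3 if negate else 2):
                raise ValueError("bad condition: %r" % raw)
            blocks.append((words[0][2:], negate, words[-1], {}))
        else:
            raise ValueError("unexpected line: %r" % raw)
    return blocks

def evaluate(blocks, facts, defaults):
    """Apply blocks top to bottom; later conditions see earlier assignments."""
    effective = dict(defaults)
    for key, negate, pattern, options in blocks:
        # Connection facts (e.g. Host) win; otherwise test the option in effect.
        value = facts.get(key, effective.get(key, ""))
        if fnmatchcase(value, pattern) != negate:
            effective.update(options)
    return effective

DEFAULTS = {"Ciphers": "3des-cbc", "X11Forwarding": "yes"}  # constructed defaults
```

The second block's outcome depends on what the first block did, so block order is part of the policy. The glob is a plain string match, so it is only meaningful against the numeric peer address, not a reverse-DNS name.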