AllowHosts / DenyHosts

Dan Kaminsky dankamin at cisco.com
Fri Mar 2 08:32:20 EST 2001


> i've gone over and over keynote notation/whatever you want to call it, and
> still can't understand it.  that doesn't mean that i don't think it's a good
> thing to have there if i want to learn and use it at some point in the
> future.

You want the feature--but cannot grok the syntax.  I don't think you're 
alone.

> 
> personally, i think it'd be great to be able to set options in sshd based on
> what user is logging in or what host they're logging in from or what key
> they're using to log in or any number of other things.  i was actually going
> to suggest/request something like that a couple days ago, but now that the
> opportunity and possibility of using someone else's code and not having to
> reinvent the wheel has come up, i think we should definitely grab it!

I don't like the concept of a huge barrier to entry in configuring SSH.
I think we *all* agree it'd be good to be able to have more fine-grained
controls.  The disagreement comes in whether or not Keynote is an
appropriate infrastructure for those controls.  I think it's
overcomplicated, too dangerous to use as an external
library (consider--it needs the ability to view, and possibly change, all
SSHD parameters dynamically), and unnecessary--we can get most of the
gains of keynote by simply extending *slightly* on the work done in
readconf.c.

There are things that are important--we should be able to switch on the
criticals, like Who is coming from Where, *When*, maybe using What.  We
can do this without Keynote--though please, if anyone can correct, do
so!  If we can do without, do it safer, do it easier, do it arguably
even faster...

Isn't that doing it right?

Yours Truly,

   Dan Kaminsky, CISSP
   www.doxpara.com