[Bug 78] New: Support use of named (krb4, krb5, gsi, x.509) keys in auth_keys entries

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jan 25 13:27:57 EST 2002


http://bugzilla.mindrot.org/show_bug.cgi?id=78

           Summary: Support use of named (krb4, krb5, gsi, x.509) keys in
                    auth_keys entries
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: All
               URL: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=101189381805982&w=2
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: Nicolas.Williams at ubsw.com
                CC: openssh-unix-dev at mindrot.org


This patch adds support for entries in authorized_keys which reference
Kerberos principal names or GSI/X.509 certificate names when doing Kerberos
or GSS authentication. Also included is support for authorized_keys
entries which are patterns matching such names. Also included is support
for a new authorized_keys entry option, "deny-access." With this patch sshd
also sets environment variables to indicate the client's authenticated name,
if a named authorized_keys entry matches.

These simple features simplify key management and authorized_keys file
management in environments where Kerberos or GSI are in use with OpenSSH
(see Simon Wilkinson's patch to OpenSSH that implements the gsskeyex
draft). These features represent a much more general authorization system
for Kerberos than .klogin or .k5login, and apply to other authentication
mechanisms as well (again, GSI/X.509, and, in the future, when direct
X.509 support is added to OpenSSH, x.509).

These features, or a variation thereof, in OpenSSH, would be greatly
appreciated.
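The matching logic such named entries need, written here as an added illustration and not the reporter's patch or OpenSSH code. The entry syntax (`mechanism:name`, with a leading `deny-access` option), the mechanism labels and the sample file are all assumptions made for this example. It shows two points worth checking in any implementation of the feature: a deny-access entry wins regardless of its position in the file, and a shell-style wildcard crosses the `/` and `@` separators of a principal name, so `*@EXAMPLE.COM` also matches service principals such as `host/www@EXAMPLE.COM` unless they are denied explicitly.

```python
"""Matcher for 'named' authorized_keys entries (illustration only).

Assumed entry syntax, not the syntax of the reporter's patch:

    [option[,option...]] <mechanism>:<name-or-pattern>

    krb5:alice@EXAMPLE.COM                   allow one principal
    krb5:*@EXAMPLE.COM                       allow a pattern of principals
    deny-access krb5:host/*@EXAMPLE.COM      deny a pattern of principals

Ordinary public-key lines are recognised and skipped.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Mechanism labels are an assumption; the bug report only names the mechanisms.
MECHANISMS = {"krb4", "krb5", "gsi", "x509"}


@dataclass(frozen=True)
class NamedEntry:
    mechanism: str   # which authentication mechanism supplied the name
    pattern: str     # literal name or shell-style pattern
    deny: bool       # True when the entry carries the deny-access option


def parse_entry(line: str) -> Optional[NamedEntry]:
    """Parse one line. Returns None for blanks, comments, ordinary key lines
    and anything malformed (quoted options containing spaces are not handled)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) == 1:
        options, target = "", fields[0]
    elif len(fields) == 2:
        options, target = fields
    else:
        return None  # e.g. "ssh-rsa AAAA... comment"
    mech, sep, pattern = target.partition(":")
    if not sep or mech not in MECHANISMS or not pattern:
        return None  # base64 key material never contains ':'
    deny = "deny-access" in options.split(",")
    return NamedEntry(mech, pattern, deny)


def load_entries(text: str) -> List[NamedEntry]:
    """Parse a whole authorized_keys file, keeping only the named entries."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def authorize(entries: List[NamedEntry], mechanism: str,
              name: str) -> Tuple[bool, Optional[NamedEntry]]:
    """Decide whether an authenticated name may log in.

    Returns (allowed, entry). A matching deny-access entry wins over every
    allow entry whatever the file order, so an allow later in the file cannot
    reopen access. Matching is case-sensitive (fnmatchcase), as Kerberos
    principal names are.
    """
    first_allow = None
    for entry in entries:
        if entry.mechanism != mechanism or not fnmatchcase(name, entry.pattern):
            continue
        if entry.deny:
            return False, entry
        if first_allow is None:
            first_allow = entry
    return first_allow is not None, first_allow


# Constructed sample file; not taken from the bug report.
SAMPLE_AUTHORIZED_KEYS = """\
# named entries (constructed sample)
krb5:alice@EXAMPLE.COM
krb5:*@EXAMPLE.COM
deny-access krb5:host/*@EXAMPLE.COM
deny-access krb5:mallory@EXAMPLE.COM
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ== ordinary-key-line
"""

if __name__ == "__main__":
    entries = load_entries(SAMPLE_AUTHORIZED_KEYS)
    for mech, who in [("krb5", "alice@EXAMPLE.COM"), ("krb5", "bob@EXAMPLE.COM"),
                      ("krb5", "mallory@EXAMPLE.COM"), ("krb5", "host/www@EXAMPLE.COM"),
                      ("gsi", "alice@EXAMPLE.COM")]:
        allowed, hit = authorize(entries, mech, who)
        print(f"{mech}:{who:24} -> {'allow' if allowed else 'deny '}  via {hit}")
```

Note that with only the `krb5:*@EXAMPLE.COM` line present, `host/www@EXAMPLE.COM` is allowed; an implementation that wants wildcards confined to the user part of a principal needs a pattern matcher that treats `/` and `@` as separators, or explicit deny entries for service principals as in the sample.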
