Connection caching?
Darren Tucker
dtucker at zip.com.au
Sat May 8 20:43:31 EST 2004
David Woodhouse wrote:
> On Tue, 2004-05-04 at 14:36 +1000, Darren Tucker wrote:
>> I looked at it in conjunction with bug #701 (which is the
>> "PermitRootLogin without-password" thing). It occurred to me that a
>> more general mechanism could be a better solution for both. As usual, I
>> got sidetracked.
>
> More general would be good... what I need from it would be
> "First s/key, then either of password or pubkey"
I've been thinking about something like:
AuthenticationsForUser user authenticationlist [source pattern-list]
where authenticationlist is a comma-separated list in which you could
require multiple authentication with a "+".
For example, to require password and public-key, it would be:
AuthenticationsForUser joe password+public-key
Your example would be:
AuthenticationsForUser fred \
keyboard-interactive+public-key,keyboard-interactive+password
I'm not sure about including keyboard-interactive submethods (eg pam or
skey), but ignoring them would probably make implementation simpler (eg
you could represent the authentication methods as a simple bitmask).
There should probably be an equivalent AuthenticationsForGroup.
Of course, now that I've said this, someone will poke holes in it :-)
While we're at it, would it make sense to teach "pattern-list" stuff in
match.c to understand CIDR notation?
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
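As an added illustration (not OpenSSH code and not part of the post), here is one way the proposed authentication list could be parsed into the simple bitmask the post mentions and then checked against the methods a client has completed. The method names, bit values and function names are assumptions, and keyboard-interactive submethods are ignored as suggested.

```c
/* Added example, not OpenSSH code: bitmask model of the proposed
 * "AuthenticationsForUser user authenticationlist" syntax. Method
 * names and bit values are assumed for illustration. */
#include <stddef.h>
#include <string.h>

#define AUTH_PASSWORD   0x1
#define AUTH_PUBKEY     0x2
#define AUTH_KBDINT     0x4
#define AUTH_HOSTBASED  0x8

/* Map one method name to its bit; 0 means unknown. Submethods such as
 * pam or skey are deliberately not modelled. */
static unsigned method_bit(const char *name, size_t len)
{
	static const struct { const char *name; unsigned bit; } tab[] = {
		{ "password", AUTH_PASSWORD }, { "public-key", AUTH_PUBKEY },
		{ "keyboard-interactive", AUTH_KBDINT }, { "hostbased", AUTH_HOSTBASED },
	};
	for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++)
		if (strlen(tab[i].name) == len && strncmp(tab[i].name, name, len) == 0)
			return tab[i].bit;
	return 0;
}

/* Parse "a+b,c+d" into one required-mask per comma-separated alternative.
 * Returns the number of alternatives, or -1 on an unknown or empty method
 * (so a typo in sshd_config fails closed instead of weakening the policy). */
int parse_authlist(const char *list, unsigned *alts, int max_alts)
{
	int n = 0;
	const char *p = list;
	while (*p != '\0') {
		if (n >= max_alts) return -1;
		unsigned mask = 0;
		for (;;) {
			size_t len = strcspn(p, "+,");
			unsigned bit = method_bit(p, len);
			if (bit == 0) return -1;
			mask |= bit;
			p += len;
			if (*p == '+') { p++; continue; }
			break;
		}
		alts[n++] = mask;
		if (*p == ',') p++;
	}
	return n;
}

/* Policy is met when every method of at least one alternative is done.
 * An empty policy (n == 0) never passes. */
int auth_satisfied(const unsigned *alts, int n, unsigned completed)
{
	for (int i = 0; i < n; i++)
		if ((alts[i] & completed) == alts[i]) return 1;
	return 0;
}
```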