sshd config parser

Senthil Kumar senthilkumar_sen at hotpop.com
Sat Apr 1 22:53:01 EST 2006


Hi Darren,

This is what I need. I have filed an enhancement request for this at 
http://bugzilla.mindrot.org/show_bug.cgi?id=1169

I would prefer to extend the current Host directive for this purpose.

Cheers,
Senthil Kumar.


----- Original Message ----- 
From: "Darren Tucker" <dtucker at zip.com.au>
To: "OpenSSH Devel List" <openssh-unix-dev at mindrot.org>
Sent: Wednesday, March 29, 2006 6:48 PM
Subject: sshd config parser


> Hi All.
>
> For various reasons, we're currently looking at extending (or even
> overhauling) the config parser used for sshd_config.
>
> Right now the syntax I'm looking at is a cumulative "Match" keyword that
> matches when all of the specified criteria are met.  This would be
> similar to the Host directive used in ssh_config, although it's still
> limiting (eg you can't easily nest directives).
>
> "Match" would be first-match, same as ssh_config.  (I think this is
> simpler for both implementation and configuration, but needs more
> careful planning of the directives).
>
> This would be especially useful with the RequiredAuthentications patch
> in bugzilla, eg:
>
> # allow anyone to authenticate normally from the local net
> Match Address 192.168.0.0/24
> RequiredAuthentications default
>
> # allow admins from the dmz with pubkey and password
> Match Group admins Address 1.2.3.0/24
> RequiredAuthentications publickey,password
>
> # deny untrusted and local users from any other net
> Match Group untrusted,lusers
> RequiredAuthentications deny
>
> # anyone else gets normal behaviour
> Match all
> RequiredAuthentications default
>
> There's also some potential for other things too:
>
> Match User anoncvs
> PermitTcpForwarding no
>
> Match Group nosftp
> Subsystem sftp /bin/false
>
> Anyway, some food for thought.
>
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev 
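The first-match "Match" semantics described in the quoted proposal, as an added example that is not part of this thread and not OpenSSH code: a small Python evaluator for the proposed syntax. It assumes that criteria on one Match line are ANDed, that a comma-separated value list is an OR within a criterion, that Address takes CIDR prefixes, and that keywords are case-insensitive; those are assumptions about a design that was still under discussion. The sample config is assembled from the blocks in the message, plus one constructed block placed after "Match all" to show why ordering is the policy under first-match.

```python
"""Toy evaluator for the cumulative, first-match "Match" syntax proposed in the
quoted message.  Hypothetical code written for this page; it is not OpenSSH
code, and the semantics are the proposal's, not those of any shipped sshd."""
import ipaddress

# Config assembled from the blocks in the message; the final anoncvs block is
# constructed (placed after "Match all") to demonstrate the first-match pitfall.
SAMPLE_CONFIG = """
# allow anyone to authenticate normally from the local net
Match Address 192.168.0.0/24
RequiredAuthentications default

# allow admins from the dmz with pubkey and password
Match Group admins Address 1.2.3.0/24
RequiredAuthentications publickey,password

# deny untrusted and local users from any other net
Match Group untrusted,lusers
RequiredAuthentications deny

# anyone else gets normal behaviour
Match all
RequiredAuthentications default

# constructed: unreachable, because "Match all" above always matches first
Match User anoncvs
PermitTcpForwarding no
"""

CRITERIA = ("user", "group", "address")   # assumed criterion keywords


def parse_config(text):
    """Return (global_directives, [(criteria, directives), ...]).

    criteria maps a lowercase keyword to its comma-separated value list; an
    empty dict means "Match all".  Directives before the first Match are
    global.  Keywords are lowercased (assumed case-insensitive).  Unknown
    criteria and odd token counts are rejected so a typo cannot silently
    widen a block."""
    globals_, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = rest.split()
            if tokens == ["all"]:
                criteria = {}
            elif not tokens or len(tokens) % 2:
                raise ValueError("malformed Match line: %r" % line)
            else:
                criteria = {}
                for k, v in zip(tokens[::2], tokens[1::2]):
                    if k.lower() not in CRITERIA:
                        raise ValueError("unknown Match criterion %r" % k)
                    criteria[k.lower()] = v.split(",")
            current = (criteria, {})
            blocks.append(current)
        else:
            (current[1] if current else globals_)[keyword] = rest
    return globals_, blocks


def block_matches(criteria, user, groups, address):
    """All criteria on the Match line must hold (cumulative AND); within one
    criterion any listed value suffices (OR)."""
    for key, values in criteria.items():
        if key == "user" and user not in values:
            return False
        if key == "group" and not set(groups) & set(values):
            return False
        if key == "address":
            ip = ipaddress.ip_address(address)
            if not any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return False
    return True


def effective_config(text, user, groups, address):
    """First-match: the first block whose criteria all hold overlays its
    directives on the globals; every later block is ignored."""
    globals_, blocks = parse_config(text)
    result = dict(globals_)
    for criteria, directives in blocks:
        if block_matches(criteria, user, groups, address):
            result.update(directives)
            break
    return result


def unreachable_blocks(text):
    """Lint: under first-match, no block after an unconditional "Match all"
    can ever be selected.  Returns their 1-based block indices."""
    _, blocks = parse_config(text)
    seen_all, dead = False, []
    for i, (criteria, _) in enumerate(blocks, 1):
        if seen_all:
            dead.append(i)
        elif not criteria:
            seen_all = True
    return dead


if __name__ == "__main__":
    for who in [("alice", ["users"], "192.168.0.10"),
                ("root", ["admins"], "1.2.3.4"),
                ("mallory", ["lusers"], "10.0.0.1"),
                ("mallory", ["lusers"], "192.168.0.7"),   # local-net block wins
                ("anoncvs", ["users"], "10.9.8.7")]:      # never reaches its block
        print(who, effective_config(SAMPLE_CONFIG, *who))
    print("unreachable blocks:", unreachable_blocks(SAMPLE_CONFIG))
```

Two things worth noticing when run: a member of "lusers" connecting from 192.168.0.7 gets "default", not "deny", because the local-net block comes first, which is exactly what the comment in the proposal intends; and the anoncvs block is never selected, so PermitTcpForwarding stays at its global value. With first-match, block order is the policy, and the lint only catches the obvious case (a block after "Match all"); a narrower block shadowed by an earlier, broader one needs the same kind of review by hand.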