sshd config parser
Darren Tucker
dtucker at zip.com.au
Thu Mar 30 00:18:04 EST 2006
Hi All.
For various reasons, we're currently looking at extending (or even
overhauling) the config parser used for sshd_config.
Right now the syntax I'm looking at is a cumulative "Match" keyword that
matches when all of the specified criteria are met. This would be
similar to the Host directive used in ssh_config, although it's still
limiting (eg you can't easily nest directives).
"Match" would be first-match, same as ssh_config. (I think this is
simpler for both implementation and configuration, but needs more
careful planning of the directives).
This would be especially useful with the RequiredAuthentications patch
in bugzilla, eg:
# allow anyone to authenticate normally from the local net
Match Address 192.168.0.0/24
    RequiredAuthentications default
# allow admins from the dmz with pubkey and password
Match Group admins Address 1.2.3.0/24
    RequiredAuthentications publickey,password
# deny untrusted and local users from any other net
Match Group untrusted,lusers
    RequiredAuthentications deny
# anyone else gets normal behaviour
Match all
    RequiredAuthentications default
There's also some potential for other things too:
Match User anoncvs
    PermitTcpForwarding no
Match Group nosftp
    Subsystem sftp /bin/false
Anyway, some food for thought.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
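The first-match semantics proposed in the message above, written out as an added example (not code from the post or from OpenSSH): a small parser for the sketched syntax, where a Match line holds only if all of its criteria hold, a criterion with comma-separated values holds if any value matches, and only the first matching block overrides the global directives. The connection dictionary keys (`user`, `groups`, `address`) are assumed names for this example; the sample config is the post's first example reproduced verbatim.

```python
import ipaddress
# Constructed sample: the first Match example from the post, verbatim.
SAMPLE_CONFIG = """\
Match Address 192.168.0.0/24
    RequiredAuthentications default
Match Group admins Address 1.2.3.0/24
    RequiredAuthentications publickey,password
Match Group untrusted,lusers
    RequiredAuthentications deny
Match all
    RequiredAuthentications default
"""

def parse_config(text):
    """Return (global_directives, [(criteria, directives), ...]) in file order; {} criteria means 'all'."""
    glob, blocks = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "Match":
            tokens = rest.split()
            pairs = {} if tokens == ["all"] else dict(zip(tokens[0::2], tokens[1::2]))
            blocks.append(({k: v.split(",") for k, v in pairs.items()}, {}))
        else:  # directives before any Match line are global defaults
            (blocks[-1][1] if blocks else glob)[key] = rest.strip()
    return glob, blocks

def criterion_matches(name, values, conn):
    """One criterion holds if the connection matches ANY of its listed values."""
    if name == "Address":
        addr = ipaddress.ip_address(conn["address"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if name == "User":
        return conn["user"] in values
    if name == "Group":
        return any(g in conn["groups"] for g in values)
    raise ValueError("unknown Match criterion: " + name)

def effective_directives(config, conn):
    """First-match: the first block whose criteria ALL hold overrides the globals; later blocks are ignored."""
    glob, blocks = config
    result = dict(glob)
    for crit, directives in blocks:
        if all(criterion_matches(n, v, conn) for n, v in crit.items()):
            result.update(directives)
            break
    return result
```

Note how ordering matters: a user in group lusers connecting from 192.168.0.0/24 gets `default` from the first block, and the later `deny` block is never consulted.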