sshd config parser
Iain Morgan
imorgan at nas.nasa.gov
Thu Mar 30 05:01:38 EST 2006
This looks _VERY_ interesting. Good idea!
On Wed Mar 29 05:18:04 2006, Darren Tucker wrote:
>
> Hi All.
>
> For various reasons, we're currently looking at extending (or even
> overhauling) the config parser used for sshd_config.
>
> Right now the syntax I'm looking at is a cumulative "Match" keyword that
> matches when all of the specified criteria are met. This would be
> similar to the Host directive used in ssh_config, although it's still
> limiting (eg you can't easily nest directives).
>
> "Match" would be first-match, same as ssh_config. (I think this is
> simpler for both implementation and configuration, but needs more
> careful planning of the directives).
>
> This would be especially useful with the RequiredAuthentications patch
> in bugzilla, eg:
>
> # allow anyone to authenticate normally from the local net
> Match Address 192.168.0.0/24
> RequiredAuthentications default
>
> # allow admins from the dmz with pubkey and password
> Match Group admins Address 1.2.3.0/24
> RequiredAuthentications publickey,password
>
> # deny untrusted and local users from any other net
> Match Group untrusted,lusers
> RequiredAuthentications deny
>
> # anyone else gets normal behaviour
> Match all
> RequiredAuthentications default
>
> There's also some potential for other things too:
>
> Match User anoncvs
> PermitTcpForwarding no
>
> Match Group nosftp
> Subsystem sftp /bin/false
>
> Anyway, some food for thought.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
--
Iain Morgan
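The first-match "Match" semantics described in Darren's quoted proposal, as an added example that is not part of the original thread and not code from OpenSSH's own parser. It models the proposal as written: directives before the first Match line are global, each Match line is a cumulative set of criteria that must all hold, and the first block whose criteria hold is applied on top of the globals while every later block is ignored. Assumptions not stated in the post: a comma-separated User/Group list means "any of", Address values are CIDR networks, directives under a block (RequiredAuthentications included) are treated as opaque key/value pairs, and an unknown criterion is rejected rather than ignored. The sample config is constructed here by combining the blocks from the post with a small global section.

```python
"""Toy first-match evaluator for the proposed sshd_config "Match" syntax.

Example code written for this page; not OpenSSH code. Directives such as
RequiredAuthentications are stored verbatim, with no semantics attached.
"""
import ipaddress

# Constructed sample: the post's blocks plus a global section (assumed).
SAMPLE_CONFIG = """\
PermitTcpForwarding yes
Subsystem sftp /usr/libexec/sftp-server

# allow anyone to authenticate normally from the local net
Match Address 192.168.0.0/24
RequiredAuthentications default

# allow admins from the dmz with pubkey and password
Match Group admins Address 1.2.3.0/24
RequiredAuthentications publickey,password

# deny untrusted and local users from any other net
Match Group untrusted,lusers
RequiredAuthentications deny

Match User anoncvs
PermitTcpForwarding no

Match Group nosftp
Subsystem sftp /bin/false

# anyone else gets normal behaviour
Match all
RequiredAuthentications default
"""


def parse_criterion(name, value):
    """Turn one criterion/value pair into a (name, parsed-values) tuple."""
    name = name.lower()
    values = value.split(",")            # assumption: comma list means "any of"
    if name in ("user", "group"):
        return name, set(values)
    if name == "address":
        # strict=True rejects e.g. 1.2.3.4/24 at parse time instead of
        # silently widening it to the containing network
        return name, [ipaddress.ip_network(v) for v in values]
    raise ValueError(f"unknown Match criterion {name!r}")  # fail closed


def parse_match_line(args):
    """Parse the words after "Match" into a list of criteria."""
    if len(args) == 1 and args[0].lower() == "all":
        return [("all", None)]
    if not args or len(args) % 2:
        raise ValueError(f"malformed Match line: {' '.join(args)}")
    return [parse_criterion(n, v) for n, v in zip(args[::2], args[1::2])]


def parse_config(text):
    """Return (global_settings, blocks); each block is (criteria, settings)."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if keyword.lower() == "match":
            current = {}
            blocks.append((parse_match_line(rest.split()), current))
        else:
            (current if current is not None else global_settings)[keyword] = rest
    return global_settings, blocks


def criteria_match(criteria, ctx):
    """All criteria on a Match line must hold (cumulative, as proposed)."""
    for name, values in criteria:
        if name == "all":
            continue
        if name == "user" and ctx["user"] not in values:
            return False
        if name == "group" and not values & set(ctx["groups"]):
            return False
        if name == "address":
            addr = ipaddress.ip_address(ctx["address"])
            if not any(addr in net for net in values):
                return False
    return True


def effective_config(config_text, user, groups, address):
    """First-match: apply the first satisfied block over the globals, then stop."""
    global_settings, blocks = parse_config(config_text)
    ctx = {"user": user, "groups": groups, "address": address}
    result = dict(global_settings)
    for criteria, settings in blocks:
        if criteria_match(criteria, ctx):
            result.update(settings)
            break
    return result


if __name__ == "__main__":
    for who in [("bob", ["users"], "192.168.0.5"),
                ("alice", ["admins"], "1.2.3.4"),
                ("mallory", ["lusers"], "192.168.0.9"),
                ("anoncvs", ["anoncvs"], "10.0.0.2")]:
        print(who, effective_config(SAMPLE_CONFIG, *who))
```

Two consequences of first-match ordering are worth seeing on the sample: a member of "lusers" connecting from 192.168.0.0/24 gets "default", not "deny", because the Address-only block comes first; and "anoncvs" never reaches the "Match all" fallback, so RequiredAuthentications is left unset for that user unless the global section sets it. That is the "careful planning of the directives" the post mentions, and an argument for putting safe defaults in the global section rather than in a trailing catch-all block.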