Match and AuthorizedKeysFile, was Re: sshd config parser
J.S.Peatfield at damtp.cam.ac.uk
Sat Jan 24 14:55:11 EST 2009
I hope no-one minds me replying to such an old message... :-)
On Sun, 2 Apr 2006, Darren Tucker wrote:
> Hi All.
> Here's an updated patch. It's not actually as big as it looks as nearly
> half of it is adding a flag to the keyword struct and a large comment.
> The supported Match directives are User, Group, Host and Address.
> The directives supported inside a Match block are:
> UsePAM, LoginGraceTime, PermitRootLogin, LogFacility,
> LogLevel, RhostsRSAAuthentication, HostbasedAuthentication,
> HostbasedUsesNameFromPacketOnly, RSAAuthentication, PubkeyAuthentication,
> PubkeyAuthentication, KerberosAuthentication, KerberosOrLocalPasswd,
> KerberosTicketCleanup, KerberosGetAFSToken, GssAuthentication,
> GssCleanupCreds, PasswordAuthentication, KbdInteractiveAuthentication,
> ChallengeResponseAuthentication, ChallengeResponseAuthentication,
> PrintMotd, PrintLastLog, IgnoreRhosts, IgnoreUserKnownHosts,
> X11Forwarding, X11DisplayOffset, X11UseLocalhost, XAuthLocation,
> StrictModes, PermitEmptyPasswd, PermitUserEnvironment, UseLogin,
> AllowTcpForwarding, GatewayPorts, MaxAuthTries, Banner,
> ClientAliveInterval, ClientAliveCountMax, AuthorizedKeysFile,
> AuthorizedKeysFile2, AcceptEnv, PermitTunnel
> (not all of those are tested, though)
I note AuthorizedKeysFile is listed.
I was just doing some testing of a system using a fairly freshly built
openssh-5.1p1 and started experimenting with Match options and found that
AuthorizedKeysFile is not allowed in a Match block - the struct keywords
entry for it contains SSHCFG_GLOBAL rather than SSHCFG_ALL so I didn't
look much further into the code.
Anyway, I thought it *might* be useful to patch openssh to allow it to work
in a Match, so I first checked back through old mail to the list - in
case anyone had already suggested it - and found the info above from 2006.
If Match was originally going to allow this, was it dropped because it
caused some problem, or would adding it be lots of work?
On a slightly different matter, has anyone already suggested adding Match
options to select on the address/hostname and/or port that the sshd
accepted the connection on?
I'm thinking of things like:
# connection to addresses connected to trusted networks
Match localaddress x.x.x.x x1.x1.x1.x1 127.0.0.1
# connection to a 'service' address
Match localaddress y.y.y.y
Of course one can run different sshds with different settings for these,
each listening on the relevant addresses/ports, so it isn't exactly vital.
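As an added illustration, not part of the original message nor of any OpenSSH patch, here are the two things this mail asks for written in the syntax that current sshd_config(5) accepts: Match takes LocalAddress and LocalPort criteria (the "local address the connection arrived on" that the mail proposes), and AuthorizedKeysFile is permitted inside a Match block. The addresses, the port and the key-file paths are placeholders chosen for the example.

```sshd_config
# Global defaults: key-only logins, one key file per user.
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Connections that sshd accepted on addresses bound to trusted networks
# (placeholder addresses, comma-separated; CIDR ranges are also accepted).
# Here an additional, admin-managed key file is honoured on top of the
# user's own file; %u expands to the user name.
Match LocalAddress 192.0.2.10,192.0.2.11,127.0.0.1
    AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/trusted_keys/%u
    PermitRootLogin prohibit-password

# Connections that sshd accepted on the 'service' address and port
# (placeholders). Only the central key store counts here: the user's
# ~/.ssh/authorized_keys is not consulted at all for these connections.
Match LocalAddress 198.51.100.5 LocalPort 2222
    AuthorizedKeysFile /etc/ssh/service_keys/%u
    AllowTcpForwarding no
```

Keywords inside a matching block override the global value, and a block runs until the next Match line or end of file. When more than one Match block matches a connection, sshd keeps the first value it obtains for a keyword, so put the more specific blocks first. The effective settings for a given connection can be checked without connecting, using sshd's test mode and a connection spec naming the local address and port, e.g. `sshd -T -C laddr=198.51.100.5,lport=2222,user=alice,addr=203.0.113.7,host=client.example`, and reading the AuthorizedKeysFile line it prints.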