LPK integration - summary and ideas
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Jun 10 01:14:43 EST 2010
On 06/09/2010 04:22 AM, Dan Kaminsky wrote:
> There's a long history of using external commands as an extensibility point
> (ProxyCommand for example) and, if there was going to be any way of linking
> LDAP in, this would almost certainly be the best way.

I agree with Dan here. I'd rather see a general, out-of-process,
extensible framework put in place than see LPK integrated directly.

For the client side, something like KnownHostsCommand (by analogy with
KnownHostsFile) would be good. I've just opened a ticket describing a
simple outline for that enhancement:

https://bugzilla.mindrot.org/show_bug.cgi?id=1777

For the server side, it's a bit trickier to define an
AuthorizedKeysCommand (and to ensure that a blocked
AuthorizedKeysCommand does not hang the rest of the daemon), but it
would be useful too. I've opened a ticket describing that option as
well (but it's not as well fleshed-out):

https://bugzilla.mindrot.org/show_bug.cgi?id=1778

--dkg
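
The server-side concern in the message above (a blocked helper must not hang its caller) can be illustrated from the caller's side. This is an added example, not code from the message or from OpenSSH; the function name, the stand-in helper commands, the key-type list and the timeout value are all assumptions.

```python
import subprocess
import sys

# Key types accepted by this sketch (assumption; a real daemon keeps its own list).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def fetch_authorized_keys(helper_argv, username, timeout=2.0):
    """Run an external key-lookup helper for `username`.

    Returns the well-formed key lines it printed, or [] on any failure,
    so a hung, missing or failing helper means "no keys" (fail closed).
    """
    try:
        # The username is passed as one argv element, never through a shell,
        # so it cannot be interpreted as shell syntax.
        proc = subprocess.run(helper_argv + [username],
                              stdin=subprocess.DEVNULL,
                              capture_output=True, text=True,
                              timeout=timeout)
    except (subprocess.TimeoutExpired, OSError):
        return []  # blocked or unrunnable helper: give up, caller keeps going
    if proc.returncode != 0:
        return []  # helper reported an error: do not trust partial output
    keys = []
    for line in proc.stdout.splitlines():
        fields = line.split()
        # Simplification: accept only "<type> <blob> [comment]" lines;
        # lines with leading authorized_keys options are skipped.
        if len(fields) >= 2 and fields[0] in KEY_TYPES:
            keys.append(line.strip())
    return keys

# Constructed stand-ins for a directory lookup helper (no real LDAP involved).
# The key blob is a made-up placeholder, not a valid key.
GOOD_HELPER = [sys.executable, "-c",
               "import sys; "
               "print('ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed ' "
               "+ sys.argv[1] + '@example'); print('garbage line')"]
HUNG_HELPER = [sys.executable, "-c", "import time; time.sleep(30)"]
FAILING_HELPER = [sys.executable, "-c", "import sys; sys.exit(1)"]

if __name__ == "__main__":
    print(fetch_authorized_keys(GOOD_HELPER, "alice"))
    print(fetch_authorized_keys(HUNG_HELPER, "alice", timeout=0.5))
```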