AuthorizedKeysCommand support added

Damien Miller djm at mindrot.org
Wed Oct 31 19:01:39 EST 2012


On Wed, 31 Oct 2012, Alex Bligh wrote:

> 
> On 31 Oct 2012, at 00:16, Damien Miller wrote:
> 
> > A facility like this grants a large opportunity to shoot oneself in
> > the foot
> 
> One potential anti-foot-shooting-device would be a configurable
> regexp of usernames passed to such a command.

If you want to limit this to particular users, then you can do that
already using Match blocks.

Match group maybetrustworthy
	AuthorizedKeysCommand /usr/libexec/authorized_keys_ldap

> Or have you by this time checked the username is in some way sane?

It is only invoked if the user actually has an account on the host, so
there is no risk of bad usernames percolating through to the helper.

-d
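Added example, not from this thread or from OpenSSH itself: a minimal helper that the AuthorizedKeysCommand line in the Match block above could point at. Since sshd only invokes the command for users who already have an account, the username check here is defence in depth rather than a requirement; the key table, the user names and the placeholder keys are constructed stand-ins for the LDAP lookup the real helper would do.

```shell
#!/bin/sh
# Example AuthorizedKeysCommand helper (added illustration, not OpenSSH code).
# sshd runs it as:  /usr/libexec/authorized_keys_example <username>
# and reads authorized_keys-format lines from its stdout.

# Accept only portable user names: letters, digits, '.', '_' and '-',
# not starting with '-', at most 32 characters. Returns 0 if sane.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Constructed key table standing in for a directory lookup, one
# "user:authorized_keys line" entry per line. The keys are placeholders,
# not real public keys.
KEY_TABLE='alice:ssh-ed25519 AAAA_PLACEHOLDER_ALICE alice@example
bob:ssh-ed25519 AAAA_PLACEHOLDER_BOB bob@example'

# Print the key lines for one user exactly as sshd expects them.
# Prints nothing and returns 1 when the user is not in the table.
# The name is passed to awk as a string (-v), never as a pattern.
lookup_keys() {
    printf '%s\n' "$KEY_TABLE" | awk -F: -v u="$1" \
        '$1 == u { sub(/^[^:]*:/, ""); print; n++ }
         END { exit n ? 0 : 1 }'
}

# Entry point: reject anything that is not a sane user name, then look
# the user up. A non-zero exit makes sshd treat the lookup as yielding
# no keys.
authorized_keys_cmd() {
    if ! valid_username "$1"; then
        printf 'authorized_keys_example: rejected user name\n' >&2
        return 1
    fi
    lookup_keys "$1"
}

# When executed by sshd the single argument is the user name.
if [ "$#" -eq 1 ]; then
    authorized_keys_cmd "$1"
fi
```

To use it, install the script root-owned and not writable by group or others (sshd refuses the command otherwise), reference it by absolute path from the AuthorizedKeysCommand line inside the Match block, and replace the in-script table with the real directory query.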

