OpenSSH - Central repository for "Match" rules

Jochen Bern Jochen.Bern at binect.de
Fri Jun 14 18:59:26 AEST 2024


On 14.06.24 01:58, Damien Miller wrote:
> No, the command would run every ssh invocation
> 
> On Thu, 13 Jun 2024, SCOTT FIELDS wrote:
>> Except you'd need to cycle SSHD to pickup any changes/updates.
>> ____________________________________________________________________________
>> From: Damien Miller <djm at mindrot.org>
>> Sent: Wednesday, June 12, 2024 9:28 PM
>> On Tue, 11 Jun 2024, SCOTT FIELDS wrote:
>>> Has there been discussion about implementing facilities with OpenSSH
>>> for having it pull "Match" rules from a central repository, namely
>>> LDAP or a RESTAPI service?
>>
>> You could probably hack something together using the existing ssh_config
>> "Match exec" and "Include" directives here. E.g.
>>
>> Match !final exec "~/bin/download-config-ephemeral"
>> Match any
>>          Include ~/.ssh/config-ephemeral

Y'all might want to pinpoint whether you want to do that trickery in 
someone's ~/.ssh/config, or /etc/ssh/sshd_config ...

(Though I have to say that in the latter case, getting sshd to re-eval 
the repository after startup, even if it *is* something wholly designed 
for on-demand eval like LDAP, might well result in "you *have* to 
restart it frequently for that". Which is something ops should be less 
than thrilled about, to put it mildly ...)

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
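The client-side variant of the quoted "Match exec" / "Include" trick, as an added example that is not from the thread or from OpenSSH: a ~/bin/download-config-ephemeral written so it is cheap and fail-safe to run on every ssh invocation. It assumes the central repository is reached through a fetch command the operator supplies (a hypothetical curl call against a REST endpoint, for instance), stubbed here with a constructed local file; the directive allow-list is an assumption as well.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): a minimal
# ~/bin/download-config-ephemeral for the client-side ~/.ssh/config variant,
# cheap and fail-safe enough to run on every ssh invocation. Assumption: the
# repository is reached by a fetch command the operator passes in (e.g. curl
# against a REST endpoint); the demo stubs it with a constructed local file.

# Directives a fetched fragment may contain. Anything that runs a local command
# (ProxyCommand, LocalCommand, Match ... exec) or Includes arbitrary files is
# left out: a compromised repository must not get code execution on the client.
ALLOWED='Match|Host|HostName|Port|User|IdentityFile|IdentitiesOnly|ProxyJump|StrictHostKeyChecking|UserKnownHostsFile'

# validate_fragment FILE: 0 if non-empty, every non-blank, non-comment line
# starts with an allowed keyword, and no Match line uses exec; else 1.
validate_fragment() {
    [ -s "$1" ] || return 1
    grep -Eiqv "^[[:space:]]*(#|($ALLOWED)([[:space:]]|=))|^[[:space:]]*\$" "$1" && return 1
    ! grep -Eiq '^[[:space:]]*Match[[:space:]].*[[:space:]]!?exec([[:space:]]|$)' "$1"
}

# install_fragment DEST FETCH_CMD: fetch into a temp file beside DEST, validate,
# then rename into place with mode 0600, so ssh only ever Includes a complete,
# checked fragment. On any failure the previous fragment is kept; returns 1.
install_fragment() {
    dest=$1; fetch=$2
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    # $fetch is the operator's own command, never data from the repository
    if eval "$fetch" >"$tmp" 2>/dev/null && validate_fragment "$tmp"; then
        chmod 0600 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demo with constructed fragments standing in for repository responses.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Match host *.corp.example\n    ProxyJump bastion.corp.example\n    User alice\n' >"$d/good"
    printf 'Host *\n    ProxyCommand nc -X connect %%h %%p\n' >"$d/bad"
    install_fragment "$d/config-ephemeral" "cat $d/good" && echo "installed"
    install_fragment "$d/config-ephemeral" "cat $d/bad" || echo "rejected, previous fragment kept"
    rm -rf "$d"
}
demo
```

Jochen's caveat stands for the sshd_config side: nothing here makes sshd re-read anything, so this only covers the per-user ~/.ssh/config case.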