[openssh-commits] CVS: fuyu.mindrot.org: openssh

[Damien Miller]

CVSROOT:        /var/cvs
Module name:    openssh
Changes by:     djm at fuyu.mindrot.org 10/05/10 11:58:04

Modified files:
    .               : ChangeLog auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c key.c servconf.c servconf.h sshd.8 sshd_config.5

Log message:
   - djm at cvs.openbsd.org 2010/05/07 11:30:30
     [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
     [key.c servconf.c servconf.h sshd.8 sshd_config.5]
     add some optional indirection to matching of principal names listed
     in certificates. Currently, a certificate must include the a user's name
     to be accepted for authentication. This change adds the ability to
     specify a list of certificate principal names that are acceptable.
     
     When authenticating using a CA trusted through ~/.ssh/authorized_keys,
     this adds a new principals="name1[,name2,...]" key option.
     
     For CAs listed through sshd_config's TrustedCAKeys option, a new config
     option "AuthorizedPrincipalsFile" specifies a per-user file containing
     the list of acceptable names.
     
     If either option is absent, the current behaviour of requiring the
     username to appear in principals continues to apply.
     
     These options are useful for role accounts, disjoint account namespaces
     and "user at realm"-style naming policies in certificates.
     
     feedback and ok markus@

Diff commands:
cvs -nQq rdiff -u -r1.5570 -r1.5571 openssh/ChangeLog
cvs -nQq rdiff -u -r1.49 -r1.50 openssh/auth-options.c
cvs -nQq rdiff -u -r1.17 -r1.18 openssh/auth-options.h
cvs -nQq rdiff -u -r1.140 -r1.141 openssh/auth.c
cvs -nQq rdiff -u -r1.83 -r1.84 openssh/auth.h
cvs -nQq rdiff -u -r1.25 -r1.26 openssh/auth2-pubkey.c
cvs -nQq rdiff -u -r1.90 -r1.91 openssh/key.c
cvs -nQq rdiff -u -r1.202 -r1.203 openssh/servconf.c
cvs -nQq rdiff -u -r1.84 -r1.85 openssh/servconf.h
cvs -nQq rdiff -u -r1.216 -r1.217 openssh/sshd.8
cvs -nQq rdiff -u -r1.127 -r1.128 openssh/sshd_config.5

ViewVC:
http://anoncvs.mindrot.org/index.cgi/openssh/ChangeLog?r1=1.5570;r2=1.5571&view=patch
http://anoncvs.mindrot.org/index.cgi/openssh/auth-options.c?r1=1.49;r2=1.50&view=patch
http://anoncvs.mindrot.org/index.cgi/openssh/auth-options.h?r1=1.17;r2=1.18&view=patch
http://anoncvs.mindrot.org/index.cgi/openssh/auth.c?r1=1.140;r2=1.141&view=patch
http://anoncvs.mindrot.org/index.cgi/openssh/auth.h?r1=1.83;r2=1.84&view=patch
http://anoncvs.mindrot.org/index.cgi/openssh/auth2-pubkey.c?r1=1.25;r2=1.26&view=patch
http://anoncvs.mindrot.org/index.cgi/openssh/key.c?r1=1.90;r2=1.91&view=patch
http://anoncvs.mindrot.org/index.cgi/openssh/servconf.c?r1=1.202;r2=1.203&view=patch
http://anoncvs.mindrot.org/index.cgi/openssh/servconf.h?r1=1.84;r2=1.85&view=patch
http://anoncvs.mindrot.org/index.cgi/openssh/sshd.8?r1=1.216;r2=1.217&view=patch
http://anoncvs.mindrot.org/index.cgi/openssh/sshd_config.5?r1=1.127;r2=1.128&view=patch

Please note that there may be a delay before commits are available
on the public ViewVC site.