Connection caching?
Jefferson Ogata
Jefferson.Ogata at noaa.gov
Sat May 8 11:31:26 EST 2004
Darren Tucker wrote:
> David Woodhouse wrote:
>> On Tue, 2004-05-04 at 14:36 +1000, Darren Tucker wrote:
>>> I looked at it in conjunction with bug #701 (which is the
>>> "PermitRootLogin without-password" thing). It occurred to me that a
>>> more general mechanism could be a better solution for both. As
>>> usual, I got sidetracked.
>>
>> More general would be good... what I need from it would be
>> "First s/key, then either of password or pubkey"
>
> I've been thinking about something like:
>
> AuthenticationsForUser user authenticationlist [source pattern-list]
>
> where authenticationlist is a comma-separated list in which you could
> require multiple authentication with a "+".
>
> For example, to require password and public-key, it would be:
>
> AuthenticationsForUser joe password+public-key
>
> Your example would be:
>
> AuthenticationsForUser fred \
> keyboard-interactive+public-key,keyboard-interactive+password
I think what would work would be to make the sshd_config syntax consistent with
the ~/.ssh/config syntax, but instead of Host sections, have User sections. In
addition, instead of AllowUsers/DenyUsers you could use Allow/Deny keywords or
something similar. We should also allow specification of sub-auth-types. E.g.
something along the lines of:
Protocol 2
[other global options]

User foo bar fubar
    Protocol 1
    PasswordAuthentication yes
    PubkeyAuthentication no
    RequiredAuth keyboard-interactive/skey+password
                 keyboard-interactive/skey+public-key

User root
    PasswordAuthentication no
    RequiredAuth keyboard-interactive+public-key

User bozo
    Deny yes
Obviously this would necessitate a rewrite of the config file parser, and
additional data structures for user-specific config settings. Not for the faint
at heart. But the current config format is pretty limiting.
--
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
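The following is an added example, not code from the message above or from OpenSSH, that models the per-user sshd_config syntax Jefferson proposes so the policy it expresses can be evaluated: User sections scope directives to the listed users, RequiredAuth lists alternatives made of "+"-joined methods with optional "/subtype" suffixes, and "Deny yes" blocks a user outright. Everything about the grammar here is an assumption, in particular that a RequiredAuth value may continue on following lines that do not begin with a known directive, and that RequiredAuth, when present, takes precedence over the per-method yes/no switches. (OpenSSH later shipped a related mechanism as the AuthenticationMethods directive; this example models the syntax in this thread, not that directive.) The sample config is constructed to mirror the one in the message.

```python
"""Model of the per-user sshd_config syntax proposed in the message above.

Assumptions (hypothetical syntax, not OpenSSH behaviour):
  - directives before the first 'User' line are global;
  - a 'User a b c' line opens a section that applies to users a, b and c;
  - 'RequiredAuth' lists alternatives separated by whitespace or commas; each
    alternative is a '+'-joined list of methods, optionally 'method/subtype',
    and the value may continue on following lines that do not start with a
    known directive;
  - 'Deny yes' blocks the user entirely; RequiredAuth, when present, decides
    the outcome instead of the PasswordAuthentication/PubkeyAuthentication
    switches.
"""
from collections import defaultdict

DIRECTIVES = {
    "protocol", "passwordauthentication", "pubkeyauthentication",
    "requiredauth", "deny", "user",
}

# Constructed sample config mirroring the proposal in the message.
SAMPLE_CONFIG = """\
Protocol 2
PasswordAuthentication yes

User foo bar fubar
    Protocol 1
    PasswordAuthentication yes
    PubkeyAuthentication no
    RequiredAuth keyboard-interactive/skey+password
                 keyboard-interactive/skey+public-key

User root
    PasswordAuthentication no
    RequiredAuth keyboard-interactive+public-key

User bozo
    Deny yes
"""


def parse_required_auth(value):
    """'a/x+b, c+d' -> [(('a','x'), ('b',None)), (('c',None), ('d',None))]"""
    alternatives = []
    for alt in value.replace(",", " ").split():
        methods = []
        for method in alt.split("+"):
            name, _, subtype = method.partition("/")
            methods.append((name, subtype or None))
        alternatives.append(tuple(methods))
    return alternatives


def parse_config(text):
    """Return (global_opts, per_user): per_user maps each user name to the
    directives of the User sections naming it (later sections override)."""
    global_opts = {}
    per_user = defaultdict(dict)
    current = None      # users of the open section; None while in global scope
    last_key = None     # used to recognise RequiredAuth continuation lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "user":
            current, last_key = rest.split(), None
            continue
        if key not in DIRECTIVES:
            if last_key != "requiredauth":
                raise ValueError("unknown directive: " + line)
            key, rest = "requiredauth", line      # continuation line
        targets = [global_opts] if current is None else [per_user[u] for u in current]
        for opts in targets:
            if key == "requiredauth":
                opts.setdefault("requiredauth", []).extend(parse_required_auth(rest))
            else:
                opts[key] = rest.strip()
        last_key = key
    return global_opts, dict(per_user)


def alternative_satisfied(alternative, completed):
    """Every required (method, subtype) must match a completed one; a
    requirement without a subtype accepts any subtype of that method."""
    return all(
        any(name == c_name and (sub is None or sub == c_sub) for c_name, c_sub in completed)
        for name, sub in alternative
    )


def login_allowed(global_opts, per_user, user, completed):
    """Decide whether the set of successfully completed (method, subtype)
    pairs is enough to log 'user' in under the parsed policy."""
    opts = dict(global_opts)
    opts.update(per_user.get(user, {}))
    if opts.get("deny", "no").lower() == "yes":
        return False
    alternatives = opts.get("requiredauth")
    if alternatives:
        return any(alternative_satisfied(a, completed) for a in alternatives)
    # No RequiredAuth: any one completed method whose switch is not 'no' suffices.
    switches = {"password": "passwordauthentication", "public-key": "pubkeyauthentication"}
    return any(opts.get(switches.get(name, ""), "yes").lower() != "no"
               for name, _ in completed)


if __name__ == "__main__":
    g, u = parse_config(SAMPLE_CONFIG)
    print(login_allowed(g, u, "foo", {("keyboard-interactive", "skey"), ("password", None)}))
```

Note that for the users foo, bar and fubar the sample config switches PubkeyAuthentication off while one RequiredAuth alternative still names public-key; the model resolves that by letting RequiredAuth win, but a real implementation would have to define that precedence explicitly, which is one of the parser decisions the message alludes to.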