cidr matching
Darren Tucker
dtucker at zip.com.au
Sat May 8 21:47:00 EST 2004
Damien Miller wrote:
> Darren Tucker wrote:
>>While we're at it, would it make sense to teach "pattern-list" stuff in
>>match.c to understand CIDR notation?
>
>
> If you are thinking of ssh_config, this is insufficient - the match and
> application of config is done well before name->address lookup (it has
> to, so the HostName directive can be used).
Actually I was thinking of "from=pattern-list" in authorized_keys
processing in sshd, so you could have something like this:
from="192.168.0.0/22" 1024 35 23...233 me at host
If the same matcher was used from the hypothetical
AuthenticationsForUser, you could then say things like "allow password,
hostbased or public key for connections from the local net, but require
password+pubkey for connections from the rest of the Net", thusly:
AuthenticationsForUser * password,public-key,hostbased 192.168.0.0/22
AuthenticationsForUser * password+public-key
> It may be possible to repeat the matching after the lookup, but then
> global config options have already been applied and what do we do if
> we match a specific host twice?
I haven't looked at it, I was just wondering aloud...
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list