- djm@cvs.openbsd.org 2010/05/07 11:30:30

[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c] [key.c servconf.c servconf.h sshd.8 sshd_config.5] add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@
author: Damien Miller <djm@mindrot.org> 2010-05-10 11:58:03 +1000
committer: Damien Miller <djm@mindrot.org> 2010-05-10 11:58:03 +1000
commit: 30da3447d2ef3329cb0eb083cdddf84532659454 (patch)
tree: 02537d2355d77cc15d1bf9d266d474e660848012 /ChangeLog
parent: 099fc1634e1cc0f96b77a811e554bf9d796def8f (diff)
1 files changed, 22 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 684609459..090e2352c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,28 @@
     [sftp.c]
     restore mput and mget which got lost in the tab-completion changes.
     found by Kenneth Whitaker, ok djm@
+   - djm@cvs.openbsd.org 2010/05/07 11:30:30
+     [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
+     [key.c servconf.c servconf.h sshd.8 sshd_config.5]
+     add some optional indirection to matching of principal names listed
+     in certificates. Currently, a certificate must include the a user's name
+     to be accepted for authentication. This change adds the ability to
+     specify a list of certificate principal names that are acceptable.
+     
+     When authenticating using a CA trusted through ~/.ssh/authorized_keys,
+     this adds a new principals="name1[,name2,...]" key option.
+     
+     For CAs listed through sshd_config's TrustedCAKeys option, a new config
+     option "AuthorizedPrincipalsFile" specifies a per-user file containing
+     the list of acceptable names.
+     
+     If either option is absent, the current behaviour of requiring the
+     username to appear in principals continues to apply.
+     
+     These options are useful for role accounts, disjoint account namespaces
+     and "user@realm"-style naming policies in certificates.
+     
+     feedback and ok markus@
 20100423
 - (dtucker) [configure.ac] Bug #1756: Check for the existence of a lib64 dir
author	Damien Miller <djm@mindrot.org>	2010-05-10 11:58:03 +1000
committer	Damien Miller <djm@mindrot.org>	2010-05-10 11:58:03 +1000
commit	30da3447d2ef3329cb0eb083cdddf84532659454 (patch)
tree	02537d2355d77cc15d1bf9d266d474e660848012 /ChangeLog
parent	099fc1634e1cc0f96b77a811e554bf9d796def8f (diff)

diff --git a/ChangeLog b/ChangeLog index 684609459..090e2352c 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -31,6 +31,28 @@
31	[sftp.c]	31	[sftp.c]
32	restore mput and mget which got lost in the tab-completion changes.	32	restore mput and mget which got lost in the tab-completion changes.
33	found by Kenneth Whitaker, ok djm@	33	found by Kenneth Whitaker, ok djm@
		34	- djm@cvs.openbsd.org 2010/05/07 11:30:30
		35	[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
		36	[key.c servconf.c servconf.h sshd.8 sshd_config.5]
		37	add some optional indirection to matching of principal names listed
		38	in certificates. Currently, a certificate must include the a user's name
		39	to be accepted for authentication. This change adds the ability to
		40	specify a list of certificate principal names that are acceptable.
		41
		42	When authenticating using a CA trusted through ~/.ssh/authorized_keys,
		43	this adds a new principals="name1[,name2,...]" key option.
		44
		45	For CAs listed through sshd_config's TrustedCAKeys option, a new config
		46	option "AuthorizedPrincipalsFile" specifies a per-user file containing
		47	the list of acceptable names.
		48
		49	If either option is absent, the current behaviour of requiring the
		50	username to appear in principals continues to apply.
		51
		52	These options are useful for role accounts, disjoint account namespaces
		53	and "user@realm"-style naming policies in certificates.
		54
		55	feedback and ok markus@
34		56
35	20100423	57	20100423
36	- (dtucker) [configure.ac] Bug #1756: Check for the existence of a lib64 dir	58	- (dtucker) [configure.ac] Bug #1756: Check for the existence of a lib64 dir