author | Damien Miller <djm@mindrot.org> | 2010-05-21 14:58:32 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2010-05-21 14:58:32 +1000 |
commit | d0e4a8e2e0bc6fcee6cd8486fbcdffaf7d037aed (patch) | |
tree | a5e02fcbb2a55a16b877e960edd2b8f1adde8389 /PROTOCOL.certkeys | |
parent | 84399555f0a3c78b96c3e5a56ce9c83eaa814228 (diff) |
- djm@cvs.openbsd.org 2010/05/20 23:46:02
[PROTOCOL.certkeys auth-options.c ssh-keygen.c]
Move the permit-* options to the non-critical "extensions" field for v01
certificates. The logic is that if another implementation fails to
implement them then the connection just loses features rather than fails
outright.
ok markus@
Diffstat (limited to 'PROTOCOL.certkeys')
-rw-r--r-- | PROTOCOL.certkeys | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index 0fa5748f3..81b02a078 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys | |||
@@ -131,7 +131,7 @@ must refuse to authorise a key that has an unrecognised option. | |||
131 | 131 | ||
132 | extensions is a set of zero or more optional extensions. These extensions | 132 | extensions is a set of zero or more optional extensions. These extensions |
133 | are not critical, and an implementation that encounters one that it does | 133 | are not critical, and an implementation that encounters one that it does |
134 | not recognise may safely ignore it. No extensions are defined at present. | 134 | not recognise may safely ignore it. |
135 | 135 | ||
136 | The reserved field is currently unused and is ignored in this version of | 136 | The reserved field is currently unused and is ignored in this version of |
137 | the protocol. | 137 | the protocol. |
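Review bot: at new line 134 the paragraph now ends at "may safely ignore it." with nothing pointing to where extensions are defined. Since this change adds an "Extensions" section further down, a short pointer here (for example "The defined extensions are listed in the Extensions section below.") would keep a reader of the field description from assuming none exist.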
@@ -172,6 +172,28 @@ force-command string Specifies a command that is executed | |||
172 | ssh command-line) whenever this key is | 172 | ssh command-line) whenever this key is |
173 | used for authentication. | 173 | used for authentication. |
174 | 174 | ||
175 | source-address string Comma-separated list of source addresses | ||
176 | from which this certificate is accepted | ||
177 | for authentication. Addresses are | ||
178 | specified in CIDR format (nn.nn.nn.nn/nn | ||
179 | or hhhh::hhhh/nn). | ||
180 | If this option is not present then | ||
181 | certificates may be presented from any | ||
182 | source address. | ||
183 | |||
184 | Extensions | ||
185 | ---------- | ||
186 | |||
187 | The extensions section of the certificate specifies zero or more | ||
188 | non-critical certificate extensions. The encoding of extensions in this | ||
189 | field is identical to that of the critical options. If an implementation | ||
190 | does not recognise an extension, then it should ignore it. | ||
191 | |||
192 | The supported extensions and the contents and structure of their data | ||
193 | fields are: | ||
194 | |||
195 | Name Format Description | ||
196 | ----------------------------------------------------------------------------- | ||
175 | permit-X11-forwarding empty Flag indicating that X11 forwarding | 197 | permit-X11-forwarding empty Flag indicating that X11 forwarding |
176 | should be permitted. X11 forwarding will | 198 | should be permitted. X11 forwarding will |
177 | be refused if this option is absent. | 199 | be refused if this option is absent. |
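Review bot: the new Extensions text at lines 189-190 says an implementation "should ignore" an unrecognised extension, while the field description at lines 133-134 says it "may safely ignore it"; pick one wording so the requirement level is unambiguous. It would also help to state in this section that the listed extensions only grant features (the permit-X11-forwarding entry says forwarding is refused when the flag is absent), so an implementation that ignores one fails closed, whereas a restriction such as source-address stays with the critical options because ignoring it would widen where the certificate is accepted.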
@@ -196,13 +218,4 @@ permit-user-rc empty Flag indicating that execution of | |||
196 | of this script will not be permitted if | 218 | of this script will not be permitted if |
197 | this option is not present. | 219 | this option is not present. |
198 | 220 | ||
199 | source-address string Comma-separated list of source addresses | 221 | $OpenBSD: PROTOCOL.certkeys,v 1.6 2010/05/20 23:46:02 djm Exp $ |
200 | from which this certificate is accepted | ||
201 | for authentication. Addresses are | ||
202 | specified in CIDR format (nn.nn.nn.nn/nn | ||
203 | or hhhh::hhhh/nn). | ||
204 | If this option is not present then | ||
205 | certificates may be presented from any | ||
206 | source address. | ||
207 | |||
208 | $OpenBSD: PROTOCOL.certkeys,v 1.5 2010/05/01 02:50:50 djm Exp $ | ||
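Review bot: the permit-user-rc entry kept as context at lines 218-219 still reads "this option is not present", and the permit-X11-forwarding entry at line 199 says "if this option is absent", although both now sit under Extensions. Rewording these to "this extension" would avoid confusion with the critical options, where an unrecognised name means the key must be refused.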