path: root/PROTOCOL.certkeys
author: Damien Miller <djm@mindrot.org> 2010-05-21 14:58:32 +1000
committer: Damien Miller <djm@mindrot.org> 2010-05-21 14:58:32 +1000
commit: d0e4a8e2e0bc6fcee6cd8486fbcdffaf7d037aed
tree: a5e02fcbb2a55a16b877e960edd2b8f1adde8389 /PROTOCOL.certkeys
parent: 84399555f0a3c78b96c3e5a56ce9c83eaa814228
- djm@cvs.openbsd.org 2010/05/20 23:46:02
[PROTOCOL.certkeys auth-options.c ssh-keygen.c] Move the permit-* options to the non-critical "extensions" field for v01 certificates. The logic is that if another implementation fails to implement them then the connection just loses features rather than fails outright. ok markus@
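As an added illustration of the fail-closed/fail-open split the commit message argues for (example code written for this page, not OpenSSH's own; the validate() helper, its return shape, and the use of Python's ipaddress module for the source-address CIDR match are this example's assumptions): a validator that refuses a certificate carrying a critical option it does not recognise, but silently drops an extension it does not recognise, with every permit-* flag defaulting to refused when absent. The field encoding (a sequence of SSH strings: name, data; flag data empty, string-valued data wrapped in a further string) and the option and extension names follow PROTOCOL.certkeys.

```python
"""Added example (not OpenSSH code): critical options vs. extensions in
an OpenSSH v01 certificate.  An unrecognised critical option makes the
certificate unusable; an unrecognised extension is simply not granted.
validate() and its return shape are this example's own."""
import ipaddress
import struct


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Read one SSH string at buf[off:]; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def encode_options(options):
    """Encode {name: value} as an options/extensions field.  value None is
    a flag (empty data); a str is carried as a string inside data.  Names
    are emitted in lexical order, which the certificate format expects."""
    out = b""
    for name in sorted(options):
        value = options[name]
        out += put_string(name.encode())
        out += put_string(b"" if value is None else put_string(value.encode()))
    return out


def decode_options(field: bytes):
    """Parse a field into a list of (name, data) pairs; duplicates rejected."""
    pairs, seen, off = [], set(), 0
    while off < len(field):
        name, off = get_string(field, off)
        data, off = get_string(field, off)
        name = name.decode()
        if name in seen:
            raise ValueError("duplicate option %r" % name)
        seen.add(name)
        pairs.append((name, data))
    return pairs


KNOWN_CRITICAL = {"force-command", "source-address"}
KNOWN_EXTENSIONS = {
    "permit-X11-forwarding", "permit-agent-forwarding",
    "permit-port-forwarding", "permit-pty", "permit-user-rc",
}


def _unwrap(data: bytes) -> str:
    """String-valued options carry their value as a string inside data."""
    value, end = get_string(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after option value")
    return value.decode()


def validate(critical_field: bytes, extensions_field: bytes, client_addr: str):
    """Return (accepted, permissions, reason).  permissions maps each
    permit-* extension to True/False (absent means refused) and carries
    the force-command value or None."""
    perms = {name: False for name in KNOWN_EXTENSIONS}
    perms["force-command"] = None
    try:
        for name, data in decode_options(critical_field):
            if name not in KNOWN_CRITICAL:
                # Critical: refusing is the only safe answer.
                return False, {}, "unrecognised critical option %r" % name
            value = _unwrap(data)
            if name == "force-command":
                perms["force-command"] = value
            else:  # source-address: comma-separated CIDR list
                nets = [ipaddress.ip_network(c.strip()) for c in value.split(",")]
                if not any(ipaddress.ip_address(client_addr) in n for n in nets):
                    return False, {}, "source address %s not permitted" % client_addr
        for name, data in decode_options(extensions_field):
            if name not in KNOWN_EXTENSIONS:
                continue  # Extension: unknown means the feature is just not granted.
            if data != b"":
                return False, {}, "flag extension %r carries data" % name
            perms[name] = True
    except ValueError as e:
        return False, {}, "malformed certificate: %s" % e
    return True, perms, "ok"
```

Calling validate() on a certificate limited to 10.0.0.0/8 returns (True, perms, "ok") from 10.1.2.3 and a refusal from 192.0.2.1. Because a missing permit-* flag means refused, an older validator that ignores a newer extension can never grant more than it understands; the same does not hold for source-address, which is why that one stays critical.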
Diffstat (limited to 'PROTOCOL.certkeys')
-rw-r--r--  PROTOCOL.certkeys  35
1 files changed, 24 insertions, 11 deletions
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index 0fa5748f3..81b02a078 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -131,7 +131,7 @@ must refuse to authorise a key that has an unrecognised option.
131 131
132extensions is a set of zero or more optional extensions. These extensions 132extensions is a set of zero or more optional extensions. These extensions
133are not critical, and an implementation that encounters one that it does 133are not critical, and an implementation that encounters one that it does
134not recognise may safely ignore it. No extensions are defined at present. 134not recognise may safely ignore it.
135 135
136The reserved field is currently unused and is ignored in this version of 136The reserved field is currently unused and is ignored in this version of
137the protocol. 137the protocol.
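Review bot: dropping "No extensions are defined at present." from line 134 leaves the field description without any hint that extension names are now listed elsewhere in the document; consider replacing the sentence with a pointer such as "The extensions currently defined are listed below." so a reader of the field list does not conclude the field is always empty. The "may safely ignore it" wording kept here should also use the same verb as the normative text where the extensions are defined.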
@@ -172,6 +172,28 @@ force-command string Specifies a command that is executed
172 ssh command-line) whenever this key is 172 ssh command-line) whenever this key is
173 used for authentication. 173 used for authentication.
174 174
175source-address string Comma-separated list of source addresses
176 from which this certificate is accepted
177 for authentication. Addresses are
178 specified in CIDR format (nn.nn.nn.nn/nn
179 or hhhh::hhhh/nn).
180 If this option is not present then
181 certificates may be presented from any
182 source address.
183
184Extensions
185----------
186
187The extensions section of the certificate specifies zero or more
188non-critical certificate extensions. The encoding of extensions in this
189field is identical to that of the critical options. If an implementation
190does not recognise an extension, then it should ignore it.
191
192The supported extensions and the contents and structure of their data
193fields are:
194
195Name Format Description
196-----------------------------------------------------------------------------
175permit-X11-forwarding empty Flag indicating that X11 forwarding 197permit-X11-forwarding empty Flag indicating that X11 forwarding
176 should be permitted. X11 forwarding will 198 should be permitted. X11 forwarding will
177 be refused if this option is absent. 199 be refused if this option is absent.
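Review bot: the permit-X11-forwarding row carried into the new Extensions table still calls itself an "option" ("X11 forwarding will be refused if this option is absent", lines 198-199), which now reads as if it were a critical option; change "option" to "extension" in these descriptions. Line 190 also says an unrecognised extension "should" be ignored while the field description earlier in the file says it "may safely" be ignored; pick one. The security split itself is right: every permit-* flag is refused when absent, so ignoring an unknown permit-* extension only loses a capability, whereas source-address (lines 175-182) restricts where the certificate is accepted and would be widened if ignored, so it correctly stays critical.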
@@ -196,13 +218,4 @@ permit-user-rc empty Flag indicating that execution of
196 of this script will not be permitted if 218 of this script will not be permitted if
197 this option is not present. 219 this option is not present.
198 220
199source-address string Comma-separated list of source addresses 221$OpenBSD: PROTOCOL.certkeys,v 1.6 2010/05/20 23:46:02 djm Exp $
200 from which this certificate is accepted
201 for authentication. Addresses are
202 specified in CIDR format (nn.nn.nn.nn/nn
203 or hhhh::hhhh/nn).
204 If this option is not present then
205 certificates may be presented from any
206 source address.
207
208$OpenBSD: PROTOCOL.certkeys,v 1.5 2010/05/01 02:50:50 djm Exp $
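Review bot: with the source-address rows (old lines 199-206) removed, every remaining row of this table is a flag whose absence means refused, so the fail-safe argument in the commit message holds for the whole table; the one leftover from the old placement is the permit-user-rc context at lines 218-219, "this option is not present", which should now read "extension" to match the new heading. The $OpenBSD$ revision bump to v 1.6 is consistent with the commit date.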