diff options
| author | Damien Miller <djm@mindrot.org> | 2010-05-10 11:58:03 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-05-10 11:58:03 +1000 |
| commit | 30da3447d2ef3329cb0eb083cdddf84532659454 (patch) | |
| tree | 02537d2355d77cc15d1bf9d266d474e660848012 /sshd.8 | |
| parent | 099fc1634e1cc0f96b77a811e554bf9d796def8f (diff) | |
- djm@cvs.openbsd.org 2010/05/07 11:30:30
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
[key.c servconf.c servconf.h sshd.8 sshd_config.5]
add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.
If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.
feedback and ok markus@
Diffstat (limited to 'sshd.8')
| -rw-r--r-- | sshd.8 | 15 |
1 files changed, 13 insertions, 2 deletions
| @@ -34,8 +34,8 @@ | |||
| 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 36 | .\" | 36 | .\" |
| 37 | .\" $OpenBSD: sshd.8,v 1.255 2010/03/05 06:50:35 jmc Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.256 2010/05/07 11:30:30 djm Exp $ |
| 38 | .Dd $Mdocdate: March 5 2010 $ | 38 | .Dd $Mdocdate: May 7 2010 $ |
| 39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
| 40 | .Os | 40 | .Os |
| 41 | .Sh NAME | 41 | .Sh NAME |
| @@ -602,6 +602,17 @@ Multiple | |||
| 602 | options may be applied separated by commas. | 602 | options may be applied separated by commas. |
| 603 | No pattern matching is performed on the specified hostnames, | 603 | No pattern matching is performed on the specified hostnames, |
| 604 | they must be literal domains or addresses. | 604 | they must be literal domains or addresses. |
| 605 | .It Cm principals="principals" | ||
| 606 | On a | ||
| 607 | .Cm cert-authority | ||
| 608 | line, specifies allowed principals for certificate authentication as a | ||
| 609 | comma-separated list. | ||
| 610 | At least one name from the list must appear in the certificate's | ||
| 611 | list of principals for the certificate to be accepted. | ||
| 612 | This option is ignored for keys that are not marked as trusted certificate | ||
| 613 | signers using the | ||
| 614 | .Cm cert-authority | ||
| 615 | option. | ||
| 605 | .It Cm tunnel="n" | 616 | .It Cm tunnel="n" |
| 606 | Force a | 617 | Force a |
| 607 | .Xr tun 4 | 618 | .Xr tun 4 |