lei yuan
2010-Oct-14 06:02 UTC
About new feature option AuthorizedPrincipalsFile in openssh5.6
hi,all i've read the openssh5.6 new feature document about new option AuthorizedPrincipalsFile,and tried to config the sshd_config for a lot times,but still not succeed. maybe i am still ambiguously about the document's meaning. The main problem is i don't know what's the content(or file format) in the file that specifed by the AuthorizedPrincipalsFile option. could you give me a example file of AuthorizedPrincipalsFile's specify file or explains the file content in details ? i would be appreciated if you could give me some help.
Damien Miller
2010-Oct-14 10:47 UTC
About new feature option AuthorizedPrincipalsFile in openssh5.6
On Thu, 14 Oct 2010, lei yuan wrote:> hi,all > > i've read the openssh5.6 new feature document about new option > AuthorizedPrincipalsFile,and tried to config the sshd_config for a lot > times,but still not succeed. > maybe i am still ambiguously about the document's meaning. > The main problem is i don't know what's the content(or file format) in the > file that specifed by the AuthorizedPrincipalsFile option. > could you give me a example file of AuthorizedPrincipalsFile's specify file > or explains the file content in details ? > i would be appreciated if you could give me some help.Are you using certificate authentication? AuthorizedPrincipalsFile is only useful with certificates, so if you aren't using them then stop reading now :) The format of the file is one certificate principal name per line, optionally preceeded by key options similar to those in authorized_keys. For example, the following could be valid lines: djm djm at mindrot.org djm/rsync from="172.16.0.0/16" djm and so forth. If the certificate is valid, and any principal name in AuthorizedPrincipalsFile matches any principal name in the certificate and if the key options (if any) do not disallow the line, then the certificate will be accepted. -d
Possibly Parallel Threads
- SSH certificates - restricting to host groups
- SSH certificates - restricting to host groups
- [Bug 2487] New: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs
- Certificates and authorized principals
- File Offsets for SCP (patch)