bugzilla-daemon at mindrot.org
2006-Apr-08 02:53 UTC
[Bug 1180] Add finer-grained controls to sshd
http://bugzilla.mindrot.org/show_bug.cgi?id=1180

Summary: Add finer-grained controls to sshd
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: dtucker at zip.com.au

sshd's controls (eg PasswordAuthentication and so forth) are quite coarse. It would be nice if there were finer-grained controls.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Apr-08 03:04 UTC
[Bug 1180] Add finer-grained controls to sshd
http://bugzilla.mindrot.org/show_bug.cgi?id=1180

------- Comment #1 from dtucker at zip.com.au 2006-04-08 13:04 -------
Created an attachment (id=1118)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1118&action=view)
Add "Match" keyword to sshd_config

This patch (against 4.3p2) extends sshd_config to support syntax such as:

    AllowTcpForwarding no

    Match Address 192.168.32.*,127.0.0.1
        AllowTcpForwarding yes
        GatewayPorts no

    Match User bar,baz
        AllowTcpForwarding yes

    Match Host t*
        AllowTcpForwarding yes

The criteria currently supported by Match are "User [user pattern-list]", "Group [group pattern]", "Address [address pattern-list]" and "Host [host pattern-list]". Multiple criteria may be specified on a single Match line, if so all criteria must match before the Match block takes effect (ie it is a logical AND).

The directives supported inside a "Match" block are: AcceptEnv, AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysFile2, Banner, ChallengeResponseAuthentication, ChallengeResponseAuthentication, ClientAliveCountMax, ClientAliveInterval, GatewayPorts, GssAuthentication, GssCleanupCreds, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IgnoreRhosts, IgnoreUserKnownHosts, KbdInteractiveAuthentication, KerberosAuthentication, KerberosGetAFSToken, KerberosOrLocalPasswd, KerberosTicketCleanup, LogFacility, LogLevel, LoginGraceTime, MaxAuthTries, PasswordAuthentication, PermitEmptyPasswd, PermitRootLogin, PermitTunnel, PermitUserEnvironment, PrintLastLog, PrintMotd, PubkeyAuthentication, PubkeyAuthentication, RSAAuthentication, RhostsRSAAuthentication, StrictModes, UseLogin, UsePAM, X11DisplayOffset, X11Forwarding, X11UseLocalhost, XAuthLocation.

Only a (small) subset of these have been tested.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
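
An added example, not part of the bug report or the attached patch: a small Python model of the Match semantics described in comment #1, useful for checking which settings a given connection would end up with when auditing a config. The function names and the connection dictionary are hypothetical; it assumes patterns use only '*' and '?' wildcards and that the first value seen for a keyword wins (as in released OpenSSH, not confirmed for this patch).

```python
import re

SAMPLE_CONFIG = """\
AllowTcpForwarding no

Match Address 192.168.32.*,127.0.0.1
    AllowTcpForwarding yes
    GatewayPorts no

Match User bar,baz
    AllowTcpForwarding yes

Match Host t*
    AllowTcpForwarding yes
"""

def glob_match(pattern, value):
    # Only '*' and '?' are wildcards (assumption); everything else is literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def list_match(pattern_list, values):
    # True if any comma-separated pattern matches any candidate value.
    return any(glob_match(p, v) for p in pattern_list.split(",") for v in values)

def block_applies(criteria, conn):
    # criteria: [("Address", "192.168.32.*,127.0.0.1"), ...]; all must match (logical AND).
    facts = {"user": [conn["user"]], "group": conn["groups"],
             "address": [conn["address"]], "host": [conn["host"]]}
    return all(list_match(pats, facts[name.lower()]) for name, pats in criteria)

def effective_settings(config_text, conn):
    global_opts, match_opts = {}, {}
    target, active = global_opts, True  # the global section always applies
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0].lower() == "match":
            if len(words) < 3 or len(words) % 2 == 0:
                raise ValueError("Match needs criterion/pattern pairs: " + raw)
            target = match_opts
            active = block_applies(list(zip(words[1::2], words[2::2])), conn)
        elif active:
            target.setdefault(words[0].lower(), " ".join(words[1:]))
    return {**global_opts, **match_opts}  # Match values override global ones
```

Running it against every (user, address, host) combination you care about shows where a broad pattern such as "Match Host t*" re-enables a feature that the global section turned off.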