bugzilla-daemon at mindrot.org
2006-Apr-08 02:53 UTC
[Bug 1180] Add finer-grained controls to sshd
http://bugzilla.mindrot.org/show_bug.cgi?id=1180
Summary: Add finer-grained controls to sshd
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: dtucker at zip.com.au
sshd's controls (eg PasswordAuthentication and so forth) are quite coarse. It would be nice if there were finer-grained controls.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Apr-08 03:04 UTC
[Bug 1180] Add finer-grained controls to sshd
http://bugzilla.mindrot.org/show_bug.cgi?id=1180
------- Comment #1 from dtucker at zip.com.au 2006-04-08 13:04 -------
Created an attachment (id=1118)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1118&action=view)
Add "Match" keyword to sshd_config
This patch (against 4.3p2) extends sshd_config to support syntax such as:
AllowTcpForwarding no
Match Address 192.168.32.*,127.0.0.1
    AllowTcpForwarding yes
    GatewayPorts no
Match User bar,baz
    AllowTcpForwarding yes
Match Host t*
    AllowTcpForwarding yes
The criteria currently supported by Match are "User [user pattern-list]", "Group [group pattern]", "Address [address pattern-list]" and "Host [host pattern-list]". Multiple criteria may be specified on a single Match line, if so all criteria must match before the Match block takes effect (ie it is a logical AND).
The directives supported inside a "Match" block are:
AcceptEnv, AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysFile2, Banner,
ChallengeResponseAuthentication, ChallengeResponseAuthentication,
ClientAliveCountMax, ClientAliveInterval, GatewayPorts, GssAuthentication,
GssCleanupCreds, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
IgnoreRhosts, IgnoreUserKnownHosts, KbdInteractiveAuthentication,
KerberosAuthentication, KerberosGetAFSToken, KerberosOrLocalPasswd,
KerberosTicketCleanup, LogFacility, LogLevel, LoginGraceTime, MaxAuthTries,
PasswordAuthentication, PermitEmptyPasswd, PermitRootLogin, PermitTunnel,
PermitUserEnvironment, PrintLastLog, PrintMotd, PubkeyAuthentication,
PubkeyAuthentication, RSAAuthentication, RhostsRSAAuthentication, StrictModes,
UseLogin, UsePAM, X11DisplayOffset, X11Forwarding, X11UseLocalhost,
XAuthLocation. Only a (small) subset of these have been tested.
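Added example, not part of the original bug comment or the attached patch: a small Python evaluator that resolves the sample configuration from comment #1 for one connection and applies the logical AND of the criteria on a Match line. It assumes a matching block overrides the global section and that the first matching block to set a keyword wins (the behaviour documented for released OpenSSH; the attached patch may differ). The names effective_config, pattern_list_matches and the conn dictionary are hypothetical, and Group is compared against a single group name.

```python
import re

# Constructed sample: the sshd_config fragment quoted in comment #1.
SAMPLE = """\
AllowTcpForwarding no
Match Address 192.168.32.*,127.0.0.1
    AllowTcpForwarding yes
    GatewayPorts no
Match User bar,baz
    AllowTcpForwarding yes
Match Host t*
    AllowTcpForwarding yes
"""

CRITERIA = {"user", "group", "address", "host"}

def pattern_list_matches(patterns, value):
    """True if value matches any comma-separated pattern ('*' and '?' wildcards)."""
    for pat in patterns.split(","):
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
        if re.fullmatch(rx, value):
            return True
    return False

def effective_config(text, conn):
    """Resolve settings for one connection; conn maps criterion name -> value."""
    global_opts, match_opts, active, in_match = {}, {}, True, False
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":
            if len(args) < 2 or len(args) % 2:
                raise ValueError(f"bad Match line: {raw!r}")
            in_match, active = True, True
            for crit, pats in zip(args[0::2], args[1::2]):
                if crit.lower() not in CRITERIA:
                    raise ValueError(f"unsupported criterion: {crit}")
                # Logical AND: one failed criterion disables the whole block.
                active = active and pattern_list_matches(pats, conn.get(crit.lower(), ""))
        elif in_match:
            if active:
                match_opts.setdefault(key, " ".join(args))  # first matching block wins
        else:
            global_opts.setdefault(key, " ".join(args))  # first global value wins
    return {**global_opts, **match_opts}
```

Running it against a proposed configuration for a few representative connections shows which users or source addresses end up with a relaxed setting such as AllowTcpForwarding yes before the file is deployed.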