bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-28 21:12 UTC
[Bug 1326] New: Allow non-public-key credentials in authorized_keys file (Kerberos, etc.)
http://bugzilla.mindrot.org/show_bug.cgi?id=1326
Summary: Allow non-public-key credentials in authorized_keys file (Kerberos, etc.)
Product: Portable OpenSSH
Version: 4.4p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Kerberos support
AssignedTo: bitbucket at mindrot.org
ReportedBy: Markus.Kuhn at cl.cam.ac.uk
At present, the ~/.ssh/authorized_keys file serves two functions:
- list RSA or DSA keys that are authorized as login credentials
- define policy restrictions (command=, from=, etc.) for each
Unfortunately, all the wonderful policy restrictions that
authorized_keys allows are currently only available for public-key
authentication. It would be extremely useful if authorized_keys
also supported the other authentication methods supported by ssh, not
just ssh-rsa and ssh-dsa, such that these can also be restricted with
policy options such as command, from, etc.
Most importantly, it should be possible to name and restrict a
GSSAPI/Kerberos principal in an authorized_keys file. Example:
from="*.bla.com" ssh-rsa AAAAB3NzaC1yc2EAAAA....
from="*.bla.com" ssh-gssapi johndoe at bla.com
from="*.bla.com" ssh-md5password fa45c39ad35d1efa635916459dac4bed
command="/bin/helpdesk" ssh-md5password 163fa56fade48646fa4562ecb6b7901
The authorized_keys file could even be renamed to
authorized_credentials, to reflect that it is a list of credentials
that are authorized for login, which includes, but is not restricted
to, RSA and DSA keys.
For Kerberos logins, the extended syntax of the authorized_keys file
that I propose would allow me to list authorized Kerberos principals
whose name is not identical to the local user name, just as with RSA
or DSA there is no need for the login names to be identical on the ssh
client and server side.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-28 22:06 UTC
[Bug 1326] Allow non-public-key credentials in authorized_keys file (Kerberos, etc.)
http://bugzilla.mindrot.org/show_bug.cgi?id=1326
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2007-06-29 08:06:50 ---
(In reply to comment #0)
> At present, the ~/.ssh/authorized_keys file serves two functions:
>
> - list RSA or DSA keys that are authorized as login credentials
>
> - define policy restrictions (command=, from=, etc.) for each
>
> Unfortunately, all the wonderful policy restrictions that
> authorized_keys allows are currently only available for public-key
> authentication.
Actually that's no longer the case. In the most recent versions, the
policy restrictions are also available in sshd_config via Match,
ForceCommand, PermitOpen and so on.
You can implement some parts of your example with those, for example:
Match User gssapiuser Host *.blah.com
    GSSAPIAuthentication yes
    PasswordAuthentication yes
    ForceCommand /bin/helpdesk
Match User gssapiuser
    GSSAPIAuthentication no
    PasswordAuthentication no
    ForceCommand /bin/helpdesk
would allow the user "gssapiuser" to authenticate using gssapi or
password only from machines in the blah.com domain, and only allow them
to run the /bin/helpdesk program no matter how they authenticated.
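The Match semantics that comment #1 relies on, as an added example (not OpenSSH code and not part of this thread): a small Python evaluator that parses an sshd_config fragment containing Match blocks and computes the options sshd would apply to a given user and client host. It models only the User and Host criteria, and it assumes, per sshd_config(5), that Match Host compares against the client's reverse-DNS name, which requires UseDNS yes; with UseDNS no only addresses can match.

```python
"""Toy sshd_config Match evaluator, User/Host criteria only (added example, not OpenSSH code)."""
from fnmatch import fnmatchcase
# Constructed from the sshd_config example in comment #1 of this bug.
SSHD_CONFIG = """
PasswordAuthentication no
Match User gssapiuser Host *.blah.com
    GSSAPIAuthentication yes
    PasswordAuthentication yes
    ForceCommand /bin/helpdesk
Match User gssapiuser
    GSSAPIAuthentication no
    PasswordAuthentication no
    ForceCommand /bin/helpdesk
"""
def pattern_matches(pattern_list, value):
    """OpenSSH-style pattern list: comma-separated globs; a '!' entry negates."""
    matched = False
    for pat in pattern_list.split(","):
        if fnmatchcase(value, pat.lstrip("!")):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def parse_config(text):
    """Return (global_opts, [(criteria, opts), ...]) in file order."""
    global_opts, blocks, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword.lower() == "match":
            words = rest.split()  # criterion pattern criterion pattern ...
            current = (dict(zip(words[::2], words[1::2])), {})
            blocks.append(current)
        else:  # within one section the first value given for a keyword wins
            (global_opts if current is None else current[1]).setdefault(keyword, rest)
    return global_opts, blocks

def effective_options(text, user, host):
    """Options sshd applies for (user, host): a matching Match block overrides the
    global section and, when several match, the first to set a keyword wins."""
    global_opts, blocks = parse_config(text)
    conn, matched = {"User": user, "Host": host}, {}
    for criteria, opts in blocks:
        if all(pattern_matches(p, conn[c]) for c, p in criteria.items()):
            for keyword, value in opts.items():
                matched.setdefault(keyword, value)
    return {**global_opts, **matched}
```

On a real server the same question is answered by `sshd -T -C user=gssapiuser,host=desk1.blah.com,addr=192.0.2.10`, which prints the configuration sshd would use for that connection.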
bugzilla-daemon at bugzilla.mindrot.org
2010-Jan-13 00:24 UTC
[Bug 1326] Allow non-public-key credentials in authorized_keys file (Kerberos, etc.)
https://bugzilla.mindrot.org/show_bug.cgi?id=1326
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2010-01-13 11:24:14 EST ---
I think the Match capability provides the requested functionality, so
I'm closing. Thanks for the suggestion, but I don't think we'll be
doing this.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-16 05:50 UTC
[Bug 1326] Allow non-public-key credentials in authorized_keys file (Kerberos, etc.)
https://bugzilla.mindrot.org/show_bug.cgi?id=1326
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> 2010-04-16 15:50:43 EST ---
Mass move of bugs RESOLVED->CLOSED following the release of
openssh-5.5p1
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-16 10:41 UTC
[Bug 1326] Allow non-public-key credentials in authorized_keys file (Kerberos, etc.)
https://bugzilla.mindrot.org/show_bug.cgi?id=1326
Markus Kuhn <Markus.Kuhn at cl.cam.ac.uk> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|CLOSED |REOPENED
Resolution|WONTFIX |
--- Comment #4 from Markus Kuhn <Markus.Kuhn at cl.cam.ac.uk> 2010-04-16 20:41:02 EST ---
But the Match capability of /etc/ssh/sshd_config is only accessible to
the system administrator, and there seems nothing equivalent that the
user can do themselves in ~/.ssh/.
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-29 14:58 UTC
[Bug 1326] Allow non-public-key credentials in authorized_keys file (Kerberos, etc.)
https://bugzilla.mindrot.org/show_bug.cgi?id=1326
Matthew N. Dodd <matthew.nygard.dodd at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |matthew.nygard.dodd at gmail.com
See Also| |https://bugzilla.mindrot.org/show_bug.cgi?id=1927