bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-21 14:12 UTC
[Bug 2696] New: Allow to restrict access to service using authentication indicators
https://bugzilla.mindrot.org/show_bug.cgi?id=2696
Bug ID: 2696
Summary: Allow to restrict access to service using
authentication indicators
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Keywords: patch
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 2965
--> https://bugzilla.mindrot.org/attachment.cgi?id=2965&action=edit
allow specify auth-indicators
Kerberos 1.14 introduced authentication indicators [1], which allow us
to distinguish the methods used to acquire a specific Kerberos token.
This policy can be specified either on the KDC side (you will not be
granted a ticket for the SSH service) or on the side of the service (as
implemented here).
The authentication indicators are exposed to the service as named
attributes and are therefore simply accessible. This change also implements
a new configuration option, GSSAPIRequiredAuthIndicators, which allows
specifying a space-separated list of indicators that are eligible to access
this service.
[1] https://k5wiki.kerberos.org/wiki/Projects/Authentication_indicator
--
You are receiving this mail because:
You are watching the assignee of the bug.
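The service-side decision described in the report above, as an added example (not the code from attachment 2965 and not OpenSSH code). It assumes that one matching indicator is enough and that a ticket without indicators is refused once the option is set; the function names and the sample indicator values are hypothetical, and in sshd the indicators would come from the named attributes of the GSSAPI client name.

```c
#include <stdio.h>
#include <string.h>

/* Whole-token match of `indicator` against a space-separated list,
 * so "otp" in the list does not admit a ticket marked "totp". */
static int indicator_in_list(const char *allowed, const char *indicator)
{
    size_t ilen = strlen(indicator);

    if (ilen == 0)
        return 0;
    while (*allowed != '\0') {
        size_t tok;
        allowed += strspn(allowed, " \t");      /* skip separators */
        tok = strcspn(allowed, " \t");          /* length of this token */
        if (tok == ilen && memcmp(allowed, indicator, ilen) == 0)
            return 1;
        allowed += tok;
    }
    return 0;
}

/* required == NULL: option not set, no restriction (assumption).
 * Otherwise at least one indicator carried by the ticket must be listed;
 * a ticket with no indicators is refused (fail closed, assumption). */
int auth_indicators_permit(const char *required,
                           const char *const *ticket_ind, size_t n)
{
    size_t i;

    if (required == NULL)
        return 1;
    for (i = 0; i < n; i++)
        if (ticket_ind[i] != NULL && indicator_in_list(required, ticket_ind[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample values, as if taken from GSSAPIRequiredAuthIndicators. */
    const char *required = "pkinit otp";
    const char *with_otp[] = { "otp" };
    const char *lookalike[] = { "totp" };

    printf("otp ticket:      %d\n", auth_indicators_permit(required, with_otp, 1));
    printf("totp ticket:     %d\n", auth_indicators_permit(required, lookalike, 1));
    printf("no indicators:   %d\n", auth_indicators_permit(required, NULL, 0));
    return 0;
}
```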
bugzilla-daemon at bugzilla.mindrot.org
2017-May-01 08:25 UTC
[Bug 2696] Allow to restrict access to service using authentication indicators
https://bugzilla.mindrot.org/show_bug.cgi?id=2696
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
err, I meant "breaks the transparency of ssh-add"
bugzilla-daemon at bugzilla.mindrot.org
2017-May-01 08:25 UTC
[Bug 2696] Allow to restrict access to service using authentication indicators
https://bugzilla.mindrot.org/show_bug.cgi?id=2696
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
oops, wrong bug
bugzilla-daemon at bugzilla.mindrot.org
2017-May-31 07:19 UTC
[Bug 2696] Allow to restrict access to service using authentication indicators
https://bugzilla.mindrot.org/show_bug.cgi?id=2696
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|sshd |Kerberos support
--- Comment #3 from Jakub Jelen <jjelen at redhat.com> ---
Adjusting to the correct component. Any feedback would be welcomed.