bugzilla-daemon at mindrot.org
2022-Jun-03 11:02 UTC
[Bug 3440] New: RFE: be able to use "Match exec" on SSHD server side
https://bugzilla.mindrot.org/show_bug.cgi?id=3440

            Bug ID: 3440
           Summary: RFE: be able to use "Match exec" on SSHD server side
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: rmetrich at redhat.com

We have customers at Red Hat wanting to have a different SSHD
configuration snippet based on the user's name (e.g. to force
keyboard-interactive authentication when the user is "LLNNNNN"
(L = letter, N = digit)).

The "User" token pattern matching isn't smart enough to filter this kind
of "LLNNNNN" pattern.
IMHO this requires having the possibility to use the "exec" token in a
Match stanza on the server side, but this isn't possible for now:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
     Match
             Introduces a conditional block.
             [...]
             The arguments to Match are one or more criteria-pattern pairs or
             the single token All which matches all criteria.  The available
             criteria are User, Group, Host, LocalAddress, LocalPort, RDomain,
             and Address (with RDomain representing the rdomain(4) on which the
             connection was received).
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Allowing the use of "exec" would enable having tons of customizations
possible.

Additionally there is no simple workaround available for now: it
requires having multiple SSHD instances, one for "normal users" and one
for "LLNNNNN" users, but this isn't enough, it also requires crafting a
PAM module to prohibit the "LLNNNNN" users from connecting through the
"normal users" instance, which makes the workaround difficult to
implement.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Jun-24 05:01 UTC
[Bug 3440] RFE: be able to use "Match exec" on SSHD server side
https://bugzilla.mindrot.org/show_bug.cgi?id=3440

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Adding "match exec" to the server will probably not happen - it's fairly
risky and would make it easy for users to allow DoS.

This seems like something that could be done using a PAM module +
AuthenticationMethods though
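The limitation the report describes (a "Match User" pattern cannot express "two letters followed by five digits") and the direction comment #1 points at (make that decision somewhere other than the sshd Match parser) are easier to see with the matching rules written out. The following is an added example and is not code from OpenSSH or from anyone in this thread: it re-implements, in Python, the pattern semantics documented in the PATTERNS section of ssh_config(5) ("*" and "?" wildcards, comma-separated pattern lists, "!" negation) and compares what "Match User ???????" would decide against a regular-expression rule standing in for the policy a PAM module or external program could apply. The user names, the `LLNNNNN` regex and the helper names are assumptions made for the illustration.

```python
"""Emulate the pattern matching sshd applies to 'Match User' criteria.

Added illustration, not OpenSSH code: the semantics follow the PATTERNS
section of ssh_config(5); OpenSSH's own C implementation (match.c) is not
reproduced here.
"""
import re


def match_pattern(s: str, pattern: str) -> bool:
    """Single pattern: '*' matches any run of characters, '?' exactly one.

    There are no character classes, which is exactly why "LLNNNNN" cannot
    be expressed as a Match pattern.
    """
    if pattern == "":
        return s == ""
    if pattern[0] == "*":
        # '*' may absorb zero or more characters; try every split point.
        return any(match_pattern(s[i:], pattern[1:]) for i in range(len(s) + 1))
    if s == "":
        return False
    if pattern[0] == "?" or pattern[0] == s[0]:
        return match_pattern(s[1:], pattern[1:])
    return False


def match_pattern_list(s: str, pattern_list: str) -> int:
    """Comma-separated list with '!' negation, as documented for sshd.

    Returns 1 on a positive match, 0 on no match, and -1 as soon as a negated
    entry matches (a negated match overrides any earlier positive match).
    """
    got_positive = False
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if match_pattern(s, sub):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0


def match_user(user: str, pattern_list: str) -> bool:
    """What a 'Match User <pattern_list>' line would decide for this user."""
    return match_pattern_list(user, pattern_list) == 1


# Hypothetical policy check (assumption for this example), standing in for the
# decision a PAM module or external program would make: two letters then five
# digits, i.e. the "LLNNNNN" shape from the bug report.
LLNNNNN = re.compile(r"[A-Za-z]{2}[0-9]{5}")


def is_llnnnnn(user: str) -> bool:
    """True only for names of the LLNNNNN shape."""
    return LLNNNNN.fullmatch(user) is not None


def compare(users, glob_pattern="???????"):
    """Per user name: (decision of 'Match User ???????', decision of the
    LLNNNNN rule). The two disagree for 7-character names that are not
    LLNNNNN, which is the gap Match cannot close on its own."""
    return {u: (match_user(u, glob_pattern), is_llnnnnn(u)) for u in users}


if __name__ == "__main__":
    # Constructed sample user names, not taken from the bug report.
    sample = ["AB12345", "1234567", "ABCDEFG", "alice", "root"]
    for user, (by_match, by_rule) in compare(sample).items():
        print(f"{user:8} Match User ???????: {str(by_match):5}  LLNNNNN rule: {by_rule}")
    # Negation example: '*,!root' matches everyone except root.
    print("root under '*,!root':", match_user("root", "*,!root"))
```

The closest a real sshd_config can get is `Match User ???????`, which the emulation shows also admits names such as `1234567` and `ABCDEFG`; whatever rule is applied on top of that has to live outside Match, as comment #1 suggests. When experimenting with real Match blocks, `sshd -T -C user=<name>,addr=<ip>` prints the effective configuration sshd would apply for that connection, which is a quicker check than a live login.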