bugzilla-daemon at mindrot.org
2022-Jun-03 11:02 UTC
[Bug 3440] New: RFE: be able to use "Match exec" on SSHD server side
https://bugzilla.mindrot.org/show_bug.cgi?id=3440
Bug ID: 3440
Summary: RFE: be able to use "Match exec" on SSHD server side
Product: Portable OpenSSH
Version: v9.0p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: rmetrich at redhat.com
We have customers at Red Hat wanting to have a different SSHD configuration snippet based on the user's name (e.g. to force keyboard-interactive authentication when the user is "LLNNNNN" (L = letter, N = digit)).

The "User" token pattern matching isn't smart enough to filter this kind of "LLNNNNN" pattern.

IMHO this requires having the possibility to use the "exec" token in a Match stanza on the server side, but this isn't possible for now:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Match   Introduces a conditional block. [...]
        The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria. The available criteria are User, Group, Host, LocalAddress, LocalPort, RDomain, and Address (with RDomain representing the rdomain(4) on which the connection was received).
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Allowing the use of "exec" would enable having tons of customizations possible.

Additionally, there is no simple workaround available for now: it requires having multiple SSHD instances, one for "normal users" and one for "LLNNNNN" users, but this isn't enough; it also requires crafting a PAM module to prohibit the "LLNNNNN" users from connecting through the "normal users" instance, which makes the workaround difficult to implement.
--
You are receiving this mail because:
You are watching the assignee of the bug.
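As an added illustration (not part of the bug report or of OpenSSH's code), the following Python models the Match pattern-list rules the report quotes: only "*" and "?" wildcards, comma-separated patterns, and "!" negation, assumed here to mirror OpenSSH's documented match.c semantics. It shows why no such pattern can isolate LLNNNNN users: the closest glob, ???????, also admits 1234567 and ABCDEFG. The sample usernames are constructed.

```python
import re

# Usernames the bug report wants to single out: two letters then five digits.
LLNNNNN = re.compile(r"^[A-Za-z]{2}[0-9]{5}$")


def glob_match(name: str, pat: str) -> bool:
    """sshd-style wildcard match: '*' matches any run, '?' exactly one character.
    There are no character classes, so letters and digits cannot be told apart."""
    if not pat:
        return name == ""
    if pat[0] == "*":
        return any(glob_match(name[i:], pat[1:]) for i in range(len(name) + 1))
    return bool(name) and pat[0] in ("?", name[0]) and glob_match(name[1:], pat[1:])


def match_pattern_list(name: str, pattern_list: str) -> bool:
    """Comma-separated pattern list with '!' negation (assumption: modelled on the
    documented OpenSSH Match semantics, not taken from its source). A matching
    negated pattern rejects immediately; otherwise any positive match accepts."""
    positive = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        if glob_match(name, pat[1:] if negate else pat):
            if negate:
                return False
            positive = True
    return positive


def best_effort_glob_false_positives(names, pattern="???????"):
    """Names the closest available glob admits that are not LLNNNNN users,
    i.e. accounts that would wrongly land in the special Match block."""
    return [n for n in names if match_pattern_list(n, pattern) and not LLNNNNN.match(n)]


# Constructed sample usernames, not taken from the bug report.
SAMPLE_USERS = ["AB12345", "ab99999", "1234567", "ABCDEFG", "alice", "AB1234", "root"]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(f"{user:8} LLNNNNN={bool(LLNNNNN.match(user))!s:5} "
              f"glob(???????)={match_pattern_list(user, '???????')}")
    print("false positives:", best_effort_glob_false_positives(SAMPLE_USERS))
```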
bugzilla-daemon at mindrot.org
2022-Jun-24 05:01 UTC
[Bug 3440] RFE: be able to use "Match exec" on SSHD server side
https://bugzilla.mindrot.org/show_bug.cgi?id=3440
Damien Miller <djm at mindrot.org> changed:
What     | Removed | Added
---------+---------+-------------------
CC       |         | djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Adding "match exec" to the server will probably not happen - it's fairly risky and would make it easy for users to allow DoS.

This seems like something that could be done using a PAM module + AuthenticationMethods though.
bugzilla-daemon at mindrot.org
2024-Dec-04 14:31 UTC
[Bug 3440] RFE: be able to use "Match exec" on SSHD server side
https://bugzilla.mindrot.org/show_bug.cgi?id=3440
Damien Miller <djm at mindrot.org> changed:
What       | Removed | Added
-----------+---------+----------
Status     | NEW     | RESOLVED
Resolution | ---     | WONTFIX