Displaying 20 results from an estimated 32 matches for "authorizedprincipalscommand".
2015 Nov 01
2
[Bug 2487] New: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs
https://bugzilla.mindrot.org/show_bug.cgi?id=2487
Bug ID: 2487
Summary: AuthorizedPrincipalsCommand should probably document
whether it only applies to TrustedUserCAKeys CAs
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Com...
2023 May 22
6
[Bug 3574] New: ssh ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set
https://bugzilla.mindrot.org/show_bug.cgi?id=3574
Bug ID: 3574
Summary: ssh ignores AuthorizedPrincipalsCommand if
AuthorizedKeysCommand is also set
Product: Portable OpenSSH
Version: 9.3p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-b...
2020 Jan 30
3
SSH certificates - restricting to host groups
On 30/01/2020 12:53, Michael Ströder wrote:
> On 1/30/20 1:27 PM, Brian Candler wrote:
>> I am trying to work out the best way to issue SSH certificates in such
>> way that they only allow access to specific usernames*and* only to
>> specific groups of host.
> I also thought about this for a while. The only idea I came up with is
> to have separate CAs used as trust
2020 Jan 30
3
SSH certificates - restricting to host groups
...the www file contain the contents alice
> and bob? Wouldn't that allow alice to ssh as alice, and www, and allow
> bob to ssh as bob and www to any machines that had this
> authorizedPrincipals file configuration?
this is the right answer. you want to use AuthorizedPrincipalsFile (or
AuthorizedPrincipalsCommand if your authz information needs to change
on a quicker cadence than your config pushes) on the machines.
you'd have something like
$ cat /etc/ssh/sshd_config
<snip>
TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys
Match User www
AuthorizedKeysFile /etc/ssh/empty
AuthorizedPrincipalsFi...
2019 May 21
2
OpenSSH Certificate Extensions
...here and pull out your
local extensions. If you do this in a session module, you can do stuff
like custom ulimits, environment variables, etc.
Finally, if you just want to make authn/authz decisions on the
extensions then you can implement auth-time processing of custom
extensions via sshd's AuthorizedPrincipalsCommand. This can be passed the
key contents using the %k expansion and you pull out the extensions from
there and abort the authentication or add additional key restrictions
based on their contents.
> Thank you very much to anyone that is able to shine some light on this
> topic or outright tell me...
2023 Jul 31
5
Call for testing: OpenSSH 9.4
...lient configuration based on network location.
* ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
extensions. This defines wire formats for optional KRL extensions
and implements parsing of the new submessages. No actual extensions
are supported at this point.
* sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
accept two additional %-expansion sequences: %D which expands to
the routing domain of the connected session and %C which expands
to the addresses and port numbers for the source and destination
of the connection.
* ssh-keygen(1): increase the default wor...
2019 May 21
2
OpenSSH Certificate Extensions
Hello:
I am working to implement certificate-based authentication for some
internal applications. It would be very helpful to be able to pass
information server-side by specifying some custom options via the
Extensions of the signed certificate, allowing the authenticity of the
options to be verified readily. However, I have not been able to find too
much for specifying behaviors, etc.
2020 Jan 30
5
SSH certificates - restricting to host groups
..."group-webserver" in AuthorizedPrincipalsFile for alice,
it lets bob login as alice (as per documentation, and also tested).
Now I am thinking I need to do something like this:
ssh-keygen ... -n alice:webserver,www:webserver ...
ssh-keygen ... -n bob:webserver,www:webserver ...
with an AuthorizedPrincipalsCommand such as:
#!/bin/sh
echo "$1:webserver"
echo "$1:anywhere"
Is this the best approach, or am I missing a trick?? I'm surprised I
couldn't find someone had already done this and blogged about it.
Thanks,
Brian.
P.S. A minor clarification for the documentation: if...
2023 Aug 10
1
Announce: OpenSSH 9.4 released
...lient configuration based on network location.
* ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
extensions. This defines wire formats for optional KRL extensions
and implements parsing of the new submessages. No actual extensions
are supported at this point.
* sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
accept two additional %-expansion sequences: %D which expands to
the routing domain of the connected session and %C which expands
to the addresses and port numbers for the source and destination
of the connection.
* ssh-keygen(1): increase the default wor...
2023 Aug 09
1
Call for testing: OpenSSH 9.4
...ocation.
>
> * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
> extensions. This defines wire formats for optional KRL extensions
> and implements parsing of the new submessages. No actual extensions
> are supported at this point.
>
> * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
> accept two additional %-expansion sequences: %D which expands to
> the routing domain of the connected session and %C which expands
> to the addresses and port numbers for the source and destination
> of the connection.
>
> * ssh-k...
2015 Nov 02
3
[Bug 2489] New: options that can be used in Match blocks but aren't documented as such
...verity: minor
Priority: P5
Component: Documentation
Assignee: unassigned-bugs at mindrot.org
Reporter: calestyo at scientia.net
Hey
sshd_config seems to not list those options as being usable inside
Match blocks, while servconf.c seems to mark them as such:
-authorizedprincipalscommand
-authorizedprincipalscommanduser
-gssapiauthentication
-kerberosauthentication
And
-authorizedkeysfile2
but IIRC that was deprecated anyway.
Cheers,
Chris.
--
You are receiving this mail because:
You are watching the assignee of the bug.
2019 Mar 07
2
Dynamically allow users with OpenSSH?
...30 PM Peter Moody <mindrot at hda3.com> wrote:
>
> why aren't the authorized keys/principals commands sufficient?
>
> $ getent group maybe-allow-these-users
> maybe-allow-these-users:x:111:user1,user2,user3,user4,user5...
>
> Match Group maybe-allow-these-users
> AuthorizedPrincipalsCommand /etc/ssh/allow_if_running_job %u
> AuthorizedPrincipalsCommandUser nobody
>
> $ cat /etc/ssh/allow_if_running_job
> #!/bin/sh
> ps auxgw | grep $1 && echo $1
>
> the AuthorizedKeysCommand could look like
>
> $ cat /etc/ssh/allow_if_running_job
> #!/bin/sh
>...
2023 Nov 12
1
Match Principal enhancement
AFAIK everything you described here could be done using the
AuthorizedKeysCommand or AuthorizedPrincipalsCommand directives. These
can emit authorized_keys options (inc. permitopen) as well as the allowed
keys/principals.
On Sun, 12 Nov 2023, Bret Giddings wrote:
> Hi OpenSSH devs,
>
> I'm wondering if the following has any merit and can be done securely ...
>
> If you could match on princ...
2019 Mar 06
3
Dynamically allow users with OpenSSH?
Hello, how can I dynamically allow or disallow users with OpenSSH? I
have some nodes that users can submit jobs to, and can optionally be
handed a session to the requested node. But I want to prevent them
from SSH-ing in to nodes unless they have a job running on that node.
My idea was to implement libssh's callback abilities and have a script
that checks the username against jobs running on
2023 Mar 17
18
[Bug 3549] New: Tracking bug for OpenSSH 9.4
https://bugzilla.mindrot.org/show_bug.cgi?id=3549
Bug ID: 3549
Summary: Tracking bug for OpenSSH 9.4
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Keywords: meta
Severity: normal
Priority: P5
Component: Miscellaneous
Assignee:
2023 Nov 12
1
Match Principal enhancement
Hi OpenSSH devs,
I'm wondering if the following has any merit and can be done securely ...
If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like
/etc/ssh/authorized_keys/sshfwd:
cert-authority,principals="batcha-fwd,batchb-fwd" ...
/etc/ssh/sshd_config containing:
Match User sshfwd
PubkeyAuthentication yes
2018 Sep 18
3
add keys and certificate to forwarded agent on remote host
On 18/09/18, Tim Jones (b631093f-779b-4d67-9ffe-5f6d5b1d3f8a at protonmail.ch) wrote:
...
> So issue your users with Yubikeys. You can enforce the Yubikey so it
> requires the user to enter a PIN *and* touch the Yubikey. This means
> there's an incredibly high degree of confidence that it was the user
> who performed the action (i.e. two-factor authentication of physical
>
2024 Feb 08
2
Authentication using federated identity
I know that there are some methods to use federated identities (e.g.
OAuth2) with SSH authentication but, from what I've seen, they largely
seem clunky and require users to interact with web browsers to get one
time tokens. Which is sort of acceptable for occasional logins but
doesn't work with automated/scripted actions.
I'm just wondering if anyone has done any work on this or
2020 Jun 23
4
SSH certificate and serverside ForceCommand
Hi,
We're developing an open source project that uses SSH certificates. We
issue short lived certificates (few minutes) to execute commands on behalf
of users. We have a use case where we need to issue certificates with 10
days validity and store them, so we put a command inside them:
ssh-keygen -s ca-key -I certN -n user -O force-command="wget something" -V
+10d user-key.pub
and
2017 Mar 14
5
Call for testing: OpenSSH 7.5p1
...omments sent to
printf but preserve valid UTF-8 when the locale supports it;
bz#2520
* ssh(1), sshd(8): Return reason for port forwarding failures where
feasible rather than always "administratively prohibited". bz#2674
* sshd(8): Fix deadlock when AuthorizedKeysCommand or
AuthorizedPrincipalsCommand produces a lot of output and a key is
matched early. bz#2655
* Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659
* ssh(1): Fix typo in ~C error message for bad port forward
cancellation. bz#2672
* ssh(1): Show a useful error message when included config files
c...