search for: authorizedprincipalsfile

Displaying 20 results from an estimated 33 matches for "authorizedprincipalsfile".

2010 Oct 14
1
About new feature option AuthorizedPrincipalsFile in openssh5.6
Hi all, I've read the OpenSSH 5.6 new feature document about the new option AuthorizedPrincipalsFile, and tried to configure sshd_config many times, but still have not succeeded. Maybe I am still unclear about the document's meaning. The main problem is that I don't know what the content (or file format) of the file specified by the AuthorizedPrincipalsFile option is. Could you give me...
2020 Jan 30
3
SSH certificates - restricting to host groups
..."alice" > > and > > "www" to machines in group "webserver" (only). Also, I want Bob to > > be > > able to log in as "bob" and "www" to machines in group "webserver" > > (only). > > Why can't you have an AuthorizedPrincipalsFile for alice, bob and www on > each of the "web servers", where the contents of the alice file include > the principal name alice, the contents of the bob file contain the bob > principal, and the contents of the www file contain the contents alice > and bob? Wouldn't that a...
2020 Jan 30
5
SSH certificates - restricting to host groups
...gs, in particular Facebook's one here: <https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/>. However, if I issue certs with ssh-keygen ... -n alice,www,group-webserver ... ssh-keygen ... -n bob,www,group-webserver ... and I include "group-webserver" in AuthorizedPrincipalsFile for alice, it lets bob log in as alice (as per documentation, and also tested). Now I am thinking I need to do something like this: ssh-keygen ... -n alice:webserver,www:webserver ... ssh-keygen ... -n bob:webserver,www:webserver ... with an AuthorizedPrincipalsCommand such as: #!/bin/sh ech...
2015 Nov 01
2
[Bug 2487] New: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs
...Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: Documentation Assignee: unassigned-bugs at mindrot.org Reporter: calestyo at scientia.net Hey. AuthorizedPrincipalsCommand is analogous to AuthorizedPrincipalsFile, so I guess it also applies only to CAs that are listed in TrustedUserCAKeys. Therefore I suggest that the same paragraph from the AuthorizedPrincipalsFile description is added there as well, i.e.: Note that AuthorizedPrincipalsCommand is only used when authentication proceeds using a CA listed in...
2010 May 10
1
Certificates and authorized principals
...that are acceptable. > > When authenticating using a CA trusted through ~/.ssh/authorized_keys, > this adds a new principals="name1[,name2,...]" key option. > > For CAs listed through sshd_config's TrustedCAKeys option, a new config > option "AuthorizedPrincipalsFile" specifies a per-user file containing > the list of acceptable names. > > If either option is absent, the current behaviour of requiring the > username to appear in principals continues to apply. > > These options are useful for role accounts, disjoint acc...
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
...FG_GLOBAL }, { "gatewayports", sGatewayPorts, SSHCFG_ALL }, { "subsystem", sSubsystem, SSHCFG_GLOBAL }, @@ -427,7 +427,7 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, + { "kexalgorithms", sKexAlgorithms, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, {...
2010 Aug 23
0
Announce: OpenSSH 5.6 released
...shd(8) now supports indirection in matching of principal names listed in certificates. By default, if a certificate has an embedded principals list then the username on the server must match one of the names in the list for it to be accepted for authentication. sshd(8) now has a new AuthorizedPrincipalsFile option to specify a file containing a list of names that may be accepted in place of the username when authorizing a certificate trusted via the sshd_config(5) TrustedCAKeys option. Similarly, authentication using a CA trusted in ~/.ssh/authorized_keys now accepts a principals="...
2011 Jul 07
4
Use of ssh certificates in a multi server of different kind environment.
Hello, [if I'm not on the right mailing list, please advise me] I'm using ssh certificates for my servers and my users. I have questions about it: I can use the same CA in order to certify all my hosts. Every client can use it, and it's a great setup. But, if I use the same CA for all my clients, it means that any client can log in to any server because hosts trust my
2011 Nov 03
1
Help with CA Certificates for user authentication?
...test/ssh_host_ecdsa_key MaxAuthTries 3 AuthorizedKeysFile /etc/sshtest/authorized_keys PasswordAuthentication no X11Forwarding yes X11DisplayOffset 10 X11UseLocalhost yes UseDNS no Subsystem sftp /home1/test/usr/local/libexec/sftp-server TrustedUserCAKeys /etc/sshtest/ssh_cakeys AuthorizedPrincipalsFile /etc/sshtest/authorized_principals The /etc/sshtest/authorized_principals file contains one line: test at 172.31.43.3 I attempt to connect to the target server from the test client: $ ssh -vvv -Y -p 2022 -l test 172.31.44.115 There is verbose output, which mostly seems right until (on...
2010 Aug 09
8
Call for testing: OpenSSH-5.6
...w supports indirection in matching of principal names listed in certificates. By default, if a certificate has an embedded principals list then the destination username must match one of the names in the list for it to be accepted for authentication. sshd(8) now supports an optional AuthorizedPrincipalsFile to specify a list of names that may be accepted in place of the username when authorizing a certificate trusted via the sshd_config(5) TrustedCAKeys option. Similarly, authentication using a CA trusted in ~/.ssh/authorized_keys now accepts a principals="name1[,name2,...]" t...
2014 Oct 10
16
[Bug 2288] New: documentation of options defaulting to "none"
...ty: P5 Component: Documentation Assignee: unassigned-bugs at mindrot.org Reporter: calestyo at scientia.net Hey. I was just going through the documentation, and there are several options which are documented to default to "none", e.g. in sshd_config(5): >AuthorizedPrincipalsFile ... > The default is “none”, i.e. not to use a principals file – in ... or >Banner The contents of the specified file are sent to the remote user > before authentication is allowed. If the argument is “none” then > no banner is displayed. This option is only available for proto-...
2010 Aug 23
3
Announce: OpenSSH 5.6 released
...shd(8) now supports indirection in matching of principal names listed in certificates. By default, if a certificate has an embedded principals list then the username on the server must match one of the names in the list for it to be accepted for authentication. sshd(8) now has a new AuthorizedPrincipalsFile option to specify a file containing a list of names that may be accepted in place of the username when authorizing a certificate trusted via the sshd_config(5) TrustedCAKeys option. Similarly, authentication using a CA trusted in ~/.ssh/authorized_keys now accepts a principals="...
2015 Nov 03
2
[Bug 2490] New: allow to set AuthorizedKeysFile none
...SSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: calestyo at scientia.net Hi. Analogous to AuthorizedPrincipalsFile, it would be nice if one could set AuthorizedKeysFile to none so that no file is used. I guess one can, as a workaround, set /dev/null, but that will probably lead to it always being opened and tried. Cheers, Chris. -- You are receiving this mail because: You are watching the assignee of the bug.
2020 Jan 30
6
SSH certificates - restricting to host groups
...login as "alice" >> and >> "www" to machines in group "webserver" (only). Also, I want Bob to >> be >> able to log in as "bob" and "www" to machines in group "webserver" >> (only). > Why can't you have an AuthorizedPrincipalsFile for alice, bob and www on > each of the "web servers", where the contents of the alice file include > the principal name alice, the contents of the bob file contain the bob > principal, and the contents of the www file contain the contents alice > and bob? Wouldn't that a...
2012 Aug 29
0
Announce: OpenSSH 6.1 released
...ds for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner. Bugfixes: * ssh(1)/sshd(8): Don't spin in accept() in situations of file desc...
2018 Sep 18
3
add keys and certificate to forwarded agent on remote host
On 18/09/18, Tim Jones (b631093f-779b-4d67-9ffe-5f6d5b1d3f8a at protonmail.ch) wrote: ... > So issue your users with Yubikeys. You can enforce the Yubikey so it > requires the user to enter a PIN *and* touch the Yubikey. This means > there's an incredibly high degree of confidence that it was the user > who performed the action (i.e. two-factor authentication of physical >
2012 Aug 21
5
Call for testing: OpenSSH 6.1
...ds for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner. Bugfixes: * ssh(1)/sshd(8): Don't spin in accept() in situations of file desc...
2016 Sep 27
4
[Bug 2618] New: net-misc/openssh-7.2_p2: Terribly slow Interactive Logon
https://bugzilla.mindrot.org/show_bug.cgi?id=2618 Bug ID: 2618 Summary: net-misc/openssh-7.2_p2: Terribly slow Interactive Logon Product: Portable OpenSSH Version: 7.2p2 Hardware: amd64 OS: Linux Status: NEW Severity: major Priority: P5 Component: sshd
2015 Jul 01
0
Announce: OpenSSH 6.9 released
...gin when UseLogin is set; bz#378 * sshd(8): Add some missing options to sshd -T output and fix output of VersionAddendum and HostCertificate. bz#2346 * Document and improve consistency of options that accept a "none" argument" TrustedUserCAKeys, RevokedKeys (bz#2382), AuthorizedPrincipalsFile (bz#2288) * ssh(1): include remote username in debug output; bz#2368 * sshd(8): avoid compatibility problem with some versions of Tera Term, which would crash when they received the hostkeys notification message (hostkeys-00 at openssh.com) * sshd(8): mention ssh-keygen -E as useful whe...