search for: sshfwkd

Displaying 3 results from an estimated 3 matches for "sshfwkd".

2024 Jul 04
4
Request for a Lockdown option
...P. I think this could be a good builtin functionality of OpenSSH, it already has all of the public/private key trust infrastructure available, what is missing is just the plumbing to connect it to the firewall. Maybe it could go into a separate binary and not in the default sshd though. How about a sshfwkd? /Simon
2024 Jul 04
1
Request for a Lockdown option
...ink this could be a good builtin functionality of OpenSSH, it
|already has all of the public/private key trust infrastructure
|available, what is missing is just the plumbing to connect it to the
|firewall. Maybe it could go into a separate binary and not in the
|default sshd though. How about a sshfwkd?

With the possibilities that ssh-keygen -Y sign|verify have added, one could easily adapt the server and client to send "user-name MSG", so that the server could look into authorized_keys of user-name and verify MSG, whatever that is. (Or only use the current encryption thing for user-na...
2024 Jul 04
1
Request for a Lockdown option
On 04.07.24 01:41, Manon Goo wrote:
> - some users private keys are lost

Then you go and remove the corresponding pubkeys from wherever they're configured. Seriously, even if you do not scan which pubkey is configured where *now* (as is part of our usual monitoring), it'll be your "number <3" task *then* to go hunt it down.

> And you want to lock down the sshd