Displaying 20 results from an estimated 2000 matches similar to: "Dynamically allow users with OpenSSH?"
2019 Mar 07
2
Dynamically allow users with OpenSSH?
Peter and Jason, thanks for your replies on this.
I was able to accomplish this with a combination of Peter's solution
and setting "AuthorizedKeysFile none" as suggested in the Stack
Overflow question.
On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot at hda3.com> wrote:
>
> why aren't the authorized keys/principals commands sufficient?
>
> $ getent group
2023 May 22
6
[Bug 3574] New: ssh ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set
https://bugzilla.mindrot.org/show_bug.cgi?id=3574
Bug ID: 3574
Summary: ssh ignores AuthorizedPrincipalsCommand if
AuthorizedKeysCommand is also set
Product: Portable OpenSSH
Version: 9.3p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component:
2019 May 21
2
OpenSSH Certificate Extensions
Any caveats with using AuthorizedKeysCommand in this case?
From: Damien Miller<mailto:djm at mindrot.org>
Sent: Monday, May 20, 2019 6:37 PM
To: Nickolas Klue<mailto:nickolas.klue at thoughtspot.com>
Cc: openssh-unix-dev at mindrot.org<mailto:openssh-unix-dev at mindrot.org>
Subject: Re: OpenSSH Certificate Extensions
On Mon, 20 May 2019, Nickolas Klue wrote:
> Hello:
>
2023 Jul 31
5
Call for testing: OpenSSH 9.4
Hi,
OpenSSH 9.4 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at
2013 Mar 22
52
[Bug 2081] New: extend the parameters to the AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=2081
Bug ID: 2081
Summary: extend the parameters to the AuthorizedKeysCommand
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.2p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
2019 May 21
2
OpenSSH Certificate Extensions
Hello:
I am working to implement certificate-based authentication for some
internal applications. It would be very helpful to be able to pass
information server-side by specifying some custom options via the
Extensions of the signed certificate, allowing the authenticity of the
options to be verified readily. However, I have not been able to find too
much for specifying behaviors, etc.
2023 Nov 12
1
Match Principal enhancement
AFAIK everything you described here could be done using the
AuthorizedKeysCommand or AuthorizedPrincipalsCommand directives. These
can emit authorized_keys options (inc. permitopen) as well as the allowed
keys/principals.
On Sun, 12 Nov 2023, Bret Giddings wrote:
> Hi OpenSSH devs,
>
> I?m wondering if the following has any merit and can be done securely ...
>
> If you could
2023 Mar 17
18
[Bug 3549] New: Tracking bug for OpenSSH 9.4
https://bugzilla.mindrot.org/show_bug.cgi?id=3549
Bug ID: 3549
Summary: Tracking bug for OpenSSH 9.4
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Keywords: meta
Severity: normal
Priority: P5
Component: Miscellaneous
Assignee:
2023 Nov 12
1
Match Principal enhancement
Hi OpenSSH devs,
I?m wondering if the following has any merit and can be done securely ...
If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like
/etc/ssh/authorized_keys/sshfwd:
cert-authority,principals=?batcha-fwd,batchb-fwd? ...
/etc/ssh/sshd_config containing:
Match User sshfwd
PubkeyAuthentication yes
2020 Jan 30
3
SSH certificates - restricting to host groups
On Thu, Jan 30, 2020 at 7:11 AM Christian, Mark
<mark.christian at intel.com> wrote:
>
> On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote:
> > As a concrete example: I want Alice to be able to login as "alice"
> > and
> > "www" to machines in group "webserver" (only). Also, I want Bob to
> > be
> > able to login as
2014 Oct 10
16
[Bug 2288] New: documentation of options defaulting to "none"
https://bugzilla.mindrot.org/show_bug.cgi?id=2288
Bug ID: 2288
Summary: documentation of options defaulting to "none"
Product: Portable OpenSSH
Version: 6.7p1
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5
Component: Documentation
Assignee:
2016 Dec 30
12
[Bug 2655] New: AuthorizedKeysCommand with large output can deadlock
https://bugzilla.mindrot.org/show_bug.cgi?id=2655
Bug ID: 2655
Summary: AuthorizedKeysCommand with large output can deadlock
Product: Portable OpenSSH
Version: 7.2p2
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at
2017 Mar 14
5
Call for testing: OpenSSH 7.5p1
Hi,
OpenSSH 7.5p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at
2016 Dec 14
17
Call for testing: OpenSSH 7.4
Hi,
OpenSSH 7.4 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains some
substantial new features and a number of bugfixes.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is
2020 Jan 30
3
SSH certificates - restricting to host groups
On 30/01/2020 12:53, Michael Str?der wrote:
> On 1/30/20 1:27 PM, Brian Candler wrote:
>> I am trying to work out the best way to issue SSH certificates in such
>> way that they only allow access to specific usernames*and* only to
>> specific groups of host.
> I also thought about this for a while. The only idea I came up with is
> to have separate CAs used as trust
2012 Nov 20
4
Connection info with AuthorizedKeysCommand
I see that support for AuthorizedKeysCommand has been added. The
arguments supplied to the command is just the authenticating user. Can
we add the SSH connection details (ie. source and destination IPs and
ports) as well?
This command seems to be the idea way of requiring one set of
credentials from inside an organisation (say the user's own
authorized_keys file) and another set from outside
2013 Jan 14
4
AuthorizedKeysCommand
Hi there,
We could set AuthorizedKeysCommand script, this will allow only to replace
authorized_keys file with keys stored in a database... But why this command
is so limited?
Why i can't just set a command script which will get a username and public
key as arguments and let him do it's own authorization??
I think this will allow for much more powerful tricks. For example do to an
2012 Nov 13
1
problem with AuthorizedKeysCommand on OpenBSD
Hi,
I'm attempting to test the AuthorizedKeysCommand feature with the new
port of ssh-ldap-wrapper to OpenBSD. I'm running yesterday's
OpenBSD-current i386 snapshot, which includes AuthorizedKeysCommand.
The port of ssh-ldap-helper (at
http://old.nabble.com/-new--ssh-ldap-helper-td34667413.html) contains
all the bits I need, and the individual pieces appear to work once
configured:
2014 Jun 27
1
Using AuthorizedKeysCommand in unprivileged sshd mode
Hi,
I have a setup in which I run sshd as unprivileged user at dedicated port
to serve specific application.
It is working perfectly!
One tweak I had to do, since the AuthorizedKeysCommand feature requires
file to be owned by root, I had to use root owned command at root owned
directory, although it does not add a security value.
At auth2-pubkey.c::user_key_command_allowed2(), we have the
2014 May 07
2
[LLVMdev] DWARF unmangled subprog name (DW_AT_name)
The use case is getting the short name for backtraces. There are other
options, but I figured it was worth a shot trying to access from the DWARF
structure because what we need is already stored there anyway.
Thanks,
Isaiah
On Wed, May 7, 2014 at 12:24 PM, Alexey Samsonov <samsonov at google.com>wrote:
> Yeah, public API of DebugInfo library is quite minimalistic. But I agree
>