similar to: [Bug 2487] New: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs

On Thu, Jan 30, 2020 at 7:11 AM Christian, Mark <mark.christian at intel.com> wrote: > > On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote: > > As a concrete example: I want Alice to be able to login as "alice" > > and > > "www" to machines in group "webserver" (only). Also, I want Bob to > > be > > able to login as

Hello, I am trying to work out the best way to issue SSH certificates in such way that they only allow access to specific usernames *and* only to specific groups of host. As a concrete example: I want Alice to be able to login as "alice" and "www" to machines in group "webserver" (only). Also, I want Bob to be able to login as "bob" and

https://bugzilla.mindrot.org/show_bug.cgi?id=3574 Bug ID: 3574 Summary: ssh ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set Product: Portable OpenSSH Version: 9.3p1 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component:

OpenSSH 6.9 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches,

https://bugzilla.mindrot.org/show_bug.cgi?id=2288 Bug ID: 2288 Summary: documentation of options defaulting to "none" Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: trivial Priority: P5 Component: Documentation Assignee:

Wondering if it would make sense to have more granular control of trustedUserCAkeys? I have 1 key used to sign root certs, the key is shortlived, and is rotated daily. And I have a 2nd key to sign non- privileged user certs. The non-privileged certs have a longer validity period, and the signing keys are not rotated as frequently. It would be nice to ensure this second signing key's

https://bugzilla.mindrot.org/show_bug.cgi?id=2489 Bug ID: 2489 Summary: options that can be used in Match blocks but aren't documented as such Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: minor Priority: P5 Component:

hi,all i've read the openssh5.6 new feature document about new option AuthorizedPrincipalsFile,and tried to config the sshd_config for a lot times,but still not succeed. maybe i am still ambiguously about the document's meaning. The main problem is i don't know what's the content(or file format) in the file that specifed by the AuthorizedPrincipalsFile option. could you give me a

As background, I read: http://therowes.net/~greg/2011/03/23/ssh-trusted-ca-key/ http://www.ibm.com/developerworks/aix/library/au-sshsecurity/ http://bryanhinton.com/blog/openssh-security http://www.linuxhowtos.org/manpages/5/sshd_config.htm

Hi, Users who are interested in certificate authentication might be interested in this change: > - djm at cvs.openbsd.org 2010/05/07 11:30:30 > [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c key.c] > [servconf.c servconf.h sshd.8 sshd_config.5] > add some optional indirection to matching of principal names listed > in certificates. Currently, a

Hi all, this is a patch to make Ciphers, MACs and KexAlgorithms available in Match blocks. Now I can reach a -current machine with some Android terminal app without changing the default ciphers for all clients: Match Address 192.168.1.2 Ciphers aes128-cbc MACs hmac-sha1 KexAlgorithms diffie-hellman-group-exchange-sha1 Index: servconf.c

OpenSSH 6.9 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches,

Any caveats with using AuthorizedKeysCommand in this case? From: Damien Miller<mailto:djm at mindrot.org> Sent: Monday, May 20, 2019 6:37 PM To: Nickolas Klue<mailto:nickolas.klue at thoughtspot.com> Cc: openssh-unix-dev at mindrot.org<mailto:openssh-unix-dev at mindrot.org> Subject: Re: OpenSSH Certificate Extensions On Mon, 20 May 2019, Nickolas Klue wrote: > Hello: >

On 18/09/18, Tim Jones (b631093f-779b-4d67-9ffe-5f6d5b1d3f8a at protonmail.ch) wrote: ... > So issue your users with Yubikeys. You can enforce the Yubikey so it > requires the user to enter a PIN *and* touch the Yubikey. This means > there's an incredibly high degree of confidence that it was the user > who performed the actiion (i.e. two-factor authentication of physical >

Hi, OpenSSH 9.4 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at

On 30/01/2020 12:53, Michael Str?der wrote: > On 1/30/20 1:27 PM, Brian Candler wrote: >> I am trying to work out the best way to issue SSH certificates in such >> way that they only allow access to specific usernames*and* only to >> specific groups of host. > I also thought about this for a while. The only idea I came up with is > to have separate CAs used as trust

https://bugzilla.mindrot.org/show_bug.cgi?id=2353 Bug ID: 2353 Summary: options allowed for Match blocks missing form documentation Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: minor Priority: P5 Component: Documentation

https://bugzilla.mindrot.org/show_bug.cgi?id=2490 Bug ID: 2490 Summary: allow to set AuthorizedKeysFile none Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at

AFAIK everything you described here could be done using the AuthorizedKeysCommand or AuthorizedPrincipalsCommand directives. These can emit authorized_keys options (inc. permitopen) as well as the allowed keys/principals. On Sun, 12 Nov 2023, Bret Giddings wrote: > Hi OpenSSH devs, > > I?m wondering if the following has any merit and can be done securely ... > > If you could

Peter and Jason, thanks for your replies on this. I was able to accomplish this with a combination of Peter's solution and setting "AuthorizedKeysFile none" as suggested in the Stack Overflow question. On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot at hda3.com> wrote: > > why aren't the authorized keys/principals commands sufficient? > > $ getent group