Re: authorized_principals for Kerberos authentication

On 10/5/2019 3:26 AM, Damien Miller wrote:
> On Fri, 4 Oct 2019, Friedrich Schaeuffelhut wrote:
>
> > SSH supports ~/.ssh/authorized_keys for SSH keys and
> > ~/.ssh/authorized_principals for X509 certs.
> >
> > I could not find an equivalent of authorized_keys
> > using Kerberos authentication.
>
> I think you want ~/.k5login, but it's been years since I've used
> kerberos.

Looking at the current portable code, it appears to just call krb5_kuserok(). That may look at k5login (the location of which is configurable), krb5_aname_to_localname(), a custom method, or multiple of the above, depending on which kerberos library is in use and how it is configured. (Note that Red Hat has muddied the waters with their patches, but let's ignore that).

To support the OP's ask of ForceCommand, etc., OpenSSH would need to either support exposing the client principal as a type which can be used in a Match block, or add Yet Another authorized_foo file (or extend the format of an existing one).

I think exposing the authorized_foo functionality via Match operators would be a more elegant solution, but I don't know how difficult that would be to code, as I haven't looked at when (and in which process) they are evaluated.

--
Carson
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
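To make the gap Carson describes concrete, here is an added example (not code from the thread, libkrb5 or OpenSSH) that models the .k5login step of krb5_kuserok() and the way sshd picks a ForceCommand from a "Match User" block. The realm EXAMPLE.ORG, the .k5login contents, the sshd_config fragment and the command path are constructed, and the aname_to_localname fallback is simplified to the default "user@DEFAULT_REALM maps to user" rule.

```python
# Constructed, simplified model of the k5login check and of sshd's per-user
# ForceCommand. Not libkrb5 or OpenSSH code; realm and paths are made up.

DEFAULT_REALM = "EXAMPLE.ORG"  # assumed realm for this example


def k5login_ok(principal, local_user, k5login_lines, default_realm=DEFAULT_REALM):
    """Simplified krb5_kuserok(): if a .k5login exists, the principal must
    appear verbatim on one line; if none exists (None), fall back to the
    default aname_to_localname rule, 'user@DEFAULT_REALM' -> local 'user'."""
    if k5login_lines is not None:
        return any(line.strip() == principal for line in k5login_lines)
    name, sep, realm = principal.partition("@")
    return sep == "@" and realm == default_realm and name == local_user


def force_command_for(local_user, sshd_config):
    """ForceCommand sshd would apply to local_user: the first matching
    'Match User' block wins, otherwise the global value (None if unset).
    Only 'Match User' and 'ForceCommand' are understood here."""
    global_cmd, match_cmd, in_match, matched = None, None, False, False
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "match":
            crit, _, arg = val.partition(" ")
            in_match = True
            matched = crit.lower() == "user" and local_user in arg.split(",")
        elif key == "forcecommand":
            if not in_match:
                global_cmd = val
            elif matched and match_cmd is None:
                match_cmd = val
    return match_cmd if match_cmd is not None else global_cmd


K5LOGIN = ["carson@EXAMPLE.ORG", "backup/host1.example.org@EXAMPLE.ORG"]  # constructed
SSHD_CONFIG = """
Match User carson
    ForceCommand /usr/local/bin/restricted-shell
"""  # constructed


def effective_command(principal, local_user="carson"):
    """Outcome for a principal logging in as local_user: None if refused,
    otherwise the ForceCommand (or None when sshd would run a normal shell)."""
    if not k5login_ok(principal, local_user, K5LOGIN):
        return None
    return force_command_for(local_user, SSHD_CONFIG)


if __name__ == "__main__":
    # Both accepted principals get the same command: the Match is on the
    # local user, and there is no per-principal criterion or file option.
    for p in K5LOGIN + ["other@EXAMPLE.ORG"]:
        print(p, "->", effective_command(p))
```

Running it shows both principals listed in carson's .k5login receiving the identical ForceCommand, which is exactly what a per-principal authorized_foo entry or a Match criterion for the client principal would change.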