mirror of git://anongit.mindrot.org/openssh.git
upstream: ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow restricting where keys may be used in conjunction with a ssh-agent/ssh that supports session ID/hostkey binding. Constraints are specified as either "[user@]host-pattern" or "host-pattern>[user@]host-pattern". The first form permits a key to be used to authenticate as the specified user to the specified host. The second form permits a key that has previously been permitted for use at a host to be available via a forwarded agent to an additional host. For example, constraining a key with "user1@host_a" and "host_a>host_b". Would permit authentication as "user1" at "host_a", and allow the key to be available on an agent forwarded to "host_a" only for authentication to "host_b". The key would not be visible on agent forwarded to other hosts or usable for authentication there. Internally, destination constraints use host keys to identify hosts. The host patterns are used to obtain lists of host keys for that destination that are communicated to the agent. The user/hostkeys are encoded using a new restrict-destination-v00@openssh.com key constraint. host keys are looked up in the default client user/system known_hosts files. It is possible to override this set on the command-line. feedback Jann Horn & markus@ ok markus@ OpenBSD-Commit-ID: 6b52cd2b637f3d29ef543f0ce532a2bce6d86af5
This commit is contained in:
parent
5e950d7657
commit
ce943912df
|
@ -23,6 +23,7 @@ d9b910e412d139141b072a905e66714870c38ac0 Makefile.inc
|
||||||
07b5031e9f49f2b69ac5e85b8da4fc9e393992a0 Makefile.inc
|
07b5031e9f49f2b69ac5e85b8da4fc9e393992a0 Makefile.inc
|
||||||
cc12a9029833d222043aecd252d654965c351a69 moduli-gen Makefile
|
cc12a9029833d222043aecd252d654965c351a69 moduli-gen Makefile
|
||||||
7ac6c252d2a5be8fbad4c66d9d35db507c9dac5b moduli update
|
7ac6c252d2a5be8fbad4c66d9d35db507c9dac5b moduli update
|
||||||
|
6b52cd2b637f3d29ef543f0ce532a2bce6d86af5 makefile change
|
||||||
|
|
||||||
Old upstream tree:
|
Old upstream tree:
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue