Rivoreo Source Code Repositories
src.rivoreo.one / security / openssh-library / 30da3447d2ef3329cb0eb083cdddf84532659454
commit30da3447d2ef3329cb0eb083cdddf84532659454[log] [download]
authorDamien Miller <djm@mindrot.org>Mon May 10 11:58:03 2010 +1000
committerDamien Miller <djm@mindrot.org>Mon May 10 11:58:03 2010 +1000
tree02537d2355d77cc15d1bf9d266d474e660848012
parent099fc1634e1cc0f96b77a811e554bf9d796def8f [diff]
   - djm@cvs.openbsd.org 2010/05/07 11:30:30
     [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
     [key.c servconf.c servconf.h sshd.8 sshd_config.5]
     add some optional indirection to matching of principal names listed
     in certificates. Currently, a certificate must include the a user's name
     to be accepted for authentication. This change adds the ability to
     specify a list of certificate principal names that are acceptable.

     When authenticating using a CA trusted through ~/.ssh/authorized_keys,
     this adds a new principals="name1[,name2,...]" key option.

     For CAs listed through sshd_config's TrustedCAKeys option, a new config
     option "AuthorizedPrincipalsFile" specifies a per-user file containing
     the list of acceptable names.

     If either option is absent, the current behaviour of requiring the
     username to appear in principals continues to apply.

     These options are useful for role accounts, disjoint account namespaces
     and "user@realm"-style naming policies in certificates.

     feedback and ok markus@
11 files changed
tree: 02537d2355d77cc15d1bf9d266d474e660848012
  1. .cvsignore
  2. CREDITS
  3. ChangeLog
  4. INSTALL
  5. LICENCE
  6. Makefile.in
  7. OVERVIEW
  8. PROTOCOL
  9. PROTOCOL.agent
  10. PROTOCOL.certkeys
  11. PROTOCOL.mux
  12. README
  13. README.dns
  14. README.platform
  15. README.privsep
  16. README.tun
  17. TODO
  18. WARNING.RNG
  19. aclocal.m4
  20. acss.c
  21. acss.h
  22. addrmatch.c
  23. atomicio.c
  24. atomicio.h
  25. audit-bsm.c
  26. audit.c
  27. audit.h
  28. auth-bsdauth.c
  29. auth-chall.c
  30. auth-krb5.c
  31. auth-options.c
  32. auth-options.h
  33. auth-pam.c
  34. auth-pam.h
  35. auth-passwd.c
  36. auth-rh-rsa.c
  37. auth-rhosts.c
  38. auth-rsa.c
  39. auth-shadow.c
  40. auth-sia.c
  41. auth-sia.h
  42. auth-skey.c
  43. auth.c
  44. auth.h
  45. auth1.c
  46. auth2-chall.c
  47. auth2-gss.c
  48. auth2-hostbased.c
  49. auth2-jpake.c
  50. auth2-kbdint.c
  51. auth2-none.c
  52. auth2-passwd.c
  53. auth2-pubkey.c
  54. auth2.c
  55. authfd.c
  56. authfd.h
  57. authfile.c
  58. authfile.h
  59. bufaux.c
  60. bufbn.c
  61. buffer.c
  62. buffer.h
  63. buildpkg.sh.in
  64. canohost.c
  65. canohost.h
  66. channels.c
  67. channels.h
  68. cipher-3des1.c
  69. cipher-acss.c
  70. cipher-aes.c
  71. cipher-bf1.c
  72. cipher-ctr.c
  73. cipher.c
  74. cipher.h
  75. cleanup.c
  76. clientloop.c
  77. clientloop.h
  78. compat.c
  79. compat.h
  80. compress.c
  81. compress.h
  82. config.guess
  83. config.sub
  84. configure.ac
  85. contrib/
  86. crc32.c
  87. crc32.h
  88. deattack.c
  89. deattack.h
  90. defines.h
  91. dh.c
  92. dh.h
  93. dispatch.c
  94. dispatch.h
  95. dns.c
  96. dns.h
  97. entropy.c
  98. entropy.h
  99. fatal.c
  100. fixpaths
  101. fixprogs
  102. groupaccess.c
  103. groupaccess.h
  104. gss-genr.c
  105. gss-serv-krb5.c
  106. gss-serv.c
  107. hostfile.c
  108. hostfile.h
  109. includes.h
  110. install-sh
  111. jpake.c
  112. jpake.h
  113. kex.c
  114. kex.h
  115. kexdh.c
  116. kexdhc.c
  117. kexdhs.c
  118. kexgex.c
  119. kexgexc.c
  120. kexgexs.c
  121. key.c
  122. key.h
  123. log.c
  124. log.h
  125. loginrec.c
  126. loginrec.h
  127. logintest.c
  128. mac.c
  129. mac.h
  130. match.c
  131. match.h
  132. md-sha256.c
  133. md5crypt.c
  134. md5crypt.h
  135. mdoc2man.awk
  136. misc.c
  137. misc.h
  138. mkinstalldirs
  139. moduli
  140. moduli.5
  141. moduli.c
  142. monitor.c
  143. monitor.h
  144. monitor_fdpass.c
  145. monitor_fdpass.h
  146. monitor_mm.c
  147. monitor_mm.h
  148. monitor_wrap.c
  149. monitor_wrap.h
  150. msg.c
  151. msg.h
  152. mux.c
  153. myproposal.h
  154. nchan.c
  155. nchan.ms
  156. nchan2.ms
  157. openbsd-compat/
  158. openssh.xml.in
  159. opensshd.init.in
  160. packet.c
  161. packet.h
  162. pathnames.h
  163. pkcs11.h
  164. platform.c
  165. platform.h
  166. progressmeter.c
  167. progressmeter.h
  168. readconf.c
  169. readconf.h
  170. readpass.c
  171. regress/
  172. rijndael.c
  173. rijndael.h
  174. roaming.h
  175. roaming_client.c
  176. roaming_common.c
  177. roaming_dummy.c
  178. roaming_serv.c
  179. rsa.c
  180. rsa.h
  181. scard/
  182. schnorr.c
  183. schnorr.h
  184. scp.1
  185. scp.c
  186. servconf.c
  187. servconf.h
  188. serverloop.c
  189. serverloop.h
  190. session.c
  191. session.h
  192. sftp-client.c
  193. sftp-client.h
  194. sftp-common.c
  195. sftp-common.h
  196. sftp-glob.c
  197. sftp-server-main.c
  198. sftp-server.8
  199. sftp-server.c
  200. sftp.1
  201. sftp.c
  202. sftp.h
  203. ssh-add.1
  204. ssh-add.c
  205. ssh-agent.1
  206. ssh-agent.c
  207. ssh-dss.c
  208. ssh-gss.h
  209. ssh-keygen.1
  210. ssh-keygen.c
  211. ssh-keyscan.1
  212. ssh-keyscan.c
  213. ssh-keysign.8
  214. ssh-keysign.c
  215. ssh-pkcs11-client.c
  216. ssh-pkcs11-helper.8
  217. ssh-pkcs11-helper.c
  218. ssh-pkcs11.c
  219. ssh-pkcs11.h
  220. ssh-rand-helper.8
  221. ssh-rand-helper.c
  222. ssh-rsa.c
  223. ssh.1
  224. ssh.c
  225. ssh.h
  226. ssh1.h
  227. ssh2.h
  228. ssh_config
  229. ssh_config.5
  230. ssh_prng_cmds.in
  231. sshconnect.c
  232. sshconnect.h
  233. sshconnect1.c
  234. sshconnect2.c
  235. sshd.8
  236. sshd.c
  237. sshd_config
  238. sshd_config.5
  239. sshlogin.c
  240. sshlogin.h
  241. sshpty.c
  242. sshpty.h
  243. sshtty.c
  244. survey.sh.in
  245. ttymodes.c
  246. ttymodes.h
  247. uidswap.c
  248. uidswap.h
  249. umac.c
  250. umac.h
  251. uuencode.c
  252. uuencode.h
  253. version.h
  254. xmalloc.c
  255. xmalloc.h