Bug 2696

Summary: Allow to restrict access to service using authentication indicators
Product: Portable OpenSSH Reporter: Jakub Jelen <jjelen>
Component: Kerberos support Assignee: Assigned to nobody <unassigned-bugs>
Status: NEW
Severity: enhancement CC: djm
Priority: P5 Keywords: patch
Version: 7.4p1   
Hardware: Other   
OS: Linux   
Attachments:
  Description: allow specify auth-indicators    Flags: none

Description Jakub Jelen 2017-03-22 01:12:40 AEDT
Created attachment 2965: allow specify auth-indicators

Kerberos 1.14 introduced authentication indicators [1], which allow us to distinguish the methods used to acquire a specific Kerberos token.

This policy can be specified either on the KDC side (you will not be granted a ticket for the SSH service) or on the side of the service (as implemented here).

The authentication indicators are exposed to the service as named attributes and are therefore simply accessible. This change also implements a new configuration option, GSSAPIRequiredAuthIndicators, which allows specifying a space-separated list of indicators that are eligible to access this service.

[1] https://k5wiki.kerberos.org/wiki/Projects/Authentication_indicator
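An added example, not the attached patch and not OpenSSH code: the policy decision a service-side GSSAPIRequiredAuthIndicators check has to make once the indicators have been read from the accepted GSS name (MIT krb5 exposes them under the "auth-indicators" name attribute, which this example takes as an already-extracted array). Assumed semantics: access is granted when at least one indicator on the ticket appears in the space-separated option value, an unset option imposes no restriction, and a configured option fails closed for tickets that carry no indicator at all.

```c
/* Added example: matching logic for a GSSAPIRequiredAuthIndicators-style
 * option. Assumptions (not from the patch): option is a space/tab-separated
 * list, one match suffices, empty option = no restriction. */
#include <stdio.h>
#include <string.h>

/* Return 1 if 'value' is exactly one of the whitespace-separated words in
 * 'list' (so "otp" does not match a configured "otp2"). */
static int word_in_list(const char *list, const char *value) {
    size_t vlen = strlen(value);
    const char *p = list;
    while (*p != '\0') {
        while (*p == ' ' || *p == '\t') p++;
        const char *start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t') p++;
        if ((size_t)(p - start) == vlen && memcmp(start, value, vlen) == 0)
            return 1;
    }
    return 0;
}

/* True when the option value is NULL, empty, or only whitespace. */
static int is_blank(const char *s) {
    if (s == NULL) return 1;
    for (; *s != '\0'; s++)
        if (*s != ' ' && *s != '\t') return 0;
    return 1;
}

/* 'required' is the configured option; 'present' holds the n indicator
 * strings attached to the client's ticket. Returns 1 to allow, 0 to deny. */
int auth_indicators_allow(const char *required, const char *present[], size_t n) {
    if (is_blank(required))
        return 1;                 /* option not configured: no restriction */
    for (size_t i = 0; i < n; i++)
        if (present[i] != NULL && word_in_list(required, present[i]))
            return 1;             /* ticket carries an eligible indicator */
    return 0;                     /* no indicator, or none of the listed ones */
}

int main(void) {
    /* Constructed sample tickets: indicator names are illustrative only. */
    const char *otp_ticket[] = { "otp" };
    const char *pw_ticket[]  = { "password" };
    printf("otp ticket, option 'otp pkinit':      %d\n", auth_indicators_allow("otp pkinit", otp_ticket, 1));
    printf("password ticket, option 'otp pkinit': %d\n", auth_indicators_allow("otp pkinit", pw_ticket, 1));
    printf("no indicators, option 'otp':          %d\n", auth_indicators_allow("otp", NULL, 0));
    printf("no indicators, option unset:          %d\n", auth_indicators_allow(NULL, NULL, 0));
    return 0;
}
```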
Comment 1 Damien Miller 2017-05-01 18:25:11 AEST
err, I meant "breaks the transparency of ssh-add"
Comment 2 Damien Miller 2017-05-01 18:25:28 AEST
oops, wrong bug
Comment 3 Jakub Jelen 2017-05-31 17:19:42 AEST
Adjusting to the correct component. Any feedback would be welcomed.