This patch adds support for entries in authorized_keys which reference Kerberos principal names, GSI/X.509 certificate names when doing Kerberos or GSS authentication. Also included is support for authorized_keys entries which are patterns matching such names. Also included is support for a new authorized_keys entry option, "deny-access." With this patch sshd also sets environment variables to indicate the client's authenticated name, if a named authorized_keys entry matches. These simple features simplify key management and authorized_keys file management in environments where Kerberos or GSI are in use with OpenSSH (see Simon Wilkinson's patch to OpenSSH that implements the gsskeyex draft). These features represent a much more general authorization system for Kerberos than .klogin or .k5login, and apply to other authentication mechanisms as well (again, GSI/X.509, and, in the future, when direct X.509 support is added to OpenSSH, X.509). These features, or a variation thereof, in OpenSSH, would be greatly appreciated.
Since we don't support any of these key types, and have no plans to support these key types, this enhancement isn't going to be made for the foreseeable future. WONTFIX, until one of these preconditions is met.
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.