Bug 2696 - Allow to restrict access to service using authentication indicators
Summary: Allow to restrict access to service using authentication indicators
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Kerberos support
Version: 7.4p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Keywords: patch
Reported: 2017-03-22 01:12 AEDT by Jakub Jelen
Modified: 2017-05-31 17:19 AEST (History)



Attachments
allow specify auth-indicators (9.89 KB, patch)
2017-03-22 01:12 AEDT, Jakub Jelen

Description Jakub Jelen 2017-03-22 01:12:40 AEDT
Created attachment 2965 [details]
allow specify auth-indicators

Kerberos 1.14 introduced authentication indicators [1], which allow us to distinguish the methods used to acquire a specific Kerberos token.

This policy can be specified either on the KDC side (you will not be granted a ticket for the SSH service) or on the service side (as implemented here).

The authentication indicators are exposed to the service as named attributes and are therefore simply accessible. This change also implements a new configuration option, GSSAPIRequiredAuthIndicators, which allows specifying a space-separated list of indicators that are eligible to access this service.

[1] https://k5wiki.kerberos.org/wiki/Projects/Authentication_indicator
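Added example, not code from the report or from the attached patch: a C sketch of the access decision a service-side GSSAPIRequiredAuthIndicators check would make. It assumes any-of semantics (a ticket passes if it carries at least one listed indicator), that an unset option means no restriction, and that a set option rejects a ticket carrying no indicators at all; the indicator sets are constructed stand-ins for values read from the ticket's GSS named attribute, and `gss_indicators_permit` / `has_indicator` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample indicator sets (NULL-terminated), standing in for
 * what sshd would read out of the GSS named attribute of a client ticket. */
const char *const ticket_pkinit[] = {"pkinit", NULL};
const char *const ticket_otp_and_hw[] = {"otp", "hardened", NULL};
const char *const ticket_none[] = {NULL};

/* Hypothetical helper: does the ticket's indicator list contain 'name'? */
static bool has_indicator(const char *const *indicators, const char *name)
{
    for (; *indicators != NULL; indicators++)
        if (strcmp(*indicators, name) == 0)
            return true;
    return false;
}

/* Policy check modelled on the described option (hypothetical function).
 * required: the option value, a space-separated list, or NULL when unset.
 * Assumption: any one matching indicator is enough; an unset or empty
 * option keeps today's behaviour (accept); a configured option rejects a
 * ticket that matches none of the listed indicators. */
bool gss_indicators_permit(const char *required, const char *const *indicators)
{
    char buf[256];
    char *save, *tok;

    if (required == NULL || required[0] == '\0')
        return true;            /* option not configured: no restriction */
    if (strlen(required) >= sizeof(buf))
        return false;           /* refuse an oversized value, never truncate it */
    strcpy(buf, required);
    for (tok = strtok_r(buf, " \t", &save); tok != NULL;
         tok = strtok_r(NULL, " \t", &save))
        if (has_indicator(indicators, tok))
            return true;
    return false;               /* configured, but no listed indicator on the ticket */
}

int main(void)
{
    /* A smart-card (pkinit) ticket against a "pkinit otp" policy: permitted. */
    printf("pkinit ticket: %s\n",
           gss_indicators_permit("pkinit otp", ticket_pkinit) ? "allow" : "deny");
    /* A password ticket with no indicators against the same policy: denied. */
    printf("bare ticket:   %s\n",
           gss_indicators_permit("pkinit otp", ticket_none) ? "allow" : "deny");
    return 0;
}
```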
Comment 1 Damien Miller 2017-05-01 18:25:11 AEST
err, I meant "breaks the transparency of ssh-add"
Comment 2 Damien Miller 2017-05-01 18:25:28 AEST
oops, wrong bug
Comment 3 Jakub Jelen 2017-05-31 17:19:42 AEST
Adjusting to the correct component. Any feedback would be welcomed.