path: root/sshconnect.c
author: djm@openbsd.org <djm@openbsd.org> 2021-12-19 22:10:24 +0000
committer: Damien Miller <djm@mindrot.org> 2021-12-20 09:25:17 +1100
commit: 5e950d765727ee0b20fc3d2cbb0c790b21ac2425 (patch)
tree: 9c93c8a36465ed4289f02eb3c962b3d1b02e0de5 /sshconnect.c
parent: 4c1e3ce85e183a9d0c955c88589fed18e4d6a058 (diff)
download: openssh-git-5e950d765727ee0b20fc3d2cbb0c790b21ac2425.tar.gz
upstream: ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow restricting where keys may be used in conjunction with an ssh-agent/ssh that supports session ID/hostkey binding.

Constraints are specified as either "[user@]host-pattern" or "host-pattern>[user@]host-pattern". The first form permits a key to be used to authenticate as the specified user to the specified host. The second form permits a key that has previously been permitted for use at a host to be available via a forwarded agent to an additional host.

For example, constraining a key with "user1@host_a" and "host_a>host_b" would permit authentication as "user1" at "host_a", and allow the key to be available on an agent forwarded to "host_a" only for authentication to "host_b". The key would not be visible on an agent forwarded to other hosts or usable for authentication there.

Internally, destination constraints use host keys to identify hosts. The host patterns are used to obtain lists of host keys for that destination that are communicated to the agent. The user/hostkeys are encoded using a new restrict-destination-v00@openssh.com key constraint.

Host keys are looked up in the default client user/system known_hosts files. It is possible to override this set on the command-line.

feedback Jann Horn & markus@
ok markus@

OpenBSD-Commit-ID: ef47fa9ec0e3c2a82e30d37ef616e245df73163e
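The constraint grammar and the two-form semantics described in the commit message, as an added worked example (Python, written for this page; not OpenSSH code and not ssh-add's actual parser): it parses "[user@]host-pattern" and "host-pattern>[user@]host-pattern" and then decides hop by hop whether a key may be used for, or listed by, an agent at the end of a forwarding chain. The real ssh-add resolves host patterns to host keys from known_hosts and the agent compares host keys; this model substitutes hostnames matched against glob patterns. The function names, the `hops` list abstraction and the reading of "not visible on an agent forwarded to other hosts" as "listed only where a further permitted hop exists" are the example's own modelling choices.

```python
"""Model of ssh-add destination constraints.

Added example, not OpenSSH code: a parser for the constraint syntax from the
commit message and the hop-by-hop permission check it describes. The real
agent identifies hosts by host keys resolved from known_hosts; hostnames
matched against glob patterns stand in for them here (a simplification).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class DestConstraint:
    from_pat: Optional[str]  # None: key used from the agent it was added to
    user: Optional[str]      # None: any user at the destination
    to_pat: str              # destination host pattern


def parse_constraint(spec: str) -> DestConstraint:
    """Parse one "[user@]host-pattern" or "host-pattern>[user@]host-pattern"."""
    if spec.count(">") > 1:
        raise ValueError(f"more than one '>' in {spec!r}")
    from_pat = None
    dest = spec
    if ">" in spec:
        from_pat, dest = spec.split(">", 1)
        if not from_pat or "@" in from_pat:
            raise ValueError(f"bad source host pattern in {spec!r}")
    user = None
    if "@" in dest:
        user, dest = dest.rsplit("@", 1)  # hostnames never contain '@'
        if not user:
            raise ValueError(f"empty user in {spec!r}")
    if not dest:
        raise ValueError(f"empty destination in {spec!r}")
    return DestConstraint(from_pat, user, dest)


def is_valid_constraint(spec: str) -> bool:
    try:
        parse_constraint(spec)
        return True
    except ValueError:
        return False


def _hop_permitted(cs, from_host, to_host, user) -> bool:
    """A constraint covers a hop if: the "[user@]host" form is used only for
    hops made from the originating agent (from_host is None) and the "a>b"
    form only for hops made from a host matching a; the destination matches;
    and, when both a user was given and the constraint names one, they agree."""
    for c in cs:
        if (c.from_pat is None) != (from_host is None):
            continue
        if from_host is not None and not fnmatchcase(from_host, c.from_pat):
            continue
        if user is not None and c.user is not None and c.user != user:
            continue
        if fnmatchcase(to_host, c.to_pat):
            return True
    return False


def key_usable(cs, hops, user) -> bool:
    """May the key sign a login as `user` to hops[-1]? hops[0] is the host the
    local ssh connects to; each later hop is reached from the previous host
    through a forwarded agent. Every hop must be covered, the user only on the
    final hop. A key added with no destination constraints stays unrestricted."""
    if not cs:
        return True
    if not hops:
        return False
    prev = None
    for i, host in enumerate(hops):
        hop_user = user if i == len(hops) - 1 else None
        if not _hop_permitted(cs, prev, host, hop_user):
            return False
        prev = host
    return True


def key_visible(cs, hops) -> bool:
    """Should an agent forwarded along `hops` (empty: the local agent) list the
    key? Only if the chain is permitted and some constraint allows a further
    hop from the last host (this example's reading of the commit message)."""
    if not cs or not hops:
        return True
    prev = None
    for host in hops:
        if not _hop_permitted(cs, prev, host, None):
            return False
        prev = host
    return any(c.from_pat and fnmatchcase(prev, c.from_pat) for c in cs)


# The commit message's own example, as constructed input.
EXAMPLE = [parse_constraint(s) for s in ("user1@host_a", "host_a>host_b")]
```

With `EXAMPLE`, `key_usable(EXAMPLE, ["host_a"], "user1")` is true, `key_usable(EXAMPLE, ["host_a", "host_b"], "anyone")` is true because the second form names no user, and `key_usable(EXAMPLE, ["host_b"], "user1")` is false: the key is never permitted for host_b when ssh talks to the originating agent directly. The per-hop check also rejects a chain that reaches host_a through an unpermitted first hop, which is the property the session-binding side of the feature exists to enforce.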
Diffstat (limited to 'sshconnect.c')
-rw-r--r--  sshconnect.c | 4
1 file changed, 2 insertions, 2 deletions
diff --git a/sshconnect.c b/sshconnect.c
index fcf87bb7..ebecc837 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.355 2021/07/02 05:11:21 dtucker Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.356 2021/12/19 22:10:24 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1700,7 +1700,7 @@ maybe_add_key_to_agent(const char *authfile, struct sshkey *private,
if ((r = ssh_add_identity_constrained(auth_sock, private,
comment == NULL ? authfile : comment,
options.add_keys_to_agent_lifespan,
- (options.add_keys_to_agent == 3), 0, skprovider)) == 0)
+ (options.add_keys_to_agent == 3), 0, skprovider, NULL, 0)) == 0)
debug("identity added to agent: %s", authfile);
else
debug("could not add identity to agent: %s (%d)", authfile, r);
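Review bot: the two new trailing arguments `NULL, 0` on the `ssh_add_identity_constrained()` call give no hint of what they are (from the commit message, presumably the destination-constraint list and its count; the callee's prototype is not in this diff), and they sit next to an equally bare `0` before `skprovider`. A short comment such as `skprovider, NULL, 0 /* no destination constraints */` would record that ssh's own AddKeysToAgent path deliberately adds keys unconstrained and that only ssh-add supplies constraints, and it is worth confirming that the callee treats a NULL list with a zero count as "none" before any dereference. Adjacent but pre-existing: the failure path logs the raw code `(%d)`; `ssh_err(r)` would make that debug line readable.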