upstream commit

organise the token stuff into a separate section; ok
markus for an earlier version of the diff ok/tweaks djm

Upstream-ID: 81a6daa506a4a5af985fce7cf9e59699156527c8
jmc@openbsd.org 2016-09-22 19:19:01 +00:00 committed by Damien Miller
parent 16277fc45f
commit de6a175a99
1 changed file with 85 additions and 53 deletions


@ -33,7 +33,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.234 2016/09/22 17:55:13 djm Exp $ .\" $OpenBSD: sshd_config.5,v 1.235 2016/09/22 19:19:01 jmc Exp $
.Dd $Mdocdate: September 22 2016 $ .Dd $Mdocdate: September 22 2016 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
@ -240,22 +240,21 @@ of a single authentication method is sufficient.
Specifies a program to be used to look up the user's public keys. Specifies a program to be used to look up the user's public keys.
The program must be owned by root, not writable by group or others and The program must be owned by root, not writable by group or others and
specified by an absolute path. specified by an absolute path.
.Pp
Arguments to Arguments to
.Cm AuthorizedKeysCommand .Cm AuthorizedKeysCommand
may be provided using the following tokens, which will be expanded accept the tokens described in the
at runtime: %% is replaced by a literal '%', %u is replaced by the .Sx TOKENS
username being authenticated, %h is replaced by the home directory section.
of the user being authenticated, %t is replaced with the key type If no arguments are specified then the username of the target user is used.
offered for authentication, %f is replaced with the fingerprint of
the key, and %k is replaced with the key being offered for authentication.
If no arguments are specified then the username of the target user
will be supplied.
.Pp .Pp
The program should produce on standard output zero or The program should produce on standard output zero or
more lines of authorized_keys output (see AUTHORIZED_KEYS in more lines of authorized_keys output (see
.Sx AUTHORIZED_KEYS
in
.Xr sshd 8 ) . .Xr sshd 8 ) .
If a key supplied by AuthorizedKeysCommand does not successfully authenticate If a key supplied by
.Cm AuthorizedKeysCommand
does not successfully authenticate
and authorize the user then public key authentication continues using the usual and authorize the user then public key authentication continues using the usual
.Cm AuthorizedKeysFile .Cm AuthorizedKeysFile
files. files.
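Review bot: the cross-reference added on the new side of the "see AUTHORIZED_KEYS in sshd(8)" sentence is `.Sx AUTHORIZED_KEYS`, but the same target section is referenced as `.Sx AUTHORIZED_KEYS FILE FORMAT` in the AuthorizedKeysFile and AuthorizedPrincipalsFile entries elsewhere in this diff. Now that the plain text has been turned into a section cross-reference, it should carry the full section name; change it to `.Sx AUTHORIZED_KEYS FILE FORMAT` so all three references point at the same heading. The short form was already present in the old text, so this is carried over rather than introduced, but the markup change is the right moment to fix it.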
@ -272,18 +271,16 @@ is not, then
.Xr sshd 8 .Xr sshd 8
will refuse to start. will refuse to start.
.It Cm AuthorizedKeysFile .It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used Specifies the file that contains the public keys used for user authentication.
for user authentication.
The format is described in the The format is described in the
AUTHORIZED_KEYS FILE FORMAT .Sx AUTHORIZED_KEYS FILE FORMAT
section of section of
.Xr sshd 8 . .Xr sshd 8 .
Arguments to
.Cm AuthorizedKeysFile .Cm AuthorizedKeysFile
may contain tokens of the form %T which are substituted during connection accept the tokens described in the
setup. .Sx TOKENS
The following tokens are defined: %% is replaced by a literal '%', section.
%h is replaced by the home directory of the user being authenticated, and
%u is replaced by the username of that user.
After expansion, After expansion,
.Cm AuthorizedKeysFile .Cm AuthorizedKeysFile
is taken to be an absolute path or one relative to the user's home is taken to be an absolute path or one relative to the user's home
@ -300,24 +297,12 @@ certificate principals as per
.Cm AuthorizedPrincipalsFile . .Cm AuthorizedPrincipalsFile .
The program must be owned by root, not writable by group or others and The program must be owned by root, not writable by group or others and
specified by an absolute path. specified by an absolute path.
.Pp
Arguments to Arguments to
.Cm AuthorizedPrincipalsCommand .Cm AuthorizedPrincipalsCommand
may be provided using the following tokens, which will be expanded accept the tokens described in the
at runtime: .Sx TOKENS
%% is replaced by a literal '%', section.
%F with the fingerprint of the CA key, If no arguments are specified then the username of the target user is used.
%f is replaced with certificate fingerprint,
%K is replaced with the base-64 encoded CA key.
%k is replaced with the full base-64 encoded certificate,
%h is replaced with the home directory of the user being authenticated,
%i is replaced with key ID in the certificate,
%s is replaced with the serial number of the certificate,
%T with the type of the CA key,
%t is replaced with type of the certificate being offered, and
%u is replaced by the username being authenticated,
If no arguments are specified then the username of the target user
will be supplied.
.Pp .Pp
The program should produce on standard output zero or The program should produce on standard output zero or
more lines of more lines of
@ -329,9 +314,13 @@ or
.Cm AuthorizedPrincipalsFile .Cm AuthorizedPrincipalsFile
is specified, then certificates offered by the client for authentication is specified, then certificates offered by the client for authentication
must contain a principal that is listed. must contain a principal that is listed.
By default, no AuthorizedPrincipalsCommand is run. By default, no
.Cm AuthorizedPrincipalsCommand
is run.
.It Cm AuthorizedPrincipalsCommandUser .It Cm AuthorizedPrincipalsCommandUser
Specifies the user under whose account the AuthorizedPrincipalsCommand is run. Specifies the user under whose account the
.Cm AuthorizedPrincipalsCommand
is run.
It is recommended to use a dedicated user that has no other role on the host It is recommended to use a dedicated user that has no other role on the host
than running authorized principals commands. than running authorized principals commands.
If If
@ -348,29 +337,28 @@ When using certificates signed by a key listed in
.Cm TrustedUserCAKeys , .Cm TrustedUserCAKeys ,
this file lists names, one of which must appear in the certificate for it this file lists names, one of which must appear in the certificate for it
to be accepted for authentication. to be accepted for authentication.
Names are listed one per line preceded by key options (as described Names are listed one per line preceded by key options (as described in
in AUTHORIZED_KEYS FILE FORMAT in .Sx AUTHORIZED_KEYS FILE FORMAT
in
.Xr sshd 8 ) . .Xr sshd 8 ) .
Empty lines and comments starting with Empty lines and comments starting with
.Ql # .Ql #
are ignored. are ignored.
.Pp .Pp
Arguments to
.Cm AuthorizedPrincipalsFile .Cm AuthorizedPrincipalsFile
may contain tokens of the form %T which are substituted during connection accept the tokens described in the
setup. .Sx TOKENS
The following tokens are defined: %% is replaced by a literal '%', section.
%h is replaced by the home directory of the user being authenticated, and
%u is replaced by the username of that user.
After expansion, After expansion,
.Cm AuthorizedPrincipalsFile .Cm AuthorizedPrincipalsFile
is taken to be an absolute path or one relative to the user's home is taken to be an absolute path or one relative to the user's home directory.
directory.
.Pp
The default is The default is
.Dq none , .Dq none ,
i.e. not to use a principals file \(en in this case, the username i.e. not to use a principals file \(en in this case, the username
of the user must appear in a certificate's principals list for it to be of the user must appear in a certificate's principals list for it to be
accepted. accepted.
.Pp
Note that Note that
.Cm AuthorizedPrincipalsFile .Cm AuthorizedPrincipalsFile
is only used when authentication proceeds using a CA listed in is only used when authentication proceeds using a CA listed in
@ -406,11 +394,11 @@ which are not writable by any other user or group.
After the chroot, After the chroot,
.Xr sshd 8 .Xr sshd 8
changes the working directory to the user's home directory. changes the working directory to the user's home directory.
.Pp Arguments to
The pathname may contain the following tokens that are expanded at runtime once .Cm ChrootDirectory
the connecting user has been authenticated: %% is replaced by a literal '%', accept the tokens described in the
%h is replaced by the home directory of the user being authenticated, and .Sx TOKENS
%u is replaced by the username of that user. section.
.Pp .Pp
The The
.Cm ChrootDirectory .Cm ChrootDirectory
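Review bot: the rewritten ChrootDirectory paragraph drops the qualifier from the old text that the tokens are "expanded at runtime once the connecting user has been authenticated"; the new TOKENS section it now points at only says "expanded at runtime". For ChrootDirectory the timing is the point (the %h and %u values are only known after authentication), so either keep that clause here or say it once in the TOKENS introduction. Separately, the `.Pp` that preceded the old paragraph was removed, so "Arguments to" now follows "changes the working directory to the user's home directory." with no paragraph break, unlike the AuthorizedKeysCommand and AuthorizedPrincipalsCommand entries in this diff, which keep a `.Pp` before "Arguments to".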
@ -1665,6 +1653,50 @@ Time format examples:
.It 1h30m .It 1h30m
1 hour 30 minutes (90 minutes) 1 hour 30 minutes (90 minutes)
.El .El
.Sh TOKENS
Arguments to some keywords can make use of tokens,
which are expanded at runtime:
.Pp
.Bl -tag -width XXXX -offset indent -compact
.It %%
A literal
.Sq % .
.It %F
The fingerprint of the CA key.
.It %f
The fingerprint of the key or certificate.
.It %h
The home directory of the user.
.It %i
The key ID in the certificate.
.It %K
The base64-encoded CA key.
.It %k
The base64-encoded key or certificate for authentication.
.It %s
The serial number of the certificate.
.It \&%T
The type of the CA key.
.It %t
The key or certificate type.
.It %u
The username.
.El
.Pp
.Cm AuthorizedKeysCommand
accepts the tokens %%, %f, %h, %t, and %u.
.Pp
.Cm AuthorizedKeysFile
accepts the tokens %%, %h, and %u.
.Pp
.Cm AuthorizedPrincipalsCommand
accepts the tokens %%, %F, %f, %K, %k, %h, %i, %s, %T, %t, and %u.
.Pp
.Cm AuthorizedPrincipalsFile
accepts the tokens %%, %h, and %u.
.Pp
.Cm ChrootDirectory
accepts the tokens %%, %h, and %u.
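Review bot: the per-keyword summary says "AuthorizedKeysCommand accepts the tokens %%, %f, %h, %t, and %u", but the paragraph this diff removes from the AuthorizedKeysCommand entry also documented "%k is replaced with the key being offered for authentication". Unless %k support was intentionally dropped, which the commit message does not claim (it only reorganises the token text), add %k to that line so the set of documented tokens is unchanged by the move. The AuthorizedPrincipalsCommand line does carry over every token from its removed paragraph, so the omission looks accidental rather than a deliberate narrowing.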
.Sh FILES .Sh FILES
.Bl -tag -width Ds .Bl -tag -width Ds
.It Pa /etc/ssh/sshd_config .It Pa /etc/ssh/sshd_config