git.ipfire.org Git - thirdparty/openssh-portable.git/commit

author	djm@openbsd.org <djm@openbsd.org>
	Sun, 19 Dec 2021 22:11:06 +0000 (22:11 +0000)
committer	Damien Miller <djm@mindrot.org>
	Sun, 19 Dec 2021 22:27:06 +0000 (09:27 +1100)
commit	ce943912df812c573a33d00bf9e5435b7fcca3f7
tree	3ddc5d2f5b380b80fede63626ba448b4f08ed59c	tree \| snapshot
parent	5e950d765727ee0b20fc3d2cbb0c790b21ac2425	commit \| diff

upstream: ssh-add side of destination constraints

Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.

Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".

The first form permits a key to be used to authenticate as the
specified user to the specified host.

The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.

For example, constraining a key with "user1@host_a" and
"host_a>host_b". Would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.

Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.

host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.

feedback Jann Horn & markus@
ok markus@

OpenBSD-Commit-ID: 6b52cd2b637f3d29ef543f0ce532a2bce6d86af5