git.ipfire.org Git - thirdparty/openssh-portable.git/commit

author	djm@openbsd.org <djm@openbsd.org>
	Sun, 19 Dec 2021 22:10:24 +0000 (22:10 +0000)
committer	Damien Miller <djm@mindrot.org>
	Sun, 19 Dec 2021 22:25:17 +0000 (09:25 +1100)
commit	5e950d765727ee0b20fc3d2cbb0c790b21ac2425
tree	9c93c8a36465ed4289f02eb3c962b3d1b02e0de5	tree
parent	4c1e3ce85e183a9d0c955c88589fed18e4d6a058	commit \| diff

upstream: ssh-add side of destination constraints

Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.

Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".

The first form permits a key to be used to authenticate as the
specified user to the specified host.

The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.

For example, constraining a key with "user1@host_a" and
"host_a>host_b". Would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.

Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.

host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.

feedback Jann Horn & markus@
ok markus@

OpenBSD-Commit-ID: ef47fa9ec0e3c2a82e30d37ef616e245df73163e

authfd.c		diff \| blob \| blame \| history
authfd.h		diff \| blob \| blame \| history
ssh-add.c		diff \| blob \| blame \| history
sshconnect.c		diff \| blob \| blame \| history