[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Misc development news (#8)

On 11403 March 1977, Steve Langasek wrote:

> So tagging a key as belonging to a particular host is insufficient - we need
> the full authorized_keys semantics for setting key options (from=, command=,
> no-port-forwarding, no-X11-forwarding, at least).

And? You have that already, just add that in front of your key as you
would normally do. ud-ldap passes it. It really "only" needs the
"host=gluck,merkel,whatever" addition to also limit it to target hosts
and then all is there.

> There is a workaround available in the form of "ping weasel, get a symlink
> that lets you do your mirroring thing on gluck", but it's still
> unsatisfactory in that it remains easier for users to do the wrong thing by
> giving their single-use keys global rights via LDAP than to coordinate with
> DSA.


Basically the only technical restriction keys have to pass is that
ssh-keygen -l -f $tmpfile has to be able to parse the lines. And it can
parse those options fine.

bye, Joerg
#debian.de @ OFTC
(01:38) <michael> hui, hier wird sonntags gechattet :)
(01:39) <maxx> ja, aber nur zwischen 1:35 und 1:45, wenn der Sonntag der 1. im Monat ist :)
(01:39) <Sahneschnitter> wasn hier los? activity :)

Attachment: pgpfmiNaAM1OT.pgp
Description: PGP signature

Reply to: