Re: Misc development news (#8)



On 11403 March 1977, Steve Langasek wrote:

> So tagging a key as belonging to a particular host is insufficient - we need
> the full authorized_keys semantics for setting key options (from=, command=,
> no-port-forwarding, no-X11-forwarding, at least).

And? You have that already, just add that in front of your key as you
would normally do. ud-ldap passes it. It really "only" needs the
"host=gluck,merkel,whatever" addition to also limit it to target hosts
and then all is there.

> There is a workaround available in the form of "ping weasel, get a symlink
> that lets you do your mirroring thing on gluck", but it's still
> unsatisfactory in that it remains easier for users to do the wrong thing by
> giving their single-use keys global rights via LDAP than to coordinate with
> DSA.

Wrong.


Basically the only technical restriction keys have to pass is that
ssh-keygen -l -f $tmpfile has to be able to parse the lines. And it can
parse those options fine.

-- 
bye, Joerg
#debian.de @ OFTC
(01:38) <michael> whoa, people are chatting here on Sundays :)
(01:39) <maxx> yes, but only between 1:35 and 1:45, when Sunday is the 1st of the month :)
(01:39) <Sahneschnitter> what's going on here? activity :)

Attachment: pgpfmiNaAM1OT.pgp
Description: PGP signature
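
Added example, not part of the original message and not ud-ldap's code: a small Python check that reads an authorized_keys line with an options prefix of the kind discussed above (from=, command=, no-port-forwarding, no-X11-forwarding), computes the key fingerprint in the SHA256 form that current OpenSSH's `ssh-keygen -l` prints, and flags keys that carry neither from= nor command=. The function names, the sample key (a constructed all-zero ed25519 blob) and the sample addresses are assumptions made for illustration.

```python
import base64, hashlib, struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # key type names that start a line without options

def _split(text, seps):
    """Split on any character in seps, ignoring separators inside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    if quoted:
        raise ValueError("unterminated quote in options")
    return parts + [cur] if cur else parts

def parse_line(line):
    """Return (options, key type, SHA256 fingerprint) for one authorized_keys line."""
    fields = _split(line.strip(), " \t")
    options = {}
    if fields and not fields[0].startswith(KEY_PREFIXES):
        for opt in _split(fields.pop(0), ","):
            name, _, value = opt.partition("=")
            options[name.lower()] = value.strip('"')
    if len(fields) < 2:
        raise ValueError("missing key type or key data")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return options, fields[0], "SHA256:" + digest

def unrestricted(line):
    """True if the key has neither from= nor command=, i.e. no source or command limit."""
    options, _, _ = parse_line(line)
    return "from" not in options and "command" not in options

# Constructed sample: an ed25519 blob with an all-zero public key (not a real key).
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " mirror@example"
RESTRICTED = ('from="192.0.2.10,192.0.2.11",command="rsync --server -a . /srv/mirror",'
              "no-port-forwarding,no-X11-forwarding " + KEY)
```
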