Mailing List Archive

[Bug 3440] New: RFE: be able to use "Match exec" on SSHD server side
https://bugzilla.mindrot.org/show_bug.cgi?id=3440

Bug ID: 3440
Summary: RFE: be able to use "Match exec" on SSHD server side
Product: Portable OpenSSH
Version: v9.0p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: rmetrich@redhat.com

We have customers at Red Hat wanting to have a different SSHD
configuration snippet based on user's name (e.g. to force
keyboard-interactive authentication when user is "LLNNNNN" (L = letter,
N = digit)).

The "User" token pattern matching isn't smart enough to filter this
kind of "LLNNNNN" pattern.

IMHO this requires having the possibility to use the "exec" token in
Match stanza on the server side, but this isn't possible for now:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Match Introduces a conditional block. [...]

The arguments to Match are one or more criteria-pattern
pairs or the single token All which matches
all criteria. The available criteria are User, Group,
Host, LocalAddress, LocalPort, RDomain, and
Address (with RDomain representing the rdomain(4) on which
the connection was received).
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Allowing the use of "exec" would make tons of customizations
possible.

Additionally, there is no simple workaround available for now: it
requires having multiple SSHD instances, one for "normal users" and one
for "LLNNNNN" users, but this isn't enough; it also requires crafting a
PAM module to prohibit the "LLNNNNN" users from connecting through the
"normal users" instance, which makes the workaround difficult to
implement.

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
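The two-instance workaround the report sketches, made concrete as an added example; this is not code from the bug report or from OpenSSH. It is the pam_exec(8) helper that refuses "LLNNNNN" users on the normal sshd instance, with the sshd_config and PAM lines that wire it in shown in the header comment. The helper path /usr/local/sbin/deny-restricted-users, the port 2222, the file name sshd_config-restricted and the assumption that the two instances authenticate through different PAM service names are all assumptions, not anything the report specifies.

```shell
#!/bin/sh
# Added example, not part of the bug report or of OpenSSH: the pam_exec(8)
# helper for the two-instance workaround described in the report.
#
# Assumed wiring (paths, port and service names are assumptions):
#
#   /etc/ssh/sshd_config-restricted   (second instance, started with -f)
#       Port 2222
#       AuthenticationMethods keyboard-interactive
#
#   /etc/pam.d/sshd   (normal instance only; assumes the restricted
#   instance authenticates through a different PAM service name)
#       account requisite pam_exec.so quiet /usr/local/sbin/deny-restricted-users
#
# The hook sits in the "account" stack, not "auth": sshd runs PAM account
# management for every authentication method when UsePAM is on, whereas
# the PAM auth stack is skipped entirely for public-key logins, which
# would let an LLNNNNN user with a key bypass an auth-stack check.
# pam_exec exports PAM_USER, PAM_SERVICE, PAM_TYPE, PAM_RHOST, PAM_RUSER
# and PAM_TTY into the helper's environment and treats a non-zero exit
# as a module failure, so "requisite" stops the stack for refused users.

# Does the name match LLNNNNN (two letters, five digits, nothing else)?
# The bracket expressions are what makes this expressible here; sshd's
# own Match User patterns offer only '*' and '?' (plus '!' negation),
# which cannot tell a letter from a digit.
is_restricted_user() {
    case "$1" in
        [A-Za-z][A-Za-z][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Decision for the normal instance: 0 = let PAM continue, 1 = deny.
# Logs the refusal so the user can be pointed at the restricted port.
pam_decision() {
    user="$1"
    if is_restricted_user "$user"; then
        logger -p auth.notice -t deny-restricted-users \
            "refusing '$user' on the normal sshd instance" 2>/dev/null || :
        return 1
    fi
    return 0
}

# Hook entry point: acts only when pam_exec(8) has supplied PAM_USER and
# invoked us from the account stack, so sourcing this file for testing
# does not exit the shell.
if [ -n "${PAM_USER:-}" ] && [ "${PAM_TYPE:-}" = "account" ]; then
    pam_decision "$PAM_USER"
    exit $?
fi
```

The restricted instance needs no hook of its own: its AuthenticationMethods line already forces keyboard-interactive for everyone who connects to its port, which is the behaviour the report asks for. What the helper cannot do is redirect an LLNNNNN user who connects to port 22; it can only refuse them, which is the limitation the report points to when it asks for a server-side "Match exec".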