| author | Damien Miller <djm@mindrot.org> | 2010-05-21 06:58:32 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-05-21 06:58:32 +0200 |
| commit | d0e4a8e2e0bc6fcee6cd8486fbcdffaf7d037aed (patch) | |
| tree | a5e02fcbb2a55a16b877e960edd2b8f1adde8389 /PROTOCOL.certkeys | |
| parent | - djm@cvs.openbsd.org 2010/05/20 11:25:26 (diff) | |
| download | openssh-d0e4a8e2e0bc6fcee6cd8486fbcdffaf7d037aed.tar.xz openssh-d0e4a8e2e0bc6fcee6cd8486fbcdffaf7d037aed.zip | |
- djm@cvs.openbsd.org 2010/05/20 23:46:02
[PROTOCOL.certkeys auth-options.c ssh-keygen.c]
Move the permit-* options to the non-critical "extensions" field for v01
certificates. The logic is that if another implementation fails to
implement them then the connection just loses features rather than fails
outright.
ok markus@
Diffstat (limited to 'PROTOCOL.certkeys')

| -rw-r--r-- | PROTOCOL.certkeys | 35 |
|---|---|---|

1 files changed, 24 insertions, 11 deletions
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index 0fa5748f3..81b02a078 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys @@ -131,7 +131,7 @@ must refuse to authorise a key that has an unrecognised option. extensions is a set of zero or more optional extensions. These extensions are not critical, and an implementation that encounters one that it does -not recognise may safely ignore it. No extensions are defined at present. +not recognise may safely ignore it. The reserved field is currently unused and is ignored in this version of the protocol. @@ -172,6 +172,28 @@ force-command string Specifies a command that is executed ssh command-line) whenever this key is used for authentication. +source-address string Comma-separated list of source addresses + from which this certificate is accepted + for authentication. Addresses are + specified in CIDR format (nn.nn.nn.nn/nn + or hhhh::hhhh/nn). + If this option is not present then + certificates may be presented from any + source address. + +Extensions +---------- + +The extensions section of the certificate specifies zero or more +non-critical certificate extensions. The encoding of extensions in this +field is identical to that of the critical options. If an implementation +does not recognise an extension, then it should ignore it. + +The supported extensions and the contents and structure of their data +fields are: + +Name Format Description +----------------------------------------------------------------------------- permit-X11-forwarding empty Flag indicating that X11 forwarding should be permitted. X11 forwarding will be refused if this option is absent. 
@@ -196,13 +218,4 @@ permit-user-rc empty Flag indicating that execution of of this script will not be permitted if this option is not present. -source-address string Comma-separated list of source addresses - from which this certificate is accepted - for authentication. Addresses are - specified in CIDR format (nn.nn.nn.nn/nn - or hhhh::hhhh/nn). - If this option is not present then - certificates may be presented from any - source address. - -$OpenBSD: PROTOCOL.certkeys,v 1.5 2010/05/01 02:50:50 djm Exp $ +$OpenBSD: PROTOCOL.certkeys,v 1.6 2010/05/20 23:46:02 djm Exp $ |
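Review bot: in the first hunk (`@@ -131,7 +131,7 @@` / `@@ -172,6 +172,28 @@`), the new Extensions paragraph says "If an implementation does not recognise an extension, then it should ignore it" but does not state what ignoring means for the permit-* flags that now live in that section. Each flag is documented as "will be refused if this option is absent", so an implementation that skips a flag it does not know simply leaves that feature disabled; that is the fail-closed outcome the commit message relies on ("the connection just loses features rather than fails outright"), and it would be clearer to say so explicitly, e.g. append "and treat the corresponding feature as not permitted." Separately, the `+source-address string` entry added under the critical options says addresses are "specified in CIDR format (nn.nn.nn.nn/nn or hhhh::hhhh/nn)" but not what to do with a list that fails to parse; since this section is governed by "must refuse to authorise a key that has an unrecognised option", a sentence stating that a malformed address list must likewise cause the key to be refused would close that gap.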
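Review bot: the `-source-address string ...` block removed in this hunk (`@@ -196,13 +218,4 @@`) matches the text inserted under the critical options in the earlier hunk word for word, so it is a pure move, and the remaining change is the `$OpenBSD: PROTOCOL.certkeys,v 1.6 2010/05/20 23:46:02 djm Exp $` revision bump, which agrees with the 2010/05/20 23:46:02 entry in the commit message. The direction of the move is the right one for a restriction: had source-address stayed among the non-critical extensions, an implementation that ignored it would accept the certificate from any source address, so unlike the permit-* flags it must be critical and cause refusal when not understood.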