summaryrefslogtreecommitdiff
path: root/usr.bin/colcrt
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2010-05-07 11:30:31 +0000
committerDamien Miller <djm@cvs.openbsd.org>2010-05-07 11:30:31 +0000
commit52c11610cb668bb2d16beeab8db488503604b9bc (patch)
tree34c8bc058192aa4e55e8ec49458d4a5ac80b5e4a /usr.bin/colcrt
parentdf6345e4898e4044424852df9eb6883ca20963c5 (diff)
add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@
Diffstat (limited to 'usr.bin/colcrt')
0 files changed, 0 insertions, 0 deletions