6f7f156 ssh: fix matching rules default

5 files Authored by sbose 4 years ago, Committed by pbrezina 4 years ago,
    ssh: fix matching rules default
    
    Before the ssh_use_certificate_matching_rules option was added the ssh
    responder returned ssh keys derived from all valid certificates. Since
    the default of the ssh_use_certificate_matching_rules option is
    'all_rules' in a case where no matching rules are defined all
    certificates will be filtered out and no ssh keys are returned.
    
    The intention of the default was to allow the same certificates
    which are allowed in the PAM responder for authentication. The missing
    default matching rule which is currently used by the PAM responder if no
    other rules are available is added by this patch.
    
    There might still be a small regression in case certificates without the
    extended key usage (EKU) clientAuth were used for ssh. In this case
    'ssh_use_certificate_matching_rules = no_rules' or a suitable matching
    rule must be added to the configuration.
    
    Related to https://pagure.io/SSSD/sssd/issue/4121
    
    Reviewed-by: Tomáš Halman <thalman@redhat.com>
    
        
file modified
+8 -1
file modified
+24 -6