Keynote in OpenSSH
------------------

To enable Keynote policy support, build OpenSSH using "make KEYNOTE=yes".

System policies go in /etc/sshd_policy and are always read. User policies
are only read when the server config directive "LoadUserPolicies" is set,
and live in ~/.ssh/policy. Both policies are loaded with ASSERT_FLAG_LOCAL
set.

Global action variables

    app_domain = "SSH"
    user
    user_id
    group_id
    shell
    remote_ip
    remote_port
    time_of_day (encoded as HHMMSS)
    day_of_week (Sunday = 0)
    date (encoded as YYYYMMDD)
    protocol ("1" or "2")
    client_version
    completed_authentications

Protocol 2 specific:

    kex_type (key exchange type)
    cipher2_ctos (cipher used client->server for ssh2)
    mac2_ctos
    comp2_ctos
    cipher2_stoc
    mac2_stoc
    comp2_stoc

Protocol 1 specific:

    cipher1

Specific access control checks and local action variables:

Authentication - return values: true, false

    completed_authentications is populated with a comma-separated list of
    the authentications that have succeeded so far (regardless of policy
    checks). This can be used to require multiple authentications (e.g.
    pubkey + password) using regex queries in the policy assertion.

    Protocol 1:

        action = "auth1"
        auth_type = "password" / "rsa" / "rhosts-rsa" / "rhosts" /
                    "challenge-response" / "kerberos"

        Upon pubkey verification, the public key is added as an
        authorizer. SSH Protocol 1 RSA public keys are encoded in the
        form:

            sshkey:rsa1_142789799855908362[...]11720372574856523841

    Protocol 2:

        action = "auth2"
        auth_type = "none" / "publickey" / "password" /
                    "keyboard-interactive" / "hostbased"

        SSH Protocol 2 keys are encoded as:

            sshkey:ssh-rsa_AAAAB3NzaC1yc2a[...]pMauaWV+G2LBcYtfYD8=

        i.e. the public key algorithm name followed by the base64 encoded
        public key.
Remote '-R' port forwarding setup - tested when port forwarding was requested

    action = "rport-forward"
    listen_port

Port forwarding connect - check in channel_post_port_listener after accept()

    action = "lport-forward"
    target_host
    target_port

Command execution

    action = "exec"
    command (may have been modified by forced commands in public key files)
    original_command (original command specified by user)

Shell execution

    action = "shell"
    command (will only be present if set by forced commands)

Subsystem execution

    action = "subsys"
    subsys

Agent forwarding

    action = "agent-forward"

PTY request

    action = "pty-request"

SSH1 compression request

    action = "request-compression1"
    compression_level = (1 -> 9)

X11 forwarding request

    action = "x11-forward"

An example sshd_policy showing most of the options (two assertions: a
blanket policy, and one that authorises protocol 2 public-key logins for
a single key named in its Licensees field):

keynote-version: 2
Authorizer: "POLICY"
Conditions: (app_domain == "SSH") -> {
    action == "agent-forward" -> "true";
    action == "auth1" -> {
        auth_type == "password" -> "true";
        auth_type == "rsa" -> "true";
        auth_type == "rhosts-rsa" -> "true";
        auth_type == "rhosts" -> "true";
        auth_type == "challenge-response" -> "true";
        auth_type == "kerberos" -> "true";
    };
    action == "auth2" -> {
        auth_type == "none" -> "true";
        auth_type == "publickey" -> "false";
        auth_type == "password" -> "true";
        auth_type == "keyboard-interactive" -> "true";
        auth_type == "hostbased" -> "true";
    };
    action == "exec" -> "true";
    action == "lport-forward" -> "true";
    action == "pty-request" -> "true";
    action == "request-compression1" -> "true";
    action == "rport-forward" -> "true";
    action == "shell" -> "true";
    action == "subsys" -> "true";
    action == "x11-forward" -> "true";
};

Authorizer: "POLICY"
Licensees: "sshkey:ssh-rsa_AAAAB3NzaC1yc2EAAAABIwAAAIEA0zFnigHloAYTCsmLgBsHZeJBjs7Q6LCjjBAXe/vPrHh0SfPZIrcpWxuqbuOniXJ0RNmwJMvq/cVIVF1pS/dgtmkgeP/5I1xPX6IvAtJsNi8Df23ypiV++QVxHd76FM683ZzyZC2SBv4nkpXWMuCaapxx0MauaWV+G2LBcYtfYD8="
Conditions: (app_domain == "SSH") -> {
    action == "auth2" -> {
        auth_type == "publickey" -> "true";
    };
};
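A second, stricter policy, written for this page as an added example (it is
not part of the OpenSSH Keynote patch or its README). It shows the two
things the example above does not: requiring pubkey AND password by
regex-matching completed_authentications as described under
"Authentication", and restricting channel requests (lport-forward,
rport-forward) on their local action variables. Assumptions: the KeyNote
operators used here are the standard ones from RFC 2704 (~= is a regular
expression match, && is logical and, # starts a comment, and a Conditions
field yields the highest value returned by any clause, so an action with
no matching clause evaluates to false); the HHMMSS / single-digit
day_of_week encodings listed above are zero-padded fixed width, so plain
string comparison orders them correctly; the host and port values are
placeholders.

```keynote
# Example sshd_policy (added illustration, not from the Keynote patch):
# - protocol 2 logins must complete BOTH publickey and password
# - interactive use and a single local forward target are allowed
# - remote forwards may only listen on one unprivileged port
keynote-version: 2
Authorizer: "POLICY"
Conditions: (app_domain == "SSH") -> {
    # Protocol 1 is not permitted at all: no "auth1" clause matches,
    # so the query for that action evaluates to false.

    action == "auth2" -> {
        # A successful public-key verification is recorded in
        # completed_authentications regardless of the value returned
        # here, but returning false stops it completing authentication
        # on its own.
        auth_type == "publickey" -> "false";

        # Password is accepted only after a public key has already
        # succeeded (regex match on the comma-separated list), during
        # 09:00:00-17:59:59 (HHMMSS compared as zero-padded strings),
        # Monday (1) to Friday (5).
        (auth_type == "password" &&
         completed_authentications ~= "publickey" &&
         time_of_day >= "090000" && time_of_day < "180000" &&
         day_of_week >= "1" && day_of_week <= "5") -> "true";

        # "none", "keyboard-interactive" and "hostbased" fall through
        # and are therefore refused.
    };

    # Interactive sessions.
    action == "pty-request" -> "true";
    action == "shell" -> "true";
    action == "exec" -> "true";

    # -L style forward: only to one placeholder host and port.
    action == "lport-forward" -> {
        (target_host == "192.0.2.10" && target_port == "443") -> "true";
    };

    # -R style forward: only one placeholder listen port on the server.
    action == "rport-forward" -> {
        listen_port == "8080" -> "true";
    };

    # agent-forward, x11-forward, subsys and request-compression1 have
    # no clause and are refused.
};
```

Because completed_authentications is appended to even when the policy
returned false for that step, the order of the two auth2 clauses matters
only for readability: what enforces "both" is that the publickey clause
never returns true and the password clause requires the regex to match.
When reading user policies (LoadUserPolicies), remember that a user can
only grant what the system policy already allows, since both assertions
are evaluated against the same query.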