
key/cert fingerprint as ssh env variable

Thu, 23 May 2013 03:57:14 -0700

Hello,

I was reading about ssh & certificates and was curious how to
inform the logging-in user about this certificate's expiration.

IIRC it is not possible by default now, so an option would be to
have a repository with all signed certificates and check the certs
for expiration. Then the next idea was how to inform the logging-in user via
a ForceCommand script before he gets a login shell.

But the issue here is how to get trusted info about the certificate
the logging-in user is using for the session?

Maybe it would be nice to have the certificate fingerprint in an environment
variable created by SSH, something like

  SSH_USERFPRINT="7a:e7:60:fd:e8:ac:3a:52:fe:c9:e2:6c:74:34:95:a1"

then it would be a piece of cake to query the repository with all signed
certs.

I can see the same benefit for ssh keys too, for example one could work
with comments inside public keys (of course with authorized_keys not writable
by the logged-in user).

  sshd[22652]: Found matching RSA key: 7a:e7:60:fd:e8:ac:3a:52:fe:c9:e2:6c:74:34:95:a1

Or do you know another easy way to inform a user about cert expiration
during login?

jirib
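
One way to do the expiration check the post describes, as an added example that is not part of the original post or of OpenSSH: a small Python parser for the text `ssh-keygen -L` prints for a certificate, which a ForceCommand wrapper could call to warn the user before handing over the shell. The certificate fields and fingerprints below are constructed, and `ssh-keygen -L` itself is assumed to have been run beforehand with its output passed in as text.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what `ssh-keygen -L -f jirib-cert.pub` prints for a
# user certificate (hypothetical values, not taken from the original post).
SAMPLE_OUTPUT = """\
jirib-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT 7a:e7:60:fd:e8:ac:3a:52:fe:c9:e2:6c:74:34:95:a1
        Signing CA: RSA 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
        Key ID: "jirib"
        Serial: 42
        Valid: from 2013-05-01T00:00:00 to 2013-06-01T00:00:00
        Principals:
                jirib
        Critical Options: (none)
        Extensions:
                permit-pty
"""

# Only the two-sided "from ... to ..." form is parsed; "Valid: forever" and
# one-sided bounds yield no expiry and therefore no warning.
VALID_RE = re.compile(r"^\s*Valid:\s+from\s+(\S+)\s+to\s+(\S+)\s*$", re.MULTILINE)
KEYID_RE = re.compile(r'^\s*Key ID:\s+"([^"]*)"', re.MULTILINE)
TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_cert_info(text):
    """Return (key_id, not_before, not_after) from ssh-keygen -L output.

    not_before/not_after are None when no 'from ... to ...' line is present."""
    kid = KEYID_RE.search(text)
    key_id = kid.group(1) if kid else None
    m = VALID_RE.search(text)
    if not m:
        return (key_id, None, None)
    return (key_id, datetime.strptime(m.group(1), TIME_FMT),
            datetime.strptime(m.group(2), TIME_FMT))


def expiry_warning(text, now_iso, warn_days=14):
    """Message for the logging-in user, or None if the cert is not near expiry.

    now_iso is the current time as 'YYYY-MM-DDTHH:MM:SS' (same format ssh-keygen uses)."""
    key_id, _, exp = parse_cert_info(text)
    if exp is None:
        return None
    remaining = exp - datetime.strptime(now_iso, TIME_FMT)
    if remaining <= timedelta(0):
        return "certificate %s expired on %s" % (key_id, exp.isoformat())
    if remaining <= timedelta(days=warn_days):
        return "certificate %s expires in %d day(s) (%s)" % (key_id, remaining.days, exp.isoformat())
    return None
```

Which certificate to feed it is exactly the open question of the post; the parser only covers the "check the cert for expiration" half once the wrapper knows which file to inspect.
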

I'm very surprised to see something like this. Compared with a
normal unix filesystem, 'sftpuser' would not even enter such a
directory. Is this OK?

* sftpuser has only group 'sftpuser'

$ sftp sftpuser@localhost
Connected to localhost.
sftp> cd /
sftp> ls -l
drwxr-xr-x    2 0        0             512 May 21 18:43 dev
drwx-----x   12 1000     1000          512 May 21 18:32 jirib
drwxr-xr-x   10 1000     1000          512 May 21 18:32 pub
sftp> cd jirib
sftp> pwd
Remote working directory: /jirib
sftp> ls -al
remote readdir("/jirib"): Permission denied

j.


provide option to dhclient at boot

Mon, 20 May 2013 04:27:09 -0700

dhclient does not accept any options; this is hardcoded
in /etc/netstart. Maybe you can start to test with a new
dhclient_flags in /etc/rc.conf{.local} and modify
/etc/netstart's 67th line to use dhclient_flags...

but it would become complex if you want to have
specific options for specific interfaces...

jirib
