version 1.120, 2010/03/04 23:17:25 |
version 1.121, 2010/05/07 11:30:30 |
|
|
directory. |
directory. |
The default is |
The default is |
.Dq .ssh/authorized_keys . |
.Dq .ssh/authorized_keys . |
|
.It Cm AuthorizedPrincipalsFile |
|
Specifies a file that lists principal names that are accepted for |
|
certificate authentication. |
|
When using certificates signed by a key listed in |
|
.Cm TrustedUserCAKeys , |
|
this file lists names, one of which must appear in the certificate for it |
|
to be accepted for authentication. |
|
Names are listed one per line; empty lines and comments starting with |
|
.Ql # |
|
are ignored. |
|
.Pp |
|
.Cm AuthorizedPrincipalsFile |
|
may contain tokens of the form %T which are substituted during connection |
|
setup. |
|
The following tokens are defined: %% is replaced by a literal '%', |
|
%h is replaced by the home directory of the user being authenticated, and |
|
%u is replaced by the username of that user. |
|
After expansion, |
|
.Cm AuthorizedPrincipalsFile |
|
is taken to be an absolute path or one relative to the user's home |
|
directory. |
|
.Pp |
|
The default is not to use a principals file - in this case, the username |
|
of the user must appear in a certificate's principals list for it to be |
|
accepted. |
|
Note that |
|
.Cm AuthorizedPrincipalsFile |
|
is only used when authentication proceeds using a CA listed in |
|
.Cm TrustedUserCAKeys |
|
and is not consulted for certification authorities trusted via |
|
.Pa ~/.ssh/authorized_keys , |
|
though the |
|
.Cm principals= |
|
key option offers a similar facility (see |
|
.Xr sshd 8 |
|
for details). |
|
.Pp |
.It Cm Banner |
.It Cm Banner |
The contents of the specified file are sent to the remote user before |
The contents of the specified file are sent to the remote user before |
authentication is allowed. |
authentication is allowed. |
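Review bot: the added block ends with a bare `.Pp` directly before `.It Cm Banner`; the next `.It` already starts a new list item, so that paragraph macro is redundant and should be dropped. Separately, the new text allows `%h` and paths relative to the user's home directory but does not say what ownership or permissions the principals file must have. Since the file decides which certificate principals can log in as the account, a sentence stating whether the file may be user-writable and whether it is covered by the same checks as `.ssh/authorized_keys` would help administrators decide between a per-user location and a root-owned one. In "The default is not to use a principals file - in this case", the hyphen is standing in for a dash; splitting it into two sentences would read better in the rendered page.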