Discuss this help topic in SecureBlackbox Forum

TElSSHPublicKeyAttributes class



TElSSHPublicKeyAttributes is responsible for storing the list of key attributes.

Description

    Attributes are pairs of a text name and a text value. They are stored on the server along with the key and returned to the user on request. When a user adds a key to the server, they can specify the attributes to be set for that key. Note: attributes are supported starting with version 2 of the public-key subsystem protocol.

    The user can also set the Mandatory property for each attribute when adding the key. The server has to support all attributes marked as Mandatory; otherwise the key addition has to be rejected with an "unsupported attribute" error.

    The following text is taken from the Secure Shell Public-Key Subsystem draft:

    «The following attributes are currently defined:

     "comment"

     The value of the comment attribute contains user-specified text about the public key. The server SHOULD make every effort to preserve this value and return it with the key during any subsequent list operation. The server MUST NOT attempt to interpret or act upon the content of the comment field in any way. The comment attribute must be specified in UTF-8 format [6]. The comment field is useful so the user can identify the key without resorting to comparing its fingerprint. This attribute SHOULD NOT be mandatory.

     "comment-language"

     If this attribute is specified, it MUST immediately follow a "comment" attribute and specify the language for that attribute [5]. The client MAY specify more than one comment if it additionally specifies a different language for each of those comments. The server SHOULD attempt to store each comment with its language attribute. This attribute SHOULD NOT be mandatory.

     "command-override"

     "command-override" specifies a command to be executed when this key is in use. The command should be executed by the server when it receives an "exec" or "shell" request from the client, in place of the command or shell which would otherwise have been executed as a result of that request. If the command string is empty, both "exec" and "shell" requests should be denied. If no "command-override" attribute is specified, all "exec" and "shell" requests should be permitted (as long as they satisfy other security or authorization checks the server may perform). This attribute SHOULD be mandatory.

     "subsystem"

     "subsystem" specifies a comma-separated list of subsystems that may be started (using a "subsystem" request) when this key is in use. This attribute SHOULD be mandatory. If the value is empty, no subsystems may be started. If the "subsystem" attribute is not specified, no restrictions are placed on which subsystems may be started when authenticated using this key.

     "x11"

     "x11" specifies that X11 forwarding may not be performed when this key is in use. The attribute-value field SHOULD be empty for this attribute. This attribute SHOULD be mandatory.

     "shell"

     "shell" specifies that session channel "shell" requests should be denied when this key is in use. The attribute-value field SHOULD be empty for this attribute. This attribute SHOULD be mandatory.

     "exec"

     "exec" specifies that session channel "exec" requests should be denied when this key is in use. The attribute-value field SHOULD be empty for this attribute. This attribute SHOULD be mandatory.

     "agent"

     "agent" specifies that session channel "auth-agent-req" requests should be denied when this key is in use. The attribute-value field SHOULD be empty for this attribute. This attribute SHOULD be mandatory.

     "env"

     "env" specifies that session channel "env" requests should be denied when this key is in use. The attribute-value field SHOULD be empty for this attribute. This attribute SHOULD be mandatory.

     "from"

     "from" specifies a comma-separated list of hosts from which the key may be used. If a host not in this list attempts to use this key for authorization purposes, the authorization attempt MUST be denied. The server SHOULD make a log entry regarding this. The server MAY provide a method for administrators to disallow the appearance of a host in this list.

     "port-forward"

     "port-forward" specifies that no "direct-tcpip" requests should be accepted, except those to hosts specified in the comma-separated list supplied as a value to this attribute. If the value of this attribute is empty, all "direct-tcpip" requests should be refused when using this key. This attribute SHOULD be mandatory.

     "reverse-forward"

     "reverse-forward" specifies that no "tcpip-forward" requests should be accepted, except for the port numbers in the comma-separated list supplied as a value to this attribute. If the value of this attribute is empty, all "tcpip-forward" requests should be refused when using this key. This attribute SHOULD be mandatory. »
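The Mandatory rule described above and the attribute semantics in the quoted draft, shown as server-side logic in an added example. This is not SecureBlackbox code; the attribute record, the supported-attribute set and the policy dictionary are assumptions made for illustration.

```python
# Added example (not SecureBlackbox's API): how a public-key subsystem server
# could validate an add-key request and derive a per-key session policy.
from dataclasses import dataclass

@dataclass
class Attribute:
    name: str        # attribute name, e.g. "comment"
    value: str       # attribute value (may be empty)
    mandatory: bool = False

# Constructed set of attributes this hypothetical server knows how to honour.
SUPPORTED = {"comment", "comment-language", "command-override", "subsystem",
             "x11", "shell", "exec", "agent", "env", "from",
             "port-forward", "reverse-forward"}

def validate_add_request(attrs, supported=SUPPORTED):
    """Return None if the key may be added, otherwise the rejection reason."""
    prev = None
    for a in attrs:
        # A mandatory attribute the server cannot honour rejects the whole key.
        if a.mandatory and a.name not in supported:
            return f"unsupported attribute: {a.name}"
        # "comment-language" MUST immediately follow a "comment" attribute.
        if a.name == "comment-language" and prev != "comment":
            return "comment-language must immediately follow comment"
        prev = a.name
    return None

def session_policy(attrs):
    """Derive what a session authenticated with this key may do."""
    by_name = {a.name: a.value for a in attrs}
    policy = {"exec": True, "shell": True, "x11": True, "agent": True,
              "env": True, "subsystems": None, "direct_tcpip_hosts": None,
              "command_override": None}
    if "command-override" in by_name:
        cmd = by_name["command-override"]
        policy["command_override"] = cmd or None
        if cmd == "":  # empty command string: deny both "exec" and "shell"
            policy["exec"] = policy["shell"] = False
    for flag in ("shell", "exec", "x11", "agent", "env"):
        if flag in by_name:  # presence alone denies the request type
            policy[flag] = False
    # Empty list means "nothing allowed"; absent means "no restriction" (None).
    if "subsystem" in by_name:
        v = by_name["subsystem"]
        policy["subsystems"] = set(v.split(",")) if v else set()
    if "port-forward" in by_name:
        v = by_name["port-forward"]
        policy["direct_tcpip_hosts"] = set(v.split(",")) if v else set()
    return policy
```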

Properties

Methods

Declared in

.NET:
  • Namespace: SBSSHPubKeyCommon
  • Assembly: SecureBlackbox.SSHCommon
VCL:
  • Unit: SBSSHPubKeyCommon
Java:
  • Package: SecureBlackbox.SSHCommon.jar
C++:
  • sbsshpubkeycommon.h
