TElSSHPublicKeyAttributes is responsible for storing the list of key attributes.
Description
Attributes are pairs of a text name and a text value.
Attributes are stored on the server along with the key and returned to the user on request.
When a user adds a key to the server, they can specify the attributes to be set for this key.
Note: attributes are supported starting with version 2 of the public-key
subsystem protocol.
The user can also specify the Mandatory property for each attribute when adding the key. The server has to support all attributes marked as Mandatory;
otherwise the key addition has to be rejected with an "unsupported attribute" error.
The following text is taken from the Secure Shell Public-Key Subsystem draft:
«The following attributes are currently defined:
"comment"
The value of the comment attribute contains user-specified text about
the public key. The server SHOULD make every effort to preserve this
value and return it with the key during any subsequent list
operation. The server MUST NOT attempt to interpret or act upon the
content of the comment field in any way. The comment attribute must
be specified in UTF-8 format [6].
The comment field is useful so the user can identify the key without
resorting to comparing its fingerprint. This attribute SHOULD NOT be
mandatory.
"comment-language"
If this attribute is specified, it MUST immediately follow a
"comment" attribute and specify the language for that attribute [5].
The client MAY specify more than one comment if it additionally
specifies a different language for each of those comments. The
server SHOULD attempt to store each comment with its language
attribute. This attribute SHOULD NOT be mandatory.
"command-override"
"command-override" specifies a command to be executed when this key
is in use. The command should be executed by the server when it
receives an "exec" or "shell" request from the client, in place of
the command or shell which would otherwise have been executed as a
result of that request. If the command string is empty, both "exec"
and "shell" requests should be denied. If no "command-override"
attribute is specified, all "exec" and "shell" requests should be
permitted (as long as they satisfy other security or authorization
checks the server may perform). This attribute SHOULD be mandatory.
"subsystem"
"subsystem" specifies a comma-separated list of subsystems that may
be started (using a "subsystem" request) when this key is in use.
This attribute SHOULD be mandatory. If the value is empty, no
subsystems may be started. If the "subsystem" attribute is not
specified, no restrictions are placed on which subsystems may be
started when authenticated using this key.
"x11"
"x11" specifies that X11 forwarding may not be performed when this
key is in use. The attribute-value field SHOULD be empty for this
attribute. This attribute SHOULD be mandatory.
"shell"
"shell" specifies that session channel "shell" requests should be
denied when this key is in use. The attribute-value field SHOULD be
empty for this attribute. This attribute SHOULD be mandatory.
"exec"
"exec" specifies that session channel "exec" requests should be
denied when this key is in use. The attribute-value field SHOULD be
empty for this attribute. This attribute SHOULD be mandatory.
"agent"
"agent" specifies that session channel "auth-agent-req" requests
should be denied when this key is in use. The attribute-value field
SHOULD be empty for this attribute. This attribute SHOULD be
mandatory.
"env"
"env" specifies that session channel "env" requests should be denied
when this key is in use. The attribute-value field SHOULD be empty
for this attribute. This attribute SHOULD be mandatory.
"from"
"from" specifies a comma-separated list of hosts from which the key
may be used. If a host not in this list attempts to use this key for
authorization purposes, the authorization attempt MUST be denied.
The server SHOULD make a log entry regarding this. The server MAY
provide a method for administrators to disallow the appearance of a
host in this list.
"port-forward"
"port-forward" specifies that no "direct-tcpip" requests should be
accepted, except those to hosts specified in the comma-separated list
supplied as a value to this attribute. If the value of this
attribute is empty, all "direct-tcpip" requests should be refused
when using this key. This attribute SHOULD be mandatory.
"reverse-forward"
"reverse-forward" specifies that no "tcpip-forward" requests should
be accepted, except for the port numbers in the comma-separated list
supplied as a value to this attribute. If the value of this
attribute is empty, all "tcpip-forward" requests should be refused
when using this key. This attribute SHOULD be mandatory.
»
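As an added illustration (not SecureBlackbox code), a minimal server-side policy check in Python that applies the rules quoted above: a key is rejected when it carries a mandatory attribute the server does not understand, and channel requests are then decided against the stored attributes. The Attr class, the SUPPORTED set and the request names used as dictionary keys are assumptions made for this example.

```python
from dataclasses import dataclass

# Attribute names this hypothetical server implements (all from the draft).
SUPPORTED = {"comment", "comment-language", "command-override", "subsystem",
             "x11", "shell", "exec", "agent", "env", "from",
             "port-forward", "reverse-forward"}
# Requests that a bare (empty-valued) attribute denies outright.
DENY_FLAG = {"exec": "exec", "shell": "shell", "x11-req": "x11",
             "auth-agent-req": "agent", "env": "env"}
# Requests restricted to a comma-separated allow-list held in an attribute.
ALLOW_LIST = {"subsystem": "subsystem", "direct-tcpip": "port-forward",
              "tcpip-forward": "reverse-forward"}

@dataclass
class Attr:                      # assumed data model: name, value, mandatory
    name: str
    value: str = ""
    mandatory: bool = False

def add_key_check(attrs):
    """Return None if the key may be stored, else the rejection reason:
    any mandatory attribute the server does not support rejects the key."""
    for a in attrs:
        if a.mandatory and a.name not in SUPPORTED:
            return "unsupported attribute: " + a.name
    return None

def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def request_allowed(attrs, request, target=None):
    """Evaluate a channel request against the key's attributes.
    target is the subsystem name, host or port for list-valued attributes."""
    by_name = {a.name: a.value for a in attrs}
    if request in DENY_FLAG and DENY_FLAG[request] in by_name:
        return False
    if request in ("exec", "shell") and "command-override" in by_name:
        # Empty override denies both requests; otherwise the override runs.
        return by_name["command-override"] != ""
    if request in ALLOW_LIST:
        name = ALLOW_LIST[request]
        if name not in by_name:      # attribute absent: no restriction
            return True
        return str(target) in _csv(by_name[name])  # empty list: all refused
    return request in DENY_FLAG      # known request, unrestricted; unknown kinds denied

def auth_host_allowed(attrs, client_host):
    """'from' restricts the hosts that may authenticate with this key."""
    by_name = {a.name: a.value for a in attrs}
    return "from" not in by_name or client_host in _csv(by_name["from"])
```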
.NET: