-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathtest.conf
More file actions
136 lines (113 loc) · 5.54 KB
/
test.conf
File metadata and controls
136 lines (113 loc) · 5.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
# The sections in this file work as recursive glob patterns and match files
# under the "keys" directory. The options of all matching sections are merged to
# allow for composition. Options in later matching sections replace options with
# the same name in earlier sections to allow for overrides.
#
# Please note that a "restrict" option is always added, defaulting all options
# to their most restrictive values. Due to the way port forwarding options work,
# the "port-forwarding" option is always added when any "open" or "listen"
# options are used. To then restrict the respective other option that would be
# allowed by "port-forwarding", a "permit[open|listen]" option is added
# automatically with the dummy "null:1" value, which hopefully doesn't match
# anything useful.
# The following section matches all keys in all directories and can be used to
# define default values for options. Note the use of the recursive ** which is
# required to match files in all subdirectories (including the root directory).
[**/*]
# The "command" option allows to provide a forced server side command. It maps
# to the "command" option in authorized_keys. Note that quotes are automatically
# escaped.
command=/bin/echo "nothing to see here"
# The following applies options to all files in all directories that match a
# certain suffix. In these examples, email addresses are used to identify the
# public key files, but this is not a requirement.
[**/*@example.org.pub]
# The "open" option allows local port forwards to open connections to certain
# ports on certain hosts. It maps to the "permitopen" option in authorized_keys.
# The syntax for these options is "[host[,host...]:]port[-port][,port...]" and
# all permutations of the host and port lists are rendered. The value can be
# multiline. A port spec without host applies implicitly to "localhost" only.
open=*
# The "listen" option allows remote port forwards to bind to certain ports on
# certain interfaces. It maps to the "permitlisten" option in authorized_keys.
# The syntax is the same as for "open" and allows multiple hosts and ports as
# comma separated lists as well as wildcards. A port spec without host applies
# to "localhost" only and does allow local connections on the remote machine
# only. Please note that the use of a host spec is subject to the server side
# GatewayPorts configuration.
listen=*
# With the "from" option the allowed connection source can be further
# restricted. It maps to the "from" option in authorized_keys with the same
# syntax.
from=*.example.org,1.2.0.0/16
# This section matches all files directly in the "admins" subdirectory.
[admins/*]
# A wildcard host and port spec in an "open" option allows to locally forward
# any port on any host.
open=*:*
# A wildcard host and port spec in a "listen" option allows to listen on any
# port on any interface. Note that this usage is further restricted by the
# server side GatewayPorts configuration.
listen=*:*
# An empty command clears the forced command that would otherwise be inherited
# from earlier sections.
command=
# The "pty" boolean option maps to the "[no-]pty" option in authorized_keys.
# Note that all boolean options only evaluate to true for a literal, case
# sensitive "yes".
pty=yes
# The "agent" boolean option maps to the "[no-]agent-forwarding" option in
# authorized_keys.
agent=no
# The "rc" boolean option maps to the "[no-]user-rc" option in authorized_keys.
rc=no
# The "x11" boolean option maps to the "[no-]X11-forwarding" option in
# authorized_keys.
x11=no
# The "environment" option maps to the authorized_keys option with the same name
# and syntax. It is a multiline option with each line producing a separate
# "environment" option in the rendered authorized_keys. Note that the use of
# environment variables depends on the server side PermitUserEnvironment
# configuration.
environment=
TEST_ABC=xyz
TEST_123="abc def"
# This example section applies different rules for any key directly under the
# "external" subdirectory.
[external/*]
# Multiple hosts and multiple ports and port ranges are supported. Please note
# that the port range is expanded to all individual ports and that list is then
# permutated with each host, possibly producing a lot of permitopen options in
# the final output. Be aware that there is a limit on the count of permission
# options per generated authorized_keys line in OpenSSH (at ~4096 in 8.2).
open=
client-host-1,client-host-2:22,5900-5905
client-vm:*
# Key expiry can be configured with the "expiry" option. It maps to the
# "expiry-time" option of authorized_keys and has the same syntax of
# "YYYYMMDD[HHMM[SS]]".
expiry=20220101123456
# The following are examples of unsupported usages due to various limitations in
# the authorized_keys and ssh-authmanager configuration syntax.
[user@example.org.pub]
# Wildcard hosts with ports are unsupported as hosts are not pattern matched in
# authorized_keys. A warning is emitted when this usage is detected.
open=*:22
# Invalid port specs produce a warning and are dropped.
listen=0,0-1,twentytwo,65535-65536,65536
# Multiple lines of "from" are unsupported as the authorized_keys syntax only
# allows for a single "from" option. Use a comma seperated list instead.
from=
127.0.0.1/8
users.example.org
# An invalid expiry syntax will cause an error to be output and the option is
# ignored, allowing the keys to be used indefinitely.
expiry=123
# Unknown keys produce a warning.
unknown=yes
# Matching files outside of the keys directory will fail with a warning.
[../hosts]
command=malicious
# Unmatched keys or patterns produce a warning.
[this-key-does-not-exist.pub]
open=*