The map file specifies which certificates authorize logging into which accounts. The format of the file is as follows:
<account-id> <keyword> <argument>
The keyword
can be either Email
,
Subject
, SerialAndIssuer
,
EmailRegex
, or SubjectRegex
. The
argument
depends on the keyword
.
Email
: The argument is the e-mail address which must
be present in the certificate.
Subject
: The argument is the required subject name in
LDAP DN (distinguished name) string format.
SerialAndIssuer
: The argument is the required serial
number and issuer name in LDAP DN string format, separated by spaces
or tabs.
EmailRegex
: The argument is the regular expression
which must match an e-mail address in the certificate. If
account-id
contains the string %subst%
,
it is substituted with the first parenthesized part of the regular expression.
The patterns are matched using the egrep syntax.
SubjectRegex
: The argument is the regular expression
which must match a subject name in the certificate. If
account-id
contains the string %subst%
,
it is substituted with the first parenthesized part of the regular expression.
The patterns are matched using the egrep syntax.
The following are examples of different map file definitions:
user1 email user1@ssh.com user1 subject C=FI,O=SSH,CN=Secure Shell User 1 user1 serialandissuer 1234 C=FI,O=SSH,CN=Secure Shell User 1 %subst% subjectregex C=FI, O=SSH, CN=([a-z]+) %subst% emailregex ([a-z]+)@ssh\.com
The last line permits logging with any e-mail address with only
letters in the user name. For more information on the regular expression
syntax, see sshregex
.