Displaying 20 results from an estimated 1340 matches for "509".
2008 Mar 13
0
[Fwd: Re: OpenSSH and X.509 Certificate Support]
Hi Roumen,
I discovered that the need of appending the .pub part of id_rsa(client
key+cert) on the server can be eliminated by adding the Certificate Blob
to authorized_keys which could look something like this:
x509v3-sign-rsa subject=
/C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=client at company.com
This is extracted from the client certificate using openssl as described
in the README file provided by you at
http://roumenpetrov.info/openssh/x509h/README.x509v3
This system works fine...
2012 Aug 13
1
X.509 certificates and OpenSSH
I understand that recent versions of OpenSSH have support for X.509
certificates, in the sense that OpenSSH clients can extract the
relevant information from such certificates and use it in order to
carry out the usual public key-based authentication.
Having a quick look into the SSH RFCs, it would seem that this is the
only way in which OpenSSH supports X.509-bas...
2018 May 25
4
Suggestion: Deprecate SSH certificates and move to X.509 certificates
I suggest deprecating proprietary SSH certificates and move to X.509
certificates. The reasons why I suggest this change are: X.509
certificates are the standard on the web, SSH certificates provide no
way to revoke compromised certificates, and SSH certificates haven't
seen significant adoption. It's also a bad idea to roll your own
crypto, and own certific...
2006 Sep 30
1
Announce: X.509 certificates support version 5.5.1 in OpenSSH 4.4p1
Hi All,
The version 5.5.1 of "X.509 certificates support in OpenSSH" is ready for download.
On download page http://roumenpetrov.info.localhost/openssh/download.html#get_-5.5.1
you can find the diff for OpenSSH version 4.4p1.
What's new:
* specific diff of 5.5 for OpenSSH 4.4p1
Because of OpenSSH source code changes, like...
2006 May 27
2
[ANNOUNCE] PKCS#11 support in OpenSSH 4.3p2 (version 0.11)
Hello,
The version 0.11 of "PKCS#11 support in OpenSSH" is published.
Changes:
1. Updated against OpenSSH 4.3p2.
2. Modified against Roumen Petrov's X.509 patch (version
5.4), so self-signed certificates are treated by the X.509
patch now.
3. Added --pkcs11-x509-force-ssh if X.509 patch applied,
until some issues with the X.509 patch are resolved.
4. Fixed issues with gcc-2.
You can grab the new version from
http://alon.barlev.googlepages.com/openss...
2018 Mar 27
2
Unable to access AD with ADExplorer
...897302, 3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user []\[administrator]@[TEST]
auth_check_password_send: mapped user is: [SAMDOM]\[administrator]@[TEST]
[2018/03/26 16:32:38.901252, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2018/03/26 16:32:38.901492, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xe2088215
[2018/03/26 16:32:38.901669, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal -...
2005 Nov 01
3
PKCS#11 support for openssh
Hello OpenSSH developers,
A week ago I posted a patch that enables openssh to work
with PKCS#11 tokens.
I didn't receive any comments regarding the patch or reply
to my questions.
In current software world, providing a security product that
does not support standard interface for external
cryptographic hardware makes the product obsolete.
Please comment on my patch, so I can know
2018 May 25
2
Suggestion: Deprecate SSH certificates and move to X.509 certificates
Can you implement revocation support?
On Fri, May 25, 2018 at 6:55 AM, Damien Miller <djm at mindrot.org> wrote:
> No way, sorry.
>
> The OpenSSH certificate format was significantly motivated by X.509's
> syntactic and semantic complexity, and the consequent attack surface in
> the sensitive pre-authentication paths of our code. We're very happy to
> be able to offer certificate functionality while avoiding the numerous
> vulnerabilities that X.509/ASN.1 parsing would have br...
2002 Jan 25
0
[Bug 78] New: Support use of named (krb4, krb5, gsi, x.509) keys in auth_keys entries
http://bugzilla.mindrot.org/show_bug.cgi?id=78
Summary: Support use of named (krb4, krb5, gsi, x.509) keys in
auth_keys entries
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: All
URL: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=101189381805982&w=2
OS/Version: All
Status:...
2006 Apr 27
0
Announce: X.509 certificates support in OpenSSH version 5.4
Hi All,
The version 5.4 of "X.509 certificates support in OpenSSH" is ready for download.
On download page http://roumenpetrov.info.localhost/openssh/download.html#get_-5.4
you can find diffs for OpenSSH versions 4.2p1 and 4.3p2.
What's new:
* given up support for "x509v3-sign-rsa-sha1" and "x509v3-sign-d...
2008 Feb 20
4
OpenSSH and X.509 Certificate Support
Hi,
I need to add X.509 Certificate support to OpenSSH.
I came across the following post on the openssh-unix-dev mailing list
that is very useful:
http://marc.info/?l=openssh-unix-dev&m=120298135706959&w=2
And also, http://marc.info/?l=...
2005 Oct 22
2
openssh PKCS#11 support
Hello All,
As I promised, I've completed an initial patch for openssh
PKCS#11 support. The same framework is used also by openvpn.
I want to help everyone who assisted during development.
This patch is based on the X.509 patch from
http://roumenpetrov.info/openssh/ written by Rumen Petrov,
supporting PKCS#11 without X.509 looks like a bad idea.
*So the first question is: What is the merge status of
Roumen's patch?*
The PKCS#11 patch modifies ssh-add and ssh-agent to support
PKCS#11 private keys and certifica...
2018 Jan 26
1
Send full X.509 client certificate to custom authentication policy server
I'm working with Dovecot 2.3 and I'm wondering if I could send the full
X.509 client certificate to my custom authentication policy server.
I'm actually aware that I can send the client certificate validity status
with something like:
auth_policy_request_attributes = ... cert=%{cert}
But I want the full X.509 certificate to be able to decide over the basis
of certific...
2008 Mar 10
1
Benefits of OpenSSH X.509 over key based authentication?
Hi,
I have some observations regarding the X.509 patch developed by Roumen
Petrov for OpenSSH available at http://roumenpetrov.info/openssh/ , I don't
understand some things here like
1. When certificate based authentication of the client is desired,
shouldn't it be something like what mod_ssl does in Apache where you have a CA
cert...
2011 Sep 08
2
Announce: X.509 certificates support v7.0 for OpenSSH version 5.9p1
Hi All,
Version 7.0 of "X.509 certificates support in OpenSSH" is ready for
immediate download.
This version allows the client to use certificates and keys stored in
external devices. The implementation is based on openssl dynamic engines.
For instance E_NSS engine ( http://developer.berlios.de/projects/enss )
will allow...
2008 Jul 31
5
[Bug 1498] New: OpenSC smartcard access should use raw public keys, not X.509 certificates
https://bugzilla.mindrot.org/show_bug.cgi?id=1498
Summary: OpenSC smartcard access should use raw public keys,
not X.509 certificates
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.1p1
Platform: Other
OS/Version: Linux
Status: NEW
Keywords: patch
Severity: normal
Priority: P2
Component: Smartcard...
2007 Oct 05
3
[Bug 1373] New: native support for X.509 v3 certificates
http://bugzilla.mindrot.org/show_bug.cgi?id=1373
Summary: native support for X.509 v3 certificates
Product: Portable OpenSSH
Version: 4.7p1
Platform: Other
OS/Version: Other
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: mind...
2018 Mar 27
0
Unable to access AD with ADExplorer
...urce4/auth/ntlm/auth.c:271(auth_check_password_send)
> auth_check_password_send: Checking password for unmapped user []\[administrator]@[TEST]
> auth_check_password_send: mapped user is: [SAMDOM]\[administrator]@[TEST]
> [2018/03/26 16:32:38.901252, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2018/03/26 16:32:38.901492, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0xe2088215
> [2018/03/26 16:32:38.901669, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)...
2006 Jan 29
1
file.c:509 ast_openstream_full: File 100 does not exist in any format
Hi all,
look at these lines.
I created a queue named info. When a caller (extension
86) places a call, he is put on the queue and he should hear MOH.
What's the meaning of :
Jan 29 14:35:30 WARNING[2591]: file.c:509
ast_openstream_full: File 100 does not exist in any
format
Jan 29 14:35:30 WARNING[2591]: file.c:821
ast_streamfile: Unable to open 100 (format ulaw): No
such file or directory
Regards
Harry
Jan 29 14:34:43 WARNING[2568]: pbx.c:2403
__ast_pbx_run: Timeout, but no rule 't' in context
'...
2009 Nov 02
2
X.509 certificate based IMAP login
...(nv-b91).
The relevant configuration lines are:
passdb ldap { # LDAP database (doc/wiki/AuthDatabase.LDAP.txt.)
args = /pfx/etc/dovecot/dovecot-ldap.conf
}
The file dovecot-ldap.conf is correct and LDAP authentication is
working well.
We would like to make it possible for users with an X.509 client
certificate to log in without providing LDAP or any other
credentials. Is there something like:
passdb x509 {
args = /pfx/etc/dovecot/dovecot-caroots.pem
nopwd = yes
}
...available, or is there another solution?
Thanks,
Brian