search for: agent_fd

Displaying 13 results from an estimated 13 matches for "agent_fd".

2016 Dec 28
2
certificates keys on pkcs11 devices
...ed on a pkcs11 device. I can add my key with ssh-add -s /usr/local/lib/opensc-pkcs11.so but ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub does not add the certificate to my agent. As far as I understand, in ssh-add.c line 580 if (pkcs11provider != NULL) { if (update_card(agent_fd, !deleting, pkcs11provider) == -1) ret = 1; goto done; } does not check for additional (certificate) files on the command line and update_card neither does. Is there any intention to change this? Thanks a lot, Manon
2015 Jul 26
2
[PATCH] ssh-agent: Add support to load additional certificates
...meters of all identities currently represented by the agent. diff -u -r -p openssh-6.9p1/ssh-add.c openssh.cert_shadow/ssh-add.c --- openssh-6.9p1/ssh-add.c 2015-07-01 04:35:31.000000000 +0200 +++ openssh.cert_shadow/ssh-add.c 2015-07-26 15:58:06.513151180 +0200 @@ -180,6 +180,49 @@ delete_all(int agent_fd) } static int +add_certificate_only(int agent_fd, const char *filename) +{ + struct sshkey *cert = NULL; + char *comment = NULL; + int r, ret = -1; + + /* Load certificate */ + if ((r = sshkey_load_public(filename, &cert, &comment)) != 0) { + if (r != SSH_ERR_SYSTEM_ERROR || errno != E...
2017 Oct 26
3
[RFC 0/2] add engine based keys
Engine keys are private key files which are only understood by openssl external engines. The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private
2020 Jun 09
3
[PATCH v2 0/2] Add openssl engine keys with provider upgrade path
I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may
2020 Jan 30
6
[PATCH 1/2] Add support for openssl engine based keys
...#define SSH_AGENT_CONSTRAIN_LIFETIME 1 #define SSH_AGENT_CONSTRAIN_CONFIRM 2 #define SSH_AGENT_CONSTRAIN_MAXSIGN 3 diff --git a/ssh-add.c b/ssh-add.c index f3b666c93..e988023a7 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -111,6 +111,29 @@ clear_pass(void) } } +static int +add_engine_key(int agent_fd, const char *file, const char *engine) +{ + int ret; + char *pin = NULL; + + ret = ssh_add_engine_key(agent_fd, file, engine, NULL, lifetime, confirm, maxsign); + if (ret == SSH_ERR_KEY_WRONG_PASSPHRASE) { + pin = read_passphrase("Enter engine key passphrase:", RP_ALLOW_STDIN); + if (!p...
2020 Oct 06
2
Accessing SSH key path using SSH_ASKPASS and passwordstore
Hello, With the introduction of SSH_ASKPASS_REQUIRE in version 8.4, I've set up a script for SSH_ASKPASS to query my local passwordstore (https://www.passwordstore.org/) vault to retrieve the password for a given key. This works for ssh-add as well as ssh (configured with AddKeysToAgent set to 'yes'). My workflow effectively transforms into entering the password for the GPG key used
2020 Jul 21
11
[RFC PATCH 0/4] PAM module for ssh-agent user authentication
Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.
2018 Feb 23
2
Attempts to connect to Axway SFTP server result in publickey auth loopin
...hconnect2.c index 8138e46..3f475d9 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -246,6 +246,7 @@ typedef struct cauthmethod Authmethod; typedef struct identity Identity; typedef struct idlist Idlist; +#define IDENTITY_SUCCESSFUL 0x1000 struct identity { TAILQ_ENTRY(identity) next; int agent_fd; /* >=0 if agent supports key */ @@ -268,6 +269,7 @@ struct cauthctxt { int attempt; /* pubkey */ struct idlist keys; + struct identity *sent_signed_id; int agent_fd; /* hostbased */ Sensitive *sensitive; @@ -562,6 +564,11 @@ input_userauth_failure(int type, u_int32_t seq, struct ss...
2018 Feb 22
3
Attempts to connect to Axway SFTP server result in publickey auth loopin
We are attempting to use openssh sftp to connect to a server that is running some version of the Axway SFTP server. After a publickey auth completes, the server resends publickey as a valid auth. This results in a loop as openssh sftp resubmits the publickey information. This seems similar to a discussion in 2014 that terminated with the thought that it might be nice if the client tracked
2016 Apr 22
2
Client-side public key causing mess
..."public key", id->filename); > + sshkey_free(private); > + private = NULL; > + quit = 1; > + } > if (!quit && private != NULL && id->agent_fd == -1 && > !(id->key && id->isprivate)) > maybe_add_key_to_agent(id->filename, private, comment, > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org &g...
2016 Apr 19
4
Client-side public key causing mess
Hello, I have a client machine and a server machine. I generated a pair of private-public rsa keys using ssh-keygen. On the client-machine, I uploaded my private key onto ~/.ssh/id_rsa On the server machine, I appended the content of the public key to .ssh/authorized_keys I can successfully connect from the client to the server with that config. However, on the client-side, if I add a
2015 Jul 29
2
[PATCH] ssh: Add option to present certificates on command line
...sizeof(*id)); + id->key = key; + id->filename = xstrdup(options.certificate_files[i]); + id->userprovided = options.certificate_file_userprovided[i]; + TAILQ_INSERT_TAIL(preferred, id, next); + } /* list of keys supported by the agent */ if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) { if (r != SSH_ERR_AGENT_NOT_PRESENT) -- 1.9.1
2018 Dec 10
2
[PATCH] cleanup of global variables server/client_version_string in sshconnect.c
In sshconnect.c there are two global variables, server_version_string and client_version_string. These are used in just a few functions and can easily be passed as parameters. Also, there is a strange construct, where their memory is allocated to the global pointers, then copies of these pointers are assigned to the kex structure. The kex_free finally frees them via cleanup of the kex