search for: authc

...also thinking about how to raise the security bar of SSH keys. Would it be feasible to implement a SSH key agent which automagically generates a new key pair (e.g. when triggered by ssh-add or cert is expired) and sends the public key to a SSH signing service (authenticating the user with stronger authc mechs like 2FA) which returns the short-term SSH public-key cert? This would also make it possible to automatically add the "from=" key options because the SSH client's IP address is known. Ciao, Michael. -------------- next part -------------- A non-text attachment was scrubbed......

...key_match: Host key found from database. debug: Ssh2Common/sshcommon.c:297/ssh_common_special: Received SSH_CROSS_STARTUP packet from connection protocol. debug: Ssh2Common/sshcommon.c:347/ssh_common_special: Received SSH_CROSS_ALGORITHMS packet from connection protocol. debug: Ssh2AuthPubKeyClient/authc-pubkey.c:777/ssh_client_auth_pubkey_agent_list_co mplete: adding keyfile "/export/hom Forced command: /usr/libexec/openssh/sftp-server debug: Ssh2AuthPubKeyClient/authc-pubkey.c:330/ssh_client_auth_pubkey_send_signatur e: Constructing and sending signatu debug: Ssh2AuthPubKeyClient/authc-pubke...

...p to the system. And AFAICS in case of TACACS+ there's also only a single "role" available (translate this to single group). So the usual answer is: Use LDAP. > We wanted to enable RADIUS/TACACS Authentication using PAM and enabling PAM > in sshd. You could implement password authc for sshd (to be on-topic here) via pam_radius and let LDAP serve the NSS part. Not sure whether it's worth the effort though. Ciao, Michael. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3829 bytes Desc: S...

On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote: > On Thu, 2 Feb 2017, Adam Eijdenberg wrote: > > I guess a case could be made for ssh-add to always set a timeout when > > adding a certificate with an expiry time, but I think for now I'm > > happy enough to do that on our end. > > That sounds like a fine idea. Damien, to clarify did

On Wed, 2018-01-03 at 13:50 +0530, Sudarshan Soma wrote: > HI, I do see some refernce on it: but seems not closed > https://marc.info/?l=secure-shell&m=115513863409952&w=2 > > http://bugzilla.mindrot.org/show_bug.cgi?id=1215 > > > Is this patch available in latest versions, 7.6? No. It never was. The SSSD is using NSS (Name Service Switch) [1] way of getting

...ebug and recompile. debug: connecting to bennevis... debug: entering event loop debug: ssh_client_wrap: creating transport protocol debug: ssh_client_wrap: creating userauth protocol debug: Remote version: SSH-1.99-OpenSSH_2.3.0p1 debug: Host key found from the database. debug: Ssh2AuthPubKeyClient/authc-pubkey.c:368/ssh_client_auth_pubkey_send_signature: ssh_client_auth_pubkey_send_signature debug: Ssh2/ssh2.c:304/client_authenticated: client_authenticated debug: Requesting X11 forwarding with authentication spoofing. Last login: Wed Dec 6 12:31:59 2000 from tomintoul.sychron.com Environment: U...