Displaying 20 results from an estimated 32 matches for "barlev".

2007 Sep 29
64
[Bug 1371] New: Add PKCS#11 (Smartcards) support into OpenSSH
http://bugzilla.mindrot.org/show_bug.cgi?id=1371 Summary: Add PKCS#11 (Smartcards) support into OpenSSH Product: Portable OpenSSH Version: 4.7p1 Platform: All URL: http://alon.barlev.googlepages.com/openssh-pkcs11 OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: Smartcard AssignedTo: bitbucket at mindrot.org ReportedBy: alon.barlev at gmail.com Hello, PKCS#11 is a standard API interface...
2014 Sep 16
13
[Bug 2276] New: AuthorizedKeysCommand: add an option for alternate owner
...wner Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: alon.barlev at gmail.com Created attachment 2474 --> https://bugzilla.mindrot.org/attachment.cgi?id=2474&action=edit AuthorizedKeysCommand-add-an-option-for-alternate-ow.patch Currently the owner of AuthorizedKeysCommand must be root. A setup in which sshd is running as non root, can enjoy a comple...
2016 Jul 25
3
ssh-pkcs11.c
...ssing return and trying then other authentication method, like password. But currently that is not what happens, and users can find out too late that they have instead tried a wrong pin too many times and locked their token... Regards, Nuno On Fri, Jun 17, 2016 at 10:04 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote: > On 17 June 2016 at 22:45, Nuno Gonçalves <nunojpg at gmail.com> wrote: >> On Fri, Jun 17, 2016 at 7:57 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote: >>> On 17 June 2016 at 20:58, Nuno Gonçalves <nunojpg at gmail.com> wrote: >>...
2014 Sep 16
8
[Bug 2277] New: config: add option to customize moduli file location
...tion Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: alon.barlev at gmail.com Created attachment 2475 --> https://bugzilla.mindrot.org/attachment.cgi?id=2475&action=edit config-add-option-to-customize-moduli-file-location.patch Currently all files can be customized via sshd_config, however, the moduli file cannot. Running sshd in unprivileged context...
2016 Jun 17
3
ssh-pkcs11.c
On Fri, Jun 17, 2016 at 7:57 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote: > On 17 June 2016 at 20:58, Nuno Gonçalves <nunojpg at gmail.com> wrote: >> Hi, >> >> It seems there is a bug with the pkcs11 feature where a zero-length >> PIN is accepted. I believe this is a bug, since the user might want to >> press...
2015 May 21
2
[PATCH] build: ssh-agent: condition util.h include
Signed-off-by: Alon Bar-Lev <alon.barlev at gmail.com> --- ssh-agent.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ssh-agent.c b/ssh-agent.c index 9e2a37f..415a5ea 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -68,7 +68,9 @@ #include <time.h> #include <string.h> #include <unistd.h> +#ifdef HAVE_UTIL_H #...
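Review bot: the `#ifdef HAVE_UTIL_H` guard added in the include block of ssh-agent.c only has an effect if the build system defines HAVE_UTIL_H, and the diffstat shows ssh-agent.c as the only file changed, so please confirm that configure already checks for util.h. The commit message consists of the Signed-off-by line alone; a sentence naming the platform on which the unconditional include fails to build would help whoever revisits this later.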
2007 Sep 25
9
OpenSSH PKCS#11merge
...t to ask the caller to provide information, for example "Insert token <xxx>" or "Please enter passphrase for token <xxx>". Current implementation does not modify the agent protocol but execute dialog from within the agent. Best Regards, Alon Bar-Lev [1] http://alon.barlev.googlepages.com/openssh-pkcs11
2015 Nov 15
2
~/.ssh/config permissions
Hi, Working with apache-sshd I found that it forces ~/.ssh/config to be owned by user without group/others permissions. It failed for me within my valid openssh environment. Within sources (readconf.c::read_config_file), I found that openssh only enforces ownership by user and not group/others write. When I opened an issue, I was referred to this[1] wiki page (not sure who maintain it) claiming
2013 Mar 22
52
[Bug 2081] New: extend the parameters to the AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=2081 Bug ID: 2081 Summary: extend the parameters to the AuthorizedKeysCommand Classification: Unclassified Product: Portable OpenSSH Version: 6.2p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd
2016 Dec 13
4
pkcs #11/hardware support for server keys/sshd?
Hello, Is there any support (existing or planned) for host keys/certs being managed by some hardware device (tpm,hsm,etc..) instead of a flat file? thanks, -Kenny
2016 Dec 13
1
pkcs #11/hardware support for server keys/sshd?
On 13 December 2016 at 21:00, Kenny Simpson <theonetruekenny at gmail.com> wrote: > Hello, > Is there any support (existing or planned) for host keys/certs being > managed by some hardware device (tpm,hsm,etc..) instead of a flat > file? man ssh search for PKCS#11
2006 Sep 30
0
Announce: PKCS#11 support version 0.14 in OpenSSH 4.4p1
Hi All, The version of "PKCS#11 support in OpenSSH" is ready for download. On download page http://alon.barlev.googlepages.com/openssh-pkcs11 you can find a patch for OpenSSH 4.4p1. What's new: - Some pkcs11-helper updates. - Rebase against 4.4p1. I will be grateful to receive any comments regarding this feature. Best Regards, Alon Bar-Lev.
2007 Jan 05
0
Announce: PKCS#11 support version 0.18 in OpenSSH 4.5p1
Hi All, The version of "PKCS#11 support in OpenSSH" is ready for download. On download page http://alon.barlev.googlepages.com/openssh-pkcs11 you can find a patch for OpenSSH 4.5p1. Most of PKCS#11 code is now moved to a standalone library which I call pkcs11-helper, this library is used by all projects that I added PKCS#11 support into. The library can be downloaded from: http://www.opensc-project.org/...
2007 Sep 24
0
PKCS#11merge
...t to ask the caller to provide information, for example "Insert token <xxx>" or "Please enter passphrase for token <xxx>". Current implementation does not modify the agent protocol but execute dialog from within the agent. Best Regards, Alon Bar-Lev [1] http://alon.barlev.googlepages.com/openssh-pkcs11
2014 Jun 27
1
Using AuthorizedKeysCommand in unprivileged sshd mode
Hi, I have a setup in which I run sshd as unprivileged user at dedicated port to serve specific application. It is working perfectly! One tweak I had to do, since the AuthorizedKeysCommand feature requires file to be owned by root, I had to use root owned command at root owned directory, although it does not add a security value. At auth2-pubkey.c::user_key_command_allowed2(), we have the
2016 Jun 17
2
ssh-pkcs11.c
Hi, It seems there is a bug with the pkcs11 feature where a zero-length PIN is accepted. I believe this is a bug, since the user might want to press return when asked for the PIN to ignore that slot/key. This is caused at pkcs11_rsa_private_encrypt: snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", si->token.label); pin = read_passphrase(prompt, RP_ALLOW_EOF); if
2006 Feb 04
1
BIDI (Hebrew) Support
Hello, I've looked for a BIDI HOW-TO, but did not find any. I use wine-0.9.5, and run IE using ies4linux. It works great including Hebrew showing Hebrew text correctly. The problem is that I could not write any Hebrew character... Whenever I type a character I get "?". So I've looked at wine-bidi issues, and found that I need to compile wine with icu library. I did! using
2006 Feb 12
0
[ANNOUNCE] PKCS#11 support in OpenSSH 4.3p2 (version 0.07)
...mpt support. 3. Workaround for iKey PKCS#11 provider bug. 4. Some minor cleanups. 5. Allow clean merge of Roumen Petrov's X.509 patch (version 5.3) after this one. [[[ The patch-set is too large for posting in the list... If you are interested in review it, please send me an email (mailto:alon.barlev at gmail.com) ]]] I will appreciate any comments/suggestions. Enjoy, Alon Bar-Lev. --- Instructions: The PKCS#11 patch modify ssh-add and ssh-agent to support PKCS#11 private keys and certificates. It allows using multiple PKCS#11 providers at the same time, selecting keys by id, label or cer...
2006 Jul 22
6
two factor authentication
Are there any plans on the table to add native support for two-factor authentication, such as password *and* public key? Visa PCI standards require two-factor authentication for remote access and if password+key was available in openssh it would be much easier to maintain and support than a full-blown vpn with all the cross-platform compatibility issues that come with one. Thanks! Jacob
2012 Jul 28
1
[PATCH] ssh-keygen: support public key import/export using SubjectPublicKeyInfo
..." \ -keyout /dev/null | openssl x509 -pubkey -noout | \ ssh-keygen -i -m SUBJECTINFO -f /proc/self/fd/0 ## convert SSH public key to SubjectPublicKeyInfo public key $ ssh-keygen -e -m SUBJECTINFO -f ~/.ssh/id_rsa.pub | \ openssl rsa -pubin -text Signed-off-by: Alon Bar-Lev <alon.barlev at gmail.com> --- ssh-keygen.1 | 6 +++- ssh-keygen.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 69 insertions(+), 3 deletions(-) diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 41da207..88451ac 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -334,9 +...