Displaying 20 results from an estimated 34 matches for "ca_key".
2006 Nov 15
11
OpenSSH Certkey (PKI)
...char *buf, int len)
+{
+ int i = 0;
+
+ while (**c && **c != ';' && i + 1 < len)
+ buf[i++] = *(*c)++;
+ if (**c == ';')
+ (*c)++;
+ buf[i] = 0;
+}
+
+/* check whether certificate is valid and signature correct */
+int
+cert_verify(const u_char *cert, const Key *ca_key, const Key *key,
+ const u_char *identity)
+{
+ u_char ca_fp[128], ca_name[128], ca_id[128], ca_opts[512];
+ u_char ca_vf[16], ca_vt[16], ca_alg[64], ca_sig[1024];
+ u_char sigbuf[1024], datbuf[2048], c, *fp;
+ unsigned long vf, vt, now = time(NULL);
+ u_int siglen, i;
+
+ if (cert == NULL || ca...
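Review bot: the field-copy helper at the top of the hunk stops when `i + 1 < len` fails but does not consume the rest of an overlong field, so `**c` is then not `;`, the delimiter is not skipped, and the caller reads the tail of that field as the start of the next one. Since `cert_verify` parses into fixed-size buffers such as `ca_fp[128]` and `ca_sig[1024]`, a field longer than the buffer would silently shift every following field. Consider returning an error when the loop exits because `i + 1 == len` while `**c` is still non-zero and not `;`, or at least advancing `*c` to the delimiter before writing the terminator, so truncation cannot change how the remaining fields are parsed.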
2015 Feb 22
3
PKI host based principal
...ilable at this stage.
From what I do understand the known_hosts format enables CA key and
DNS mask of matched hosts.
There is no way to match against the certificate principal name.
I thought about something like:
@cert-authority *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy <CA_KEY>
If the above cannot be done, do you think it will be helpful?
BTW: It would also be handy to allow specifying the CA key within a separate
file, something like the following:
@cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub
Regards,
Alon Bar-Lev.
2010 Jun 07
3
X509 based certificate authentication in OpenSSH
Hello,
I would like to know whether OpenSSH supports x509 certificate based
authentication.
It looks like OpenSSH has a dependency on OpenSSL, so does this mean that
OpenSSH also supports x509 certificate based authentication?
If it does, can you please point me to the necessary
documentation?
Thanks
Naitik
2019 Feb 04
3
Signing KRLs?
Hi!
While reading through PROTOCOL.krl I came across "5. KRL signature sections".
If my understanding is correct - and that's basically what I would like to
get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
they only accept KRLs signed by a trusted CA.
However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
The aforementioned
2012 May 17
0
puppet cert first run doesn't encrypt ca private key but puppet ca does?
Can anyone validate this? I am attempting to run the puppet cert/ca
standalone commands.
I am running from an unchanged master branch and if I run (simplified
for the example):
puppet cert generate host
the resulting ca_key.pem is not encrypted.
If I run:
puppet ca generate host
the resulting ca_key.pem is encrypted.
In both cases the ca.pass file is created but the code path through
cert does not pass through generate_ca_certificate.
In both cases it is starting from a fresh set of puppet directories.
I don'...
2013 Aug 07
1
puppet-3.2.2 runs fine - but doesn't work. 2.7.22 works fine.
...ckup=>false, :mode=>"770", :loglevel=>:debug, :path=>"/var/lib/puppet/.puppet/ssl/ca/signed"}'
Aug 7 14:33:38 puppetmaster-02 puppet-master[27451]: Using settings: adding file resource 'cakey': 'File[/var/lib/puppet/.puppet/ssl/ca/ca_key.pem]{:links=>:follow, :ensure=>:file, :backup=>false, :mode=>"660", :loglevel=>:debug, :path=>"/var/lib/puppet/.puppet/ssl/ca/ca_key.pem"}'
Aug 7 14:33:38 puppetmaster-02 puppet-master[27451]: Using settings: adding file resource 'cakey'&...
2011 Jan 24
2
Puppet master cannot connect to self
...ould connect successfully *except* the puppet
server itself: the old error message was back.
After some digging, I found in $ssldir the following files that were
created around the time that the old puppet server was created:
certs/ca.pem
ca/private/ca.pass
ca/ca_crt.pem
ca/ca_pub.pem
ca/ca_key.pem
certs/ca.pem and ca/ca_crt.pem (which are identical files) both contain:
Issuer: CN=puppet.domain.com
Validity
Not Before: Mar 25 15:51:31 2008 GMT
Not After : Mar 24 15:51:31 2013 GMT
Subject: CN=puppet.domain.com
I imagine I could solve this problem by completely throwing...
2012 Feb 27
1
Using puppet cert generate on a client -- why doesn't this work?
...y isn't responding (I wrap the puppetd call in cron with a
short shell script)
I'm managing these ca files on the masters, pushing them with puppet itself...
$ grep file\ { certs.pp
file { "/var/lib/puppet/ssl/ca/ca_crt.pem":
file { "/var/lib/puppet/ssl/ca/ca_key.pem":
file { "/var/lib/puppet/ssl/ca/private/ca.pass":
file { "/var/lib/puppet/ssl/certs/ca.pem":
file { "/var/lib/puppet/ssl/ca/ca_crl.pem": (ensures absent, we
don't need them in our environment.)
Then, in order to generate the ssl certs f...
2011 Feb 21
7
header too long (OpenSSL::X509::CRLError) ?
...[/var/lib/puppet/ssl/ca/ca_crt.pem]: Autorequiring
File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_crl.pem]: Autorequiring
File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_pub.pem]: Autorequiring
File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_key.pem]: Autorequiring
File[/var/lib/puppet/ssl/ca]
debug: Finishing transaction -607501368
debug: Using cached certificate for ca
debug: Using cached certificate for ca
debug: Using cached certificate for puppetmaster.isp.belgacom.be
notice: Starting Puppet master version 2.6.4
/usr/lib/ruby/site_rub...
2010 Sep 25
1
ssh-keygen with libpkcs11.so can't work
...'m trying the new feature "ssh-keygen(1) now supports signing certificate
using a CA key that has been stored in a PKCS#11 token".
According to the manpage, I should use "-D" option. And I had a problem
with this option.
root at ubuntu-desktop[/home/adam/temp7]#ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id id_rsa.pub
dlopen libpkcs11.so failed: libpkcs11.so: cannot open shared object file: No such file or directory
cannot read public key from pkcs11
I searched on my ubuntu server but found no libpkcs11.so. Also, I searched
online, and didn't find too much help.
Do...
2010 Jun 15
8
puppetca unable to sign new certs - Invalid argument error
...ng
File[/etc/puppet/ssl/ca]
debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/ca/private/ca.pass]: Autorequiring
File[/etc/puppet/ssl/ca/private]
debug: /File[/etc/puppet/ssl/ca/serial]: Autorequiring File[/etc/puppet/ssl/ca]
debug: /File[/etc/puppet/ssl/ca/ca_key.pem]: Autorequiring
File[/etc/puppet/ssl/ca]
debug: /File[/etc/puppet/ssl/ca/ca_pub.pem]: Autorequiring
File[/etc/puppet/ssl/ca]
debug: Finishing transaction 2168470120 with 0 changes
bouti.carbonplanet.com
err: Could not call sign: Invalid argument
Any ideas anyone?
Thank you
Jesse
--
Jess...
2009 Jun 10
10
puppet client looking for server puppet
...signed
autosign = /etc//opt/csw/puppet/autosign.conf
cert_inventory = /etc//opt/csw/puppet/ssl/ca/inventory.txt
cacert = /etc//opt/csw/puppet/ssl/ca/ca_crt.pem
caprivatedir = /etc//opt/csw/puppet/ssl/ca/private
capass = /etc//opt/csw/puppet/ssl/ca/private/ca.pass
cakey = /etc//opt/csw/puppet/ssl/ca/ca_key.pem
csrdir = /etc//opt/csw/puppet/ssl/ca/requests
serial = /etc//opt/csw/puppet/ssl/ca/serial
cacrl = /etc//opt/csw/puppet/ssl/ca/ca_crl.pem
cadir = /etc//opt/csw/puppet/ssl/ca
capub = /etc//opt/csw/puppet/ssl/ca/ca_pub.pem
certdir = /etc//opt/csw/puppet/ssl/certs
privatedir = /etc//opt/csw/puppet/...
2010 Apr 16
2
revised cert format and deprecation schedule
...; Rename "constraints" field to "critical options"
>
> Add a new non-critical "extensions" field
>
> Add a serial number
>
> The older format is still supported for authentication and cert
> generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00
> certificate)
so it seems like an opportune time to mention the deprecation rules that
I plan to follow for the certificate support as it is developed.
There are basically three goals:
1) Develop OpenSSH certificates until they solve enough of the use-cases...
2010 Jan 27
4
err: Could not call list: header too long
Getting this error:
err: Could not call list: header too long
when running puppetca commands on master.
There is not a disk space issue.
On the puppet master server, /var filled up to 100% during the night.
Now it's fine, down to 25% used.
I rebooted server too
Any fixes?
2012 Aug 23
1
Puppet Agent VS User
.../var/lib/puppet/bucket
ca = true
ca_days = ""
ca_md = md5
ca_name = Puppet CA: vusion-production
ca_port = 8140
ca_server = puppet
ca_ttl = 5y
cacert = /var/lib/puppet/ssl/ca/ca_crt.pem
cacrl = /var/lib/puppet/ssl/ca/ca_crl.pem
cadir = /var/lib/puppet/ssl/ca
cakey = /var/lib/puppet/ssl/ca/ca_key.pem
capass = /var/lib/puppet/ssl/ca/private/ca.pass
caprivatedir = /var/lib/puppet/ssl/ca/private
capub = /var/lib/puppet/ssl/ca/ca_pub.pem
catalog_format = ""
catalog_terminus = compiler
cert_inventory = /var/lib/puppet/ssl/ca/inventory.txt
certdir = /var/lib/puppet/ssl/certs
certdnsname...
2009 Oct 21
2
Bug #2617(?) in Puppet 0.25.1rc2
...'t
differ from the generated defaults only in --genconfig = false, but
here they are:
[main]
genconfig = false
railslog = /var/puppet/log/rails.log
dblocation = /var/puppet/state/clientconfigs.sqlite3
cert_inventory = /etc/puppet/ssl/ca/inventory.txt
cakey = /etc/puppet/ssl/ca/ca_key.pem
caprivatedir = /etc/puppet/ssl/ca/private
capass = /etc/puppet/ssl/ca/private/ca.pass
cadir = /etc/puppet/ssl/ca
capub = /etc/puppet/ssl/ca/ca_pub.pem
csrdir = /etc/puppet/ssl/ca/requests
serial = /etc/puppet/ssl/ca/serial
cacert = /etc/puppet/ssl/ca/ca_crt.pem
c...
2009 Jul 16
2
In the catalog, /Settings[*] is what?
...rt.pem]/owner: Cannot manage ownership unless
running as root
warning: /Settings[/etc/puppet/puppet.conf]/Settings[ca]/File[/var/lib/
puppet/ssl/ca/ca_pub.pem]/owner: Cannot manage ownership unless
running as root
warning: /Settings[/etc/puppet/puppet.conf]/Settings[ca]/File[/var/lib/
puppet/ssl/ca/ca_key.pem]/owner: Cannot manage ownership unless
running as root
warning: /Settings[/etc/puppet/puppet.conf]/Settings[puppetmasterd]/
File[/var/lib/puppet/bucket]/owner: Cannot manage ownership unless
running as root
warning: /Settings[/etc/puppet/puppet.conf]/Settings[puppetmasterd]/
File[/var/log/puppe...
2011 Mar 07
2
Unable to run puppetmasterd 2.6.5 on Centos 5
...ile[/var/lib/puppet/ssl/ca/signed]: Autorequiring File[/var/
lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_crl.pem]: Autorequiring File[/
var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/requests]: Autorequiring File[/var/
lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_key.pem]: Autorequiring File[/
var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_pub.pem]: Autorequiring File[/
var/lib/puppet/ssl/ca]
debug: Finishing transaction -607319668
debug: Using cached certificate for ca
debug: Using cached certificate for ca
debug: Using cached certificate for te...
2007 Nov 26
2
Unable to launch puppetmasterd after installing mongrel
...: Autorequiring File[/var/lib/puppet/ssl]
debug: /puppetconfig/ssl/File[/var/lib/puppet/ssl/certs]:
Autorequiring File[/var/lib/puppet/ssl]
debug: /puppetconfig/ca/File[/var/lib/puppet/ssl/ca/serial]:
Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /puppetconfig/ca/File[/var/lib/puppet/ssl/ca/ca_key.pem]:
Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /puppetconfig/ca/File[/var/lib/puppet/ssl/ca/private/ca.pass]:
Autorequiring File[/var/lib/puppet/ssl/ca/private]
debug: /puppetconfig/main/File[/var/lib/puppet/lib]: Autorequiring
File[/var/lib/puppet]
debug: /puppetconfig/ssl/File[/var...
2010 Aug 09
8
Call for testing: OpenSSH-5.6
...rather than critical options to
permit non-OpenSSH implementations of this key format to degrade
gracefully when encountering keys with options they do not
recognize.
The older format is still supported for authentication and cert generation
(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate).
The older format, introduced in OpenSSH 5.4, will be supported for at
least one year from this release, after which it will be deprecated and
removed.
BugFixes:
* The PKCS#11 code now retries a lookup for a private key if there's
no match...