search for: certificatefil

Displaying 18 results from an estimated 18 matches for "certificatefil".

2018 Apr 10
4
Signed SSH key issue with OpenSSH6.4p1
...ues and without any prompting. I am confused here and I don't understand why I have to use only the id-rsa as opposed to any name that I am pointing using the file path. Failed scenarios: 1. I tried giving the options using -o i.e (ssh -o 'IdentityFile /root/.ssh/id_rsa' -o 'CertificateFile /root/.ssh/signed-cert.pub' root at test.domain.com). ? command-line: line 0: Bad configuration option: certificatefile 2. Tried by changing the ~/.ssh/config or /etc/ssh/ssh_config ? same problem, it says Bad configuration option: certificatefile 3. Tried rena...
2016 Sep 26
28
[Bug 2617] New: sign_and_send_pubkey: no separate private key for certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=2617 Bug ID: 2617 Summary: sign_and_send_pubkey: no separate private key for certificate Product: Portable OpenSSH Version: 7.3p1 Hardware: 68k OS: Mac OS X Status: NEW Severity: normal Priority: P5 Component: ssh
2023 Mar 06
1
Feature request: a good way to supply short-lived certificates to openssh
...tforward to implement this manually. As far as I can tell, ssh and ssh_config don't have a great way to handle this usage model. Various kludges and solutions that sort of work include: User runs a command to get the certificate, and the command puts the certificate somewhere that matches the CertificateFile. If the user forgets to run the command, they fail to authenticate and have to do it manually. ssh_config contains a Match ... exec [command to refresh the certificate]. This sort of works, except that it runs the command far too frequently. For example, ssh -O exit [name] refreshes the certif...
2016 Dec 28
2
certificates keys on pkcs11 devices
Hi, I have not found any way to use a Certificate with ssh-agent when my Key is stored on a pkcs11 device. I can add my key with ssh-add -s /usr/local/lib/opensc-pkcs11.so but ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub does not add the certificate to my agent. As far as I understand, in ssh-add.c line 580 if (pkcs11provider != NULL) { if (update_card(agent_fd,
2015 Jul 29
2
[PATCH] ssh: Add option to present certificates on command line
...users to specify certificates to be used for authentication on the command line with the '-z' argument when running ssh. For successful authentication, the key pair associated with the certificate must also be presented during the ssh. Certificates may also be specified in ssh_config as a CertificateFile. This option is meant to address the issue mentioned in the following exchange: http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-September/031629.html Patch developed against 6.9p. --- readconf.c | 48 +++++++++++++++++++ readconf.h | 6 +++ regress/Makefile |...
2023 Mar 07
1
Feature request: a good way to supply short-lived certificates to openssh
...understood most refresh arrangements to involve > OAuth2. The actual setup I'm using is: Host myhost Match host myhost exec "cloudflared access ssh-gen --hostname myhost.domain" ProxyCommand cloudflared access ssh --hostname myhost.domain IdentityFile ~/.cloudflared/blahblah CertificateFile ~/.cloudflared/blahblah.pub cloudflared is this thing (open source!): https://github.com/cloudflare/cloudflared There are two pieces of magic here. One is the "cloudflared access ssh-gen" command. It's annoyingly slow (which could be fixed, presumably), and it refreshes the cert...
2015 Jul 30
9
[Bug 2436] New: Add ssh option to present certificates on command line
...for users to handle presenting specific certificates during ssh. With this patch, users may specify one or more certificates to be used for authentication on the command line with the '-z' argument when running ssh. A user may also include a specific certificate in the ssh_config file as a CertificateFile. For successful authentication, the key pair associated with the certificate must also be presented during the ssh. This key pair may be loaded in a currently-running ssh agent, for example, or provided as an identity file on the command line. Since the specified certificates can be used in combi...
2023 Mar 07
2
Feature request: a good way to supply short-lived certificates to openssh
On 07/03/23, Darren Tucker (dtucker at dtucker.net) wrote: > On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote: > [...] > > ssh_config contains a Match ... exec [command to refresh the certificate]. > > This sort of works, except that it runs the command far too frequently. > > For example, ssh -O exit [name] refreshes the certificate, and it
2024 Jan 10
0
[Bug 3652] New: KnownHostsCommand should expand tokens and environment variables on first argument
...rguments to KnownHostsCommand accept the tokens described in the "TOKENS" section. > Arguments to some keywords can be expanded at runtime from environment variables on the client by enclosing them in ${}, for example ${HOME}/.ssh would refer to the user's .ssh directory. [...] The keywords CertificateFile, ControlPath, IdentityAgent, IdentityFile, KnownHostsCommand, and UserKnownHostsFile support environment variables. In the implementation[1] the first argument (script or binary to be invoked) is excluded from being parsed. While the documentation quoted above can be interpreted such that this is...
2019 Jul 31
5
[Bug 3048] New: ssh reads from the wrong directory in user namespace
...d25519 and ~/.ssh/id_rsa. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files). If no certificates have been explicitly specified by the CertificateFile directive, ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames. but it seems it does something else holst at hholst-lt:~$ unshare -r root at hholst-lt:~# echo "~ expands to" ~ "and \$HOME is" $...
2009 Feb 12
4
Rails & unixODBC
Hello, I decided to embrace getting a new Rails application to see an existing MSSQL database and trying to get unixODBC, freeTDS, and ActiveRecord able to query my MSSQL database. I'm following the procedure outlined at http://wiki.rubyonrails.org/rails/pages/HowtoConnectToMicrosoftSQLServerFromRailsOnLinux but my system (Ubuntu 8.10 - Intrepid Ibex, Rails 2.3, Ruby 1.8.7)
2016 Feb 29
0
Announce: OpenSSH 7.2 released
...permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. * ssh(1): add ssh_config CertificateFile option to explicitly list certificates. bz#2436 * ssh-keygen(1): allow ssh-keygen to change the key comment for all supported formats. * ssh-keygen(1): allow fingerprinting from standard input, e.g. "ssh-keygen -lf -" * ssh-keygen(1): allow fingerprinting multiple public...
2020 Sep 27
0
Announce: OpenSSH 8.4 released
...ignatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly...
2016 Nov 21
11
[Bug 2642] New: [sshconnect2] publickey authentication only properly works if used first: pubkey_prepare doesn't work after pubkey_cleanup
https://bugzilla.mindrot.org/show_bug.cgi?id=2642 Bug ID: 2642 Summary: [sshconnect2] publickey authentication only properly works if used first: pubkey_prepare doesn't work after pubkey_cleanup Product: Portable OpenSSH Version: 7.3p1 Hardware: amd64 OS: Linux Status:
2020 Sep 20
13
Call for testing: OpenSSH 8.4
...ignatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. * ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140 * ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly...
2016 Feb 29
5
Announce: OpenSSH 7.2 released
...permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. * ssh(1): add ssh_config CertificateFile option to explicitly list certificates. bz#2436 * ssh-keygen(1): allow ssh-keygen to change the key comment for all supported formats. * ssh-keygen(1): allow fingerprinting from standard input, e.g. "ssh-keygen -lf -" * ssh-keygen(1): allow fingerprinting multiple public...
2023 Sep 11
20
[Bug 3613] New: Unable to sign using certificates and PKCS#11
...vXxu7vRrjNk debug2: pkcs11_fetch_certs: key already included debug1: pkcs11_k11_free: parent 0x55878deea160 ptr 0x55878dee8cc0 idx 1 debug1: pkcs11_provider_unref: provider "/usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0" refcount 3 ``` ``` A workaround would be to somehow support the `-O CertificateFile` option in `ssh-keygen` like `ssh` does. A more robust way to solve this would of course be to support loading certificate files into the ssh-agent. -- You are receiving this mail because: You are watching the assignee of the bug.
2016 Feb 12
22
Call for testing: OpenSSH 7.2
...permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. * ssh(1): add ssh_config CertificateFile option to explicitly list certificates. bz#2436 * ssh-keygen(1): allow ssh-keygen to change the key comment for all supported formats. * ssh-keygen(1): allow fingerprinting from standard input, e.g. "ssh-keygen -lf -" * ssh-keygen(1): allow fingerprinting multiple public...