Displaying 20 results from an estimated 22 matches for "certkey".

2015 Apr 24
1
[Bug 2389] New: update the PROTOCOL.certkeys spec to avoid confusion regarding encoding of critical options fields
https://bugzilla.mindrot.org/show_bug.cgi?id=2389 Bug ID: 2389 Summary: update the PROTOCOL.certkeys spec to avoid confusion regarding encoding of critical options fields Product: Portable OpenSSH Version: 6.8p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component...
2019 May 21
2
OpenSSH Certificate Extensions
...e, allowing the authenticity of the options to be verified readily. However, I have not been able to find too much for specifying behaviors, etc. server-side in relation to custom certificate extensions in the documentation. Is there any extant documentation that goes into more depth than PROTOCOL.certkeys that anyone would be able to point me towards before I start digging into source? My digging for documentation has not been very fruitful as of yet. Thank you very much to anyone that is able to shine some light on this topic or outright tell me that I am wrong for contemplating it and why. --...
2015 Apr 23
3
double length prefix in ssh-keygen certificates (values of critical options)
...regarding the binary format of the certificates generated with ssh-keygen, in particular when the critical options of source-address or force-command are present and the correspondence to the certificate format specifications such as http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD . It appears that the string values of the source-address and force-command are prepended with *two* length offsets - 4-byte offset with the integer value of len(string)+4 followed by the 4-byte offset with the proper length, and then the string. Is it a correct behavior? I could not f...
2011 Oct 24
0
[patch/cygwin] don't require doc files
...ENCE $(DESTDIR)$(sshdocdir)/LICENCE - $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW - $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL - $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent - $(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys - $(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux - $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README - $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns - $(INSTALL) -m 644 $(srcdir)/README...
2006 Nov 15
11
OpenSSH Certkey (PKI)
This patch against OpenBSD -current adds a simple form of PKI to OpenSSH. We'll be using it at work. See README.certkey (the first chunk of the patch) for details. Everything below is BSD licensed, sponsored by Allamanda Networks AG. Daniel --- /dev/null Wed Nov 15 15:14:20 2006 +++ README.certkey Wed Nov 15 15:13:45 2006 @@ -0,0 +1,176 @@ +OpenSSH Certkey + +INTRODUCTION + +Certkey allows OpenSSH to transmit ce...
2019 May 21
2
OpenSSH Certificate Extensions
...of the > options to be verified readily. However, I have not been able to find > too much for specifying behaviors, etc. server-side in relation to > custom certificate extensions in the documentation. > > Is there any extant documentation that goes into more depth than > PROTOCOL.certkeys that anyone would be able to point me towards before > I start digging into source? My digging for documentation has not been > very fruitful as of yet. There's not really any more documentation beyond the PROTOCOL.certkeys file. Extensions are simply name=value pairs and unrecognised e...
2017 Dec 24
2
OpenSSH key signing service?
Besides ssh.com's PrivX product, has anyone created a web service that can be used to issue temporary certkeys to authenticated users? Any pointers appreciated! jd
2017 May 16
2
Golang CertChecker hostname validation differs to OpenSSH
...host. OpenSSH checks whether the hostname is a principal, whereas the Go library is instead checking whether "host:port" is a principal. Uri (earlier in this thread) does answer this question clearly (that the principal should be the hostname only), and, now that I've found PROTOCOL.certkeys, this seems to be spelt out unambiguously there too: "valid principals" is a string containing zero or more principals as strings packed inside it. These principals list the names for which this certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and usernames for SSH_CE...
2010 Mar 03
1
cert-authority and authorized_keys file
...rity" whereas in sshd(8) the tag is documented as "from=cert-authority." Since the former seems to work, I assume the latter is a typo. While on the subject of typos (which I have been known to make more than my fair share of) I noticed the phrase 'similar same" in PROTOCOL.certkey (line 51) which should simply be "similar." -- Iain Morgan
2017 Dec 25
4
OpenSSH key signing service?
On Sun, Dec 24, 2017 at 9:54 PM, David Newall <openssh at davidnewall.com> wrote: > On 25/12/17 00:11, John Devitofranceschi wrote: >> >> Besides ssh.com's PrivX product, has anyone created a web service that can >> be used to issue temporary certkeys to authenticated users? >> >> Any pointers appreciated! > > > I expect that what I'm about to say is exactly what you're not interested in > hearing, but I think it's something that should be said nonetheless. > > The benefit of a central authority issuing...
2017 May 17
2
Golang CertChecker hostname validation differs to OpenSSH
> Uri (earlier in this thread) does answer this question clearly (that > the principal should be the hostname only), and, now that I've found > PROTOCOL.certkeys, this seems to be spelt out unambiguously there too: In turn this means: One cannot expect several SSH services on a single host to be securely distinguishable from each other by their particular service key. So if one of the SSH services gets compromised all SSH services on t...
2020 Jul 27
7
[Bug 3198] New: Custom critical options are not lexically ordered
...Version: -current Hardware: amd64 OS: Mac OS X Status: NEW Severity: normal Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: mariano.cano at gmail.com According to PROTOCOL.certkeys critical options must be lexically ordered by name: ``` Options must be lexically ordered by "name" if they appear in the sequence. Each named option may only appear once in a certificate. ``` This works for the well-known options 'source-address' and 'force-command' bu...
2011 May 08
5
Kareo please help
Hi, I am a new Ubuntu user and I am trying to get rid of Windows from all my computers forever! The only hurdle is my medical billing software Kareo. When I tried to run the exe file it states that it is extracting an MSI file and then shut out. I tried extracting the msi files running w/ the wine msi switch but it states that the msi file cannot run w/o the setup file. The program can be freely
2007 May 23
0
kannel on CentOS 5
...0 box-deny-ip = "*.*.*.*" box-allow-ip = "127.0.0.1" #unified-prefix = "+358,00358,0;+,00" #access-log = "/tmp/access.log" #store-file = "/tmp/kannel.store" #ssl-server-cert-file = "cert.pem" #ssl-server-key-file = "key.pem" #ssl-certkey-file = "mycertandprivkeyfile.pem" # SMSC CONNECTIONS group = smsc smsc = at modemtype = auto device=/dev/ttyS0 my-number = 123123123123 connect-allow-ip = 127.0.0.1 log-level = 0 # SMSBOX SETUP group = smsbox bearerbox-host = localhost sendsms-port = 13013 global-sender = 13013 #send...
2010 Mar 09
2
[PATCH/cygwin]: Fix Makefiles
...@@ -42,11 +42,13 @@ install-sshdoc: $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent + $(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.agent + $(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.agent $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns $(INSTALL) -m 644 $(srcdir)/README....
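Review bot: both added install lines in the install-sshdoc hunk use $(DESTDIR)$(sshdocdir)/PROTOCOL.agent as their destination, so PROTOCOL.certkeys and PROTOCOL.mux each overwrite the installed PROTOCOL.agent and neither is installed under its own name. The destinations should be $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys and $(DESTDIR)$(sshdocdir)/PROTOCOL.mux, matching the pattern of the surrounding lines where source and destination file names agree.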
2010 Apr 16
2
revised cert format and deprecation schedule
Hi, I just committed this: > - djm at cvs.openbsd.org 2010/04/16 01:47:26 > [PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c] > [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c] > [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c] > [sshconnect.c sshconnect2.c sshd.c] > revised certificate format ssh-{dss,rsa}-cert-v01 at openssh.com wi...
2018 Jan 12
2
SSH cert extensions and authz key options
HI! I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and description for CLI arg -O in ssh-keygen(1). It seems to me that there could be a 1:1 mapping between SSH cert extensions and authz key options by just adding prefix "permit-" to the key option. But the man pages differ regarding case of "permit-x11-forwarding" and "X11-forwarding". [1] also
2018 Jan 24
3
SSH cert extensions and authz key options
...t-X11-forwarding','permit-pty'], key=str.lower) ['permit-port-forwarding', 'permit-pty', 'permit-X11-forwarding'] Ciao, Michael. [1] https://man.openbsd.org/ssh-keygen.1#permit-x11-forwarding [2] https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys
2017 May 15
5
Golang CertChecker hostname validation differs to OpenSSH
Hi all, Last week I noticed that the CertChecker in the Go implementation of x/crypto/ssh seems to be doing host principal validation incorrectly and filed the following bug: https://github.com/golang/go/issues/20273 By default they are looking for a principal named "host:port" inside of the certificate presented by the server, instead of just looking for the host as I believe OpenSSH
2010 Mar 08
0
Announce: OpenSSH 5.4 released
...uthorized_keys or via a TrustedUserCAKeys option in sshd_config(5) (for user authentication), or in known_hosts (for host authentication). Documentation for certificate support may be found in ssh-keygen(1), sshd(8) and ssh(1) and a description of the protocol extensions in PROTOCOL.certkeys. * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz#1618 * Add the ability to revo...