Displaying 20 results from an estimated 24 matches for "certkeys".
2015 Apr 24
2
[Bug 2389] New: update the PROTOCOL.certkeys spec to avoid confusion regarding encoding of critical options fields
https://bugzilla.mindrot.org/show_bug.cgi?id=2389
Bug ID: 2389
Summary: update the PROTOCOL.certkeys spec to avoid confusion
regarding encoding of critical options fields
Product: Portable OpenSSH
Version: 6.8p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component:...
2019 May 21
2
OpenSSH Certificate Extensions
...e, allowing the authenticity of the
options to be verified readily. However, I have not been able to find too
much for specifying behaviors, etc. server-side in relation to custom
certificate extensions in the documentation.
Is there any extant documentation that goes into more depth than
PROTOCOL.certkeys that anyone would be able to point me towards before I
start digging into source? My digging for documentation has not been very
fruitful as of yet.
Thank you very much to anyone that is able to shine some light on this
topic or outright tell me that I am wrong for contemplating it and why.
--
N...
2015 Apr 23
3
double length prefix in ssh-keygen certificates (values of critical options)
...regarding the binary format of the certificates generated
with ssh-keygen, in particular when the critical options of source-address
or force-command are present and the correspondence to the certificate
format specifications such as
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
.
It appears that the string values of the source-address and force-command
are prepended with *two* length offsets - 4-byte offset with the integer
value of len(string)+4 followed by the 4-byte offset with the proper
length, and then the string. Is it a correct behavior? I could not fi...
2011 Oct 24
0
[patch/cygwin] don't require doc files
...ENCE $(DESTDIR)$(sshdocdir)/LICENCE
- $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
- $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
- $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
- $(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
- $(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
- $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
- $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
- $(INSTALL) -m 644 $(srcdir)/README....
2006 Nov 15
11
OpenSSH Certkey (PKI)
This patch against OpenBSD -current adds a simple form of PKI to
OpenSSH. We'll be using it at work. See README.certkey (the first chunk
of the patch) for details.
Everything below is BSD licensed, sponsored by Allamanda Networks AG.
Daniel
--- /dev/null Wed Nov 15 15:14:20 2006
+++ README.certkey Wed Nov 15 15:13:45 2006
@@ -0,0 +1,176 @@
+OpenSSH Certkey
+
+INTRODUCTION
+
+Certkey allows
2019 May 21
2
OpenSSH Certificate Extensions
...of the
> options to be verified readily. However, I have not been able to find
> too much for specifying behaviors, etc. server-side in relation to
> custom certificate extensions in the documentation.
>
> Is there any extant documentation that goes into more depth than
> PROTOCOL.certkeys that anyone would be able to point me towards before
> I start digging into source? My digging for documentation has not been
> very fruitful as of yet.
There's not really any more documentation beyond the PROTOCOL.certkeys
file. Extensions are simply name=value pairs and unrecognised ex...
2017 Dec 24
2
OpenSSH key signing service?
Besides ssh.com's PrivX product, has anyone created a web service that can be used to issue temporary certkeys to authenticated users?
Any pointers appreciated!
jd
2017 May 16
2
Golang CertChecker hostname validation differs to OpenSSH
...host. OpenSSH checks
whether the hostname is a principal, whereas the Go library is instead
checking whether "host:port" is a principal.
Uri (earlier in this thread) does answer this question clearly (that
the principal should be the hostname only), and, now that I've found
PROTOCOL.certkeys, this seems to be spelt out unambiguously there too:
"valid principals" is a string containing zero or more principals as
strings packed inside it. These principals list the names for which this
certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
usernames for SSH_CER...
2010 Mar 03
1
cert-authority and authorized_keys file
Hi,
I noticed that in regress/cert-userkey.sh the signing key is added to
the authorized_keys file with the tag "cert-authority" whereas in
sshd(8) the tag is documented as "from=cert-authority." Since the former
seems to work, I assume the latter is a typo.
While on the subject of typos (which I have been known to make more than
my fair share of) I noticed the phrase
2017 Dec 25
4
OpenSSH key signing service?
On Sun, Dec 24, 2017 at 9:54 PM, David Newall <openssh at davidnewall.com> wrote:
> On 25/12/17 00:11, John Devitofranceschi wrote:
>>
>> Besides ssh.com's PrivX product, has anyone created a web service that can
>> be used to issue temporary certkeys to authenticated users?
>>
>> Any pointers appreciated!
>
>
> I expect that what I'm about to say is exactly what you're not interested in
> hearing, but I think it's something that should be said nonetheless.
>
> The benefit of a central authority issuing...
2017 May 17
2
Golang CertChecker hostname validation differs to OpenSSH
> Uri (earlier in this thread) does answer this question clearly (that
> the principal should be the hostname only), and, now that I've found
> PROTOCOL.certkeys, this seems to be spelt out unambiguously there too:
In turn this means:
One cannot expect several SSH services on a single host to be securely distinguishable
from each other by their particular service key. So if one of the SSH services gets
compromised all SSH services on th...
2020 Jul 27
7
[Bug 3198] New: Custom critical options are not lexically ordered
...Version: -current
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: mariano.cano at gmail.com
According to PROTOCOL.certkeys critical options must be lexically
ordered by name:
```
Options must be lexically ordered by "name" if they appear in the
sequence. Each named option may only appear once in a certificate.
```
This works for the well-known options 'source-address' and
'force-command' but...
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
...eed to export part of the private key onto the client node: `ssh-keygen -K` covers this.
Then a typical workflow for me involves signing some other key which will be used for certificate authentication:
```
ssh-keygen -s ~/.ssh/sk/work_ed25519_sk -I tim@<localhost> -n work -V -5m:+8h ~/.ssh/certkeys/work_ed25519
```
That creates a cert which will be valid for eight hours. The remote servers are configured to accept certs signed by my yubikey together with the principal name of "work".
The benefit of this approach is the certificate is time-limited and backed by 2FA, but you can go...
2011 May 08
5
Kareo please help
Hi,
I am a new Ubuntu user and I am trying to get rid of Windows from all my computers forever! The only hurdle is my medical billing software Kareo. When I tried to run the exe file it states that it is extracting an MSI file and then shut out.
I tried extracting the msi files running w/ the wine msi switch but it states that the msi file cannot run w/o the setup file. The program can be freely
2007 May 23
0
kannel on CentOS 5
Hi,
has anybody out there who has setup kannel on CentOS 5.
I just installed from src.rpm
pls see below for installed rpms.
[root at mailgw ~]# rpm -qa |grep kannel
kannel-1.4.1-2.rf
kannel-debuginfo-1.4.1-2.rf
kannel-devel-1.4.1-2.rf
I want to setup kannel for sending SMS via a web browser on this CentOS 5
box.
I googled a lot. But I could not find a lot of info.
I think I need an external
2010 Mar 09
2
[PATCH/cygwin]: Fix Makefiles
...@@ -42,11 +42,13 @@ install-sshdoc:
$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
+ $(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
+ $(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
$(INSTALL) -m 644 $(srcdir)/README.p...
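Review bot: the destination on both added lines is wrong. PROTOCOL.certkeys and PROTOCOL.mux are each installed to $(DESTDIR)$(sshdocdir)/PROTOCOL.agent, so they overwrite the agent spec installed by the line above and never land under their own names. The targets should be $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys and $(DESTDIR)$(sshdocdir)/PROTOCOL.mux, matching the source-name-equals-destination-name pattern of the surrounding lines.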
2024 Oct 21
2
Security of ssh across a LAN, public key versus password
Stuart Henderson wrote:
>> This is why I push for challenge/response tokens, not simply
>> cert authentication, and really wish that FIDO (such as yubikey)
>> was an option, but the discussions I've seen about supporting
>> that have not been encouraging.
>
> hmm? That works pretty well in OpenSSH.
hmm, what I'm finding doesn't seem to use the FIDO
2010 Apr 16
2
revised cert format and deprecation schedule
Hi,
I just committed this:
> - djm at cvs.openbsd.org 2010/04/16 01:47:26
> [PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
> [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
> [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
> [sshconnect.c sshconnect2.c sshd.c]
> revised certificate format ssh-{dss,rsa}-cert-v01 at openssh.com wit...
2018 Jan 12
2
SSH cert extensions and authz key options
HI!
I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and
description for CLI arg -O in ssh-keygen(1).
It seems to me that there could be a 1:1 mapping between SSH cert
extensions and authz key options by just adding prefix "permit-" to the
key option.
But the man pages differ regarding case of "permit-x11-forwarding" and
"X11-forwarding". [1] also
2018 Jan 24
3
SSH cert extensions and authz key options
...t-X11-forwarding','permit-pty'],
key=str.lower)
['permit-port-forwarding', 'permit-pty', 'permit-X11-forwarding']
Ciao, Michael.
[1] https://man.openbsd.org/ssh-keygen.1#permit-x11-forwarding
[2]
https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys