Displaying 20 results from an estimated 22 matches for "certkeys".
2015 Apr 24
1
[Bug 2389] New: update the PROTOCOL.certkeys spec to avoid confusion regarding encoding of critical options fields
https://bugzilla.mindrot.org/show_bug.cgi?id=2389
Bug ID: 2389
Summary: update the PROTOCOL.certkeys spec to avoid confusion
regarding encoding of critical options fields
Product: Portable OpenSSH
Version: 6.8p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component:...
2019 May 21
2
OpenSSH Certificate Extensions
...e, allowing the authenticity of the
options to be verified readily. However, I have not been able to find too
much for specifying behaviors, etc. server-side in relation to custom
certificate extensions in the documentation.
Is there any extant documentation that goes into more depth than
PROTOCOL.certkeys that anyone would be able to point me towards before I
start digging into source? My digging for documentation has not been very
fruitful as of yet.
Thank you very much to anyone that is able to shine some light on this
topic or outright tell me that I am wrong for contemplating it and why.
--
N...
2015 Apr 23
3
double length prefix in ssh-keygen certificates (values of critical options)
...regarding the binary format of the certificates generated
with ssh-keygen, in particular when the critical options of source-address
or force-command are present and the correspondence to the certificate
format specifications such as
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
.
It appears that the string values of the source-address and force-command
are prepended with *two* length offsets - 4-byte offset with the integer
value of len(string)+4 followed by the 4-byte offset with the proper
length, and then the string. Is it a correct behavior? I could not fi...
2011 Oct 24
0
[patch/cygwin] don't require doc files
...ENCE $(DESTDIR)$(sshdocdir)/LICENCE
- $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
- $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
- $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
- $(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
- $(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
- $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
- $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
- $(INSTALL) -m 644 $(srcdir)/README....
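Review bot: the removed lines delete the installs of OVERVIEW, the PROTOCOL.* files and the README files outright, which goes further than not requiring them. If the aim is to tolerate missing doc files, guard each $(INSTALL) with a test that the source file exists, so the files are still installed when present, and state in the commit message which of the two behaviours is intended.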
2006 Nov 15
11
OpenSSH Certkey (PKI)
This patch against OpenBSD -current adds a simple form of PKI to
OpenSSH. We'll be using it at work. See README.certkey (the first chunk
of the patch) for details.
Everything below is BSD licensed, sponsored by Allamanda Networks AG.
Daniel
--- /dev/null Wed Nov 15 15:14:20 2006
+++ README.certkey Wed Nov 15 15:13:45 2006
@@ -0,0 +1,176 @@
+OpenSSH Certkey
+
+INTRODUCTION
+
+Certkey allows
2019 May 21
2
OpenSSH Certificate Extensions
...of the
> options to be verified readily. However, I have not been able to find
> too much for specifying behaviors, etc. server-side in relation to
> custom certificate extensions in the documentation.
>
> Is there any extant documentation that goes into more depth than
> PROTOCOL.certkeys that anyone would be able to point me towards before
> I start digging into source? My digging for documentation has not been
> very fruitful as of yet.
There's not really any more documentation beyond the PROTOCOL.certkeys
file. Extensions are simply name=value pairs and unrecognised ex...
2017 Dec 24
2
OpenSSH key signing service?
Besides ssh.com's PrivX product, has anyone created a web service that can be used to issue temporary certkeys to authenticated users?
Any pointers appreciated!
jd
2017 May 16
2
Golang CertChecker hostname validation differs to OpenSSH
...host. OpenSSH checks
whether the hostname is a principal, whereas the Go library is instead
checking whether "host:port" is a principal.
Uri (earlier in this thread) does answer this question clearly (that
the principal should be the hostname only), and, now that I've found
PROTOCOL.certkeys, this seems to be spelt out unambiguously there too:
"valid principals" is a string containing zero or more principals as
strings packed inside it. These principals list the names for which this
certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
usernames for SSH_CER...
2010 Mar 03
1
cert-authority and authorized_keys file
Hi,
I noticed that in regress/cert-userkey.sh the signing key is added to
the authorized_keys file with the tag "cert-authority" whereas in
sshd(8) the tag is documented as "from=cert-authority." Since the former
seems to work, I assume the latter is a typo.
While on the subject of typos (which I have been known to make more than
my fair share of) I noticed the phrase
2017 Dec 25
4
OpenSSH key signing service?
On Sun, Dec 24, 2017 at 9:54 PM, David Newall <openssh at davidnewall.com> wrote:
> On 25/12/17 00:11, John Devitofranceschi wrote:
>>
>> Besides ssh.com's PrivX product, has anyone created a web service that can
>> be used to issue temporary certkeys to authenticated users?
>>
>> Any pointers appreciated!
>
>
> I expect that what I'm about to say is exactly what you're not interested in
> hearing, but I think it's something that should be said nonetheless.
>
> The benefit of a central authority issuing...
2017 May 17
2
Golang CertChecker hostname validation differs to OpenSSH
> Uri (earlier in this thread) does answer this question clearly (that
> the principal should be the hostname only), and, now that I've found
> PROTOCOL.certkeys, this seems to be spelt out unambiguously there too:
In turn this means:
One cannot expect several SSH services on a single host to be securely distinguishable
from each other by their particular service key. So if one of the SSH services gets
compromised all SSH services on th...
2020 Jul 27
7
[Bug 3198] New: Custom critical options are not lexically ordered
...Version: -current
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: mariano.cano at gmail.com
According to PROTOCOL.certkeys critical options must be lexically
ordered by name:
```
Options must be lexically ordered by "name" if they appear in the
sequence. Each named option may only appear once in a certificate.
```
This works for the well-known options 'source-address' and
'force-command' but...
2011 May 08
5
Kareo please help
Hi,
I am a new Ubuntu user and I am trying to get rid of Windows from all my computers forever! The only hurdle is my medical billing software Kareo. When I tried to run the exe file it states that it is extracting an MSI file and then shut out.
I tried extracting the msi files running w/ the wine msi switch but it states that the msi file cannot run w/o the setup file. The program can be freely
2007 May 23
0
kannel on CentOS 5
Hi,
has anybody out there who has setup kannel on CentOS 5.
I just installed from src.rpm
pls see below for installed rpms.
[root at mailgw ~]# rpm -qa |grep kannel
kannel-1.4.1-2.rf
kannel-debuginfo-1.4.1-2.rf
kannel-devel-1.4.1-2.rf
I want to setup kannel for sending SMS via a web browser on this CentOS 5
box.
I googled a lot. But I could not find a lot of info.
I think I need an external
2010 Mar 09
2
[PATCH/cygwin]: Fix Makefiles
...@@ -42,11 +42,13 @@ install-sshdoc:
$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
+ $(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
+ $(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
$(INSTALL) -m 644 $(srcdir)/README.p...
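Review bot: both added lines install to $(DESTDIR)$(sshdocdir)/PROTOCOL.agent, so PROTOCOL.certkeys and then PROTOCOL.mux overwrite the PROTOCOL.agent copy installed on the line above, and neither file lands under its own name. The destinations should be $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys and $(DESTDIR)$(sshdocdir)/PROTOCOL.mux.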
2010 Apr 16
2
revised cert format and deprecation schedule
Hi,
I just committed this:
> - djm at cvs.openbsd.org 2010/04/16 01:47:26
> [PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
> [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
> [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
> [sshconnect.c sshconnect2.c sshd.c]
> revised certificate format ssh-{dss,rsa}-cert-v01 at openssh.com wit...
2018 Jan 12
2
SSH cert extensions and authz key options
HI!
I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and
description for CLI arg -O in ssh-keygen(1).
It seems to me that there could be a 1:1 mapping between SSH cert
extensions and authz key options by just adding prefix "permit-" to the
key option.
But the man pages differ regarding case of "permit-x11-forwarding" and
"X11-forwarding". [1] also
2018 Jan 24
3
SSH cert extensions and authz key options
...t-X11-forwarding','permit-pty'],
key=str.lower)
['permit-port-forwarding', 'permit-pty', 'permit-X11-forwarding']
Ciao, Michael.
[1] https://man.openbsd.org/ssh-keygen.1#permit-x11-forwarding
[2]
https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys
2017 May 15
5
Golang CertChecker hostname validation differs to OpenSSH
Hi all,
Last week I noticed that the CertChecker in the Go implementation of
x/crypto/ssh seems to be doing host principal validation incorrectly
and filed the following bug:
https://github.com/golang/go/issues/20273
By default they are looking for a principal named "host:port" inside
of the certificate presented by the server, instead of just looking
for the host as I believe OpenSSH
2010 Mar 08
0
Announce: OpenSSH 5.4 released
...uthorized_keys
or via a TrustedUserCAKeys option in sshd_config(5) (for user
authentication), or in known_hosts (for host authentication).
Documentation for certificate support may be found in ssh-keygen(1),
sshd(8) and ssh(1) and a description of the protocol extensions in
PROTOCOL.certkeys.
* Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
stdio on the client to a single port forward on the server. This
allows, for example, using ssh as a ProxyCommand to route connections
via intermediate servers. bz#1618
* Add the ability to revok...