search for: deengert

Displaying 20 results from an estimated 70 matches for "deengert".

2004 Sep 13
4
Pending OpenSSH release, call for testing.
...which isn't a problem as gss_import will select the right one. Kerberos depends on a one-to-one mapping of hostname to ip-address. You should never have a hostname with two ip-addresses, Kerberos won't normally work. Regards Markus On Mon Sep 13 16:14 , 'Douglas E. Engert' <deengert at anl.gov> sent: > > >Darren Tucker wrote: > >> Markus Moeller wrote: >> >>> Could you add to this release a patch which allows gssapi to be used >>> on a multihomed server please ? There have been several proposals >>> in the past to fi...
2015 Oct 08
3
[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
...d probably do. But what OID to use? I'm happy to reserve 1.3.6.1.4.1.11591.9 to mean a namedCurve value for Ed25519 in PKCS#11. I'm not sure this approach works out -- but let's try. /Simon > Cheers, > > Thomas > > On Thu, Oct 8, 2015 at 2:00 PM, Douglas E Engert <deengert at gmail.com> wrote: > >> >> >> On 10/8/2015 4:49 AM, Simon Josefsson wrote: >> >>> Mathias Brossard <mathias at brossard.org> writes: >>> >>> Hi, >>>> >>>> I have made a patch for enabling the use of ECDSA keys...
2015 Oct 08
2
[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
...least it might be useful as a test case. > > /Simon > > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Douglas E. Engert <DEEngert at gmail.com>
2017 Jun 24
2
OpenSSL 1.1 support status : what next?
On 6/24/2017 11:35 AM, Emmanuel Deloget wrote: > Hello Douglas, > > On Fri, Jun 23, 2017 at 9:16 PM, Douglas E Engert <deengert at gmail.com <mailto:deengert at gmail.com>> wrote: > > OpenSC has taken a different approach to OpenSSL-1.1. Rather than writing > > a shim for OpenSSL-1.1, the OpenSC code has been converted to > > the OpenSSL-1.1 API and a "sc-ossl-compat.h" file consisting of d...
2017 Jan 17
2
Question on Kerberos (GSSAPI) auth
On Jan 17, 2017, at 9:57 AM, Douglas E Engert <deengert at gmail.com> wrote: > On 1/16/2017 2:09 PM, Ron Frederick wrote: >> I'm working on an implementation of "gssapi-with-mic" authentication for my AsyncSSH package and trying to get it to interoperate with OpenSSH. I've gotten it working, but there seems to be a discrepancy between the Op...
2007 Sep 25
9
OpenSSH PKCS#11merge
[[Sending again, as for some strange reason it is not accepted]] Hello OpenSSH developers, I maintain an external patch for PKCS#11 smartcard support into OpenSSH[1], many users already apply and use this patch. I wish to know if anyone is interested in working toward merging this into mainline. I had some discussion with Damien Miller, but then he disappeared. Having standard smartcard
2017 Jun 23
5
OpenSSL 1.1 support status : what next?
...> >> (*) that does not mean openssl is not great. >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Douglas E. Engert <DEEngert at gmail.com>
2004 Feb 13
2
OpenSSH-snap-20040212 and the use of krb5-config
...builds with the GSSAPI. There is also a separate issue with the MIT version of krb5-config with finding the location of gssapi.h. It's in their .../include/gssapi which is not returned by the krb5-config --cflags. I have reported that to MIT as a separate bug. -- Douglas E. Engert <DEEngert at anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444
2004 Jan 26
6
OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
...ate as it has no real dependency on the MIT code. I would hope that the members of the OpenSSH community who use OpenAFS, Heimdal and/or MIT could agree on a simple command line interface that would encourage the builders of OpenSSH to always have this enabled. -- Douglas E. Engert <DEEngert at anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444
2004 Aug 23
8
[Bug 918] ssh_gssapi_storecreds called to late to be usable by PAM in sesion.c
...in sesion.c Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy: deengert at anl.gov The gss-serv-krb5.c will call do_pam_putenv to set the KRB5CCNAME so it can be used by a PAM routine. But the call to ssh_gssapi_storecreds is called from do_exec which is way too late to be usable by do_pam_session or do_pam_setcred. Suggestion is to move the call. ------- You are...
2016 Mar 22
3
Automatically forwarding fresh Kerberos tickets?
In an environment where users use smart cards to authenticate on Windows and then use ssh to login to UNIX systems via GSSAPI, it is nigh impossible to renew/refresh the Kerberos credentials in the UNIX session. If the user fails to renew their credentials before they expire, the user is stuck and must log out and log back in to get valid tickets. Meanwhile it is entirely likely that on the
2005 May 11
6
Need help with GSSAPI authentication
Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. I've also got MIT Kerberos for Windows installed on the client, and Leash shows that my tickets ARE forwardable. Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and OpenSSH 4.0p1. I've created two AD accounts, and extracted keys mapped to "host/hostname.domainname.com at REALM.COM" and
2004 Mar 04
4
SSH + Kerberos Password auth
Hello, I have a question about SSH with Kerberos password authentication. Do I receive any host ticket to my client machine when I do ssh connection with Kerberos password authentication? If don't, why? If I login to remote machine through telnet with Kerberos Password authentication [through PAM-kerberos], then I can see the tickets with klist. But with the same setup for sshd, I cannot see
2017 Jan 16
2
Question on Kerberos (GSSAPI) auth
I'm working on an implementation of "gssapi-with-mic" authentication for my AsyncSSH package and trying to get it to interoperate with OpenSSH. I've gotten it working, but there seems to be a discrepancy between the OpenSSH implementation and RFC 4462. Specifically, RFC 4462 says the following in section 3.4: Since the user authentication process by its nature authenticates only the client,
2005 Feb 21
6
OpenSSH+GSSAPI & HP/UX 11i...
I am trying to transition several HP/UX 11i (PA/RISC) servers from ssh.com over to OpenSSH+GSSAPI (3.9p1) and it's complaining about the GSSAPI include files: -=- gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/krb5/include -DSSHDIR=\"/usr/local/etc\"
2003 May 02
6
openssh 3.6.1_p2 problem with pam (fwd)
----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> ----- Date: Fri, 2 May 2003 14:01:33 +0200 From: Andrea Barisani <lcars at infis.univ.trieste.it> To: openssh at openssh.com Subject: openssh 3.6.1_p2 problem with pam Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour: # ssh -l lcars mybox [2 seconds delay] lcars at mybox's
2010 May 24
3
5.2: Solaris 10 x86 x-11 forwarding fails, assign requested address
This is on Solaris 10 x86, do not see this behavior on Solaris 10 sparc. Seen on multiple machines. Sshd debug: debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug2: session_new: allocate (allocated 0 max 10) debug3: session_unused: session id 0 unused debug1: session_new: session 0 debug1:
2003 Dec 17
3
Fedora FC1 RPMs
I've spent the morning looking at making some RPMs for Fedora Core 1 and run into a problem with GSSAPI. Basically the default install of Fedora doesn't come with the necessary gssapi code to build the RPMs by default (i.e. you need to say %define kerberos5 0 in openssh.spec). Since Fedora is going to fork off from RedHat I was going to create a set of patches to make a
2004 May 28
1
gssapi-with-mic and Win2K KDC?
Upgrading to the 3.8.x versions of OpenSSH appears to have broken support for Win2K KDC's. Win2K supports gssapi just fine, but the new gssapi-with-mic does not appear to work. I was able to use the old 3.6.x versions with Kerberos authentication, and the newer 3.7.x versions with gssapi authentication, but 3.8.x does not seem to work at all. The mitm patch provided for 3.8p1 does work, but
2005 Feb 23
1
Krb5 options patch
Does anyone see a need for a patch that allows Kerberos password authentication with the correct local options? I'm simply trying to get a feel for if it's worth my time to investigate it further. The issue is that we also use a patch that does Kerberos ticket passing and our ticket lifetime is slightly higher than the default 10 hours. Users experience different behavior when they