search for: eijdenberg

On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote: > On Thu, 2 Feb 2017, Adam Eijdenberg wrote: > > I guess a case could be made for ssh-add to always set a timeout when > > adding a certificate with an expiry time, but I think for now I'm > > happy enough to do that on our end. > > That sounds like a fine idea. Damien, to clarify did you mean it would be a...

https://bugzilla.mindrot.org/show_bug.cgi?id=2617 Bug ID: 2617 Summary: sign_and_send_pubkey: no separate private key for certificate Product: Portable OpenSSH Version: 7.3p1 Hardware: 68k OS: Mac OS X Status: NEW Severity: normal Priority: P5 Component: ssh

On Wed, 3 Apr 2019, Adam Eijdenberg wrote: > On Wed, Apr 3, 2019 at 9:43 AM Damien Miller <djm at mindrot.org> wrote: > > Could you try turning off IPQoS setting (ssh -oIPQoS=none ...) and seeing > > whether that makes any difference? > > Yes - setting -oIPQoS=none on the client allows for a successful &g...

...ts a lifetime parameter, suggest changing behaviour of ssh-add such that we always use the expiry date in the certificate as an upper bound for the lifetime. Sample usage: $ ssh-add ~/.ssh/id_androgogic_shortlived_rsa Set lifetime to 74594 to match certificate expiry time. Identity added: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa (/Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa) Lifetime set to 74594 seconds Certificate added: /Users/aeijdenberg/.ssh/id_androgogic_shortlived_rsa-cert.pub (adam/androbot (for adam.eijdenberg at androgogic.com)) Lifetime set to 74594 seconds -- You are...

On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote: > Hi Devin, have you looked at using openssh certificates to help manage [...] > While the feature has been around for a while now (and is really > useful), there doesn't seem to be huge amount of documentation around > it. I found the following useful when getting a client o...

On Thu, 11 Oct 2018, Damien Miller wrote: > On Thu, 11 Oct 2018, Adam Eijdenberg wrote: > > > Thanks for looking into. I wasn't able to get the patch to apply > > cleanly to the portable source for whatever reason, so I manually made > > the changes and got a little further. I now get past the "no mutual > > signature algorithm" client...

On Thu, Oct 11, 2018 at 10:41 AM Damien Miller <djm at mindrot.org> wrote: > On Wed, 10 Oct 2018, Adam Eijdenberg wrote: > > We see this error on the client side: > > > > debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512> > > ... > > debug1: Offering public key: RSA-CERT SHA256:xxx /path/to/key > > debug1: send_pubkey_test: no mutual signature algo...

Hi all, Last week I noticed that the CertChecker in the Go implementation of x/crypto/ssh seems to be doing host principal validation incorrectly and filed the following bug: https://github.com/golang/go/issues/20273 By default they are looking for a principal named "host:port" inside of the certificate presented by the server, instead of just looking for the host as I believe OpenSSH

Damien Miller wrote: > On Thu, 2 Feb 2017, Adam Eijdenberg wrote: > >> On Thu, Feb 2, 2017 at 10:42 AM Damien Miller <djm at mindrot.org> wrote: >>> On Thu, 2 Feb 2017, Adam Eijdenberg wrote: >>>> I guess a case could be made for ssh-add to always set a timeout when >>>> adding a certificate with an expiry t...

On Wed, May 17, 2017 at 2:46 AM, Damien Miller <djm at mindrot.org> wrote: > On Mon, 15 May 2017, Adam Eijdenberg wrote: >> https://github.com/golang/go/issues/20273 >> >> By default they are looking for a principal named "host:port" inside >> of the certificate presented by the server, instead of just looking >> for the host as I believe OpenSSH does. > > Darren w...

On Thu, Feb 2, 2017 at 1:16 AM, Peter Moody <mindrot at hda3.com> wrote: > why not add the certificate to the running ssh-agent with a timeout > that expires when the cert does? That's an excellent idea. I've modified our tooling to do exactly that (https://github.com/continusec/geecert/commit/dfeee14b278e28d15bf532bb6e6e8ffe530e6b11). Thank you for the suggestion. > I

On Wed, 3 Apr 2019, Adam Eijdenberg wrote: > > From: Damien Miller <djm at mindrot.org> > > Thanks for testing - are you able to see if there's anything in > > the server logs? > > Hi Damien, > > I've been able to reproduce being unable to successfully connect to > EC2 instances launc...

On Mon, May 15, 2017 at 11:39 AM, Peter Moody <mindrot at hda3.com> wrote: > my reading of the sshd manpage is that ssh is more permissive than it should be > > SSH_KNOWN_HOSTS FILE FORMAT : > ... > > A hostname or address may optionally be enclosed within `[' and `]' > brackets then followed by `:' and a non-standard port number. Hi Peter, I'm not

On Thu, 11 Oct 2018, Adam Eijdenberg wrote: > On Thu, Oct 11, 2018 at 12:13 PM Damien Miller <djm at mindrot.org> wrote: > > Could you try this? > > > > diff --git a/sshconnect2.c b/sshconnect2.c > > index f104408..1d2906f 100644 > > --- a/sshconnect2.c > > +++ b/sshconnect2.c > > @@...

Hi, One of our users who is running an OS (I think it's the latest beta macOS 10.14.1) with ssh version "OpenSSH_7.8p1, LibreSSL 2.7.3" is unable to use our user SSH RSA certificates to authenticate to our servers (which are running "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017"). We see this error on the client side: debug1: kex_input_ext_info:

Hi OpenSSH developers; Thank you for your amazing work. I?m emailing to see if any knowledgeable OpenSSH developer is willing to help us review / revamp some patches we have for OpenSSH, and provide advice on some of the more advanced uses of OpenSSH. This would be a for pay contract engagement. We are trying to be super respectful of the process, and are happy to be very creative ? we are

As background, for one of my clients we built out a command line tool which does SSO with Google Apps, then generates a new SSH key pair, and sends this off to an internal service which verifies the request and then issues a new short lived (24 hour) certificate (if interested the code for the server and client is open-sourced here: https://github.com/continusec/geecert), overwriting the previous

Thanks for testing - are you able to see if there's anything in the server logs? I've just committed some extra verbosity in the client's log messages that might clarify where it is exiting (patch attached). -d On Fri, 29 Mar 2019, Adam Eijdenberg wrote: > On Wed, Mar 27, 2019 at 10:04 PM Damien Miller <djm at mindrot.org> wrote: > > > > OpenSSH 8.0p1 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. > > > > Snapshot releases for portable Open...

Hi, OpenSSH 8.0p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at