search for: enablesshkeysign

It looks like host based authentication will not work if you attempt to set EnableSSHKeysign on a per host basis. Ie. This does not work. ------- Host ou8 HostName ou8.somedomain.com HostbasedAuthentication yes EnableSSHKeysign yes NoHostAuthenticationForLocalhost yes ------- Unless you also add ----- Host * EnableSSHKeysign yes ----- Is this the intended behavior? -- Tim Ri...

http://bugzilla.mindrot.org/show_bug.cgi?id=786 Summary: ssh is still looking at default config file when it is about EnableSSHKeysign Product: Portable OpenSSH Version: 3.7p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-bugs at mindrot.org ReportedBy: blueseawolf at yaho...

http://bugzilla.mindrot.org/show_bug.cgi?id=599 Summary: EnableSSHKeysign not documented Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: minor Priority: P2 Component: Documentation AssignedTo: openssh-bugs at mindrot.org Reporte...

I run OpenSSH on linux @ client which ssh /usr/local/bin/ssh ssh -v OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014 @ server which sshd /usr/local/bin/sshd sshd -v unknown option -- V OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014 usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file] [-E log_file] [-f config_file] [-g login_grace_time]

Hi, On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote: > My ssh_config has > Host * > HostbasedAuthentication yes > EnableSSHKeysign yes > NoHostAuthenticationForLocalhost yes > > NoHostAuthenticationForLocalhost is not necessary. > The one you are missing is EnableSSHKeysign. > > Additionally, you made no mention of your ssh_known_hosts files. Make > sure the client's public keys are in the server...

A few options appear to be missing from the list in ssh's manual. The one I didn't add is EnableSSHKeysign, whose description implies it is only effective when placed in the system-wide config file. Index: ssh.1 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh.1,v retrieving revision 1.319 diff -u -p -r1.319 ssh.1 --- ssh.1 7 May 2011 23:20:25 -0000...

The problem I am seeing was introduced between 6.4p1 and 6.5p1 (and still exists in 6.6p1). With HostbasedAuthentication/EnableSSHKeysign turned on, I am seeing one of two sets of messages: no matching hostkey found ssh_keysign: no reply key_sign failed and not a valid request ssh_keysign: no reply key_sign failed Then in either case two password prompts: bowman at HOST.math.utah.edu's password: Permission denied, please t...

...es user confirmation if a key gets used, see '-c' in ssh-add(1). * sshd(8) now handles PermitRootLogin correctly when UsePrivilegeSeparation is enabled. * sshd(8) now removes X11 cookies when a session gets closed. * ssh-keysign(8) is disabled by default and only enabled if the new EnableSSHKeysign option is set in the global ssh_config(5) file. * ssh(1) and sshd(8) now handle 'kex guesses' correctly (key exchange guesses). * ssh(1) no longer overwrites SIG_IGN. This matches behaviour from rsh(1) and is used by backup tools. * setting ProxyCommand to 'none' disables...

...es user confirmation if a key gets used, see '-c' in ssh-add(1). * sshd(8) now handles PermitRootLogin correctly when UsePrivilegeSeparation is enabled. * sshd(8) now removes X11 cookies when a session gets closed. * ssh-keysign(8) is disabled by default and only enabled if the new EnableSSHKeysign option is set in the global ssh_config(5) file. * ssh(1) and sshd(8) now handle 'kex guesses' correctly (key exchange guesses). * ssh(1) no longer overwrites SIG_IGN. This matches behaviour from rsh(1) and is used by backup tools. * setting ProxyCommand to 'none' disables...

...es user confirmation if a key gets used, see '-c' in ssh-add(1). * sshd(8) now handles PermitRootLogin correctly when UsePrivilegeSeparation is enabled. * sshd(8) now removes X11 cookies when a session gets closed. * ssh-keysign(8) is disabled by default and only enabled if the new EnableSSHKeysign option is set in the global ssh_config(5) file. * ssh(1) and sshd(8) now handle 'kex guesses' correctly (key exchange guesses). * ssh(1) no longer overwrites SIG_IGN. This matches behaviour from rsh(1) and is used by backup tools. * setting ProxyCommand to 'none' disables...

The latter versions of openssh (3.4,3.5 and 3.6.1) all seem to suffer from a broken ssh-keysign binary. This causes HostbasedAuthentication to fail. We have installed 3.6.1p1 on a Solaris 8 machine using openssl-0.9.6i. This fails thusly ssh server <......some \digits removed - a key perhaps?> ssh_keysign: no reply key_sign failed a at server's password For version 3.4p1 we patched

Hello, I've troubles getting the hostbased method to work. I've given up on system-to-system for now (different versions), and I'm just trying to debug localhost. As far as I can see, the key is accepted, but then a sudden "Failed hostbased" is returned: [...] debug3: mm_answer_keyallowed: key 0x8099bc0 is disallowed debug3: mm_append_debug: Appending debug messages for

https://bugzilla.mindrot.org/show_bug.cgi?id=2378 Bug ID: 2378 Summary: Allow login to a role using Hostbased auth on platforms supporting PAM_AUSER Product: Portable OpenSSH Version: 6.8p1 Hardware: Sparc OS: Solaris Status: NEW Severity: enhancement Priority: P5

...es user confirmation if a key gets used, see '-c' in ssh-add(1). * sshd(8) now handles PermitRootLogin correctly when UsePrivilegeSeparation is enabled. * sshd(8) now removes X11 cookies when a session gets closed. * ssh-keysign(8) is disabled by default and only enabled if the new EnableSSHKeysign option is set in the global ssh_config(5) file. * ssh(1) and sshd(8) now handle 'kex guesses' correctly (key exchange guesses). * ssh(1) no longer overwrites SIG_IGN. This matches behaviour from rsh(1) and is used by backup tools. * setting ProxyCommand to 'none' disables...

On 09/13/2018 07:54 PM, Darren Tucker wrote: > I'd guess that the reason it doesn't work is that the key is encrypted > and neither the agent nor a tty to ask for the decryption passphrase > is available. Try repeating your command line test after unsetting > SSH_AUTH_SOCK > Okay. That reproduced the issue. Is there a recommended way to provide the decryption

...onf.c.ORIG Tue Apr 15 23:06:30 2003 +++ openssh-3.6.1p1/readconf.c Tue Apr 15 23:09:43 2003 @@ -114,7 +114,7 @@ oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, + oEnableSSHKeysign, oConnectTimeout, oDeprecated } OpCodes; @@ -188,6 +188,7 @@ { "clearallforwardings", oClearAllForwardings }, { "enablesshkeysign", oEnableSSHKeysign }, { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, + { &quot...

On Fri, Jan 09, 2015 at 13:00:10 -0800, grantksupport at operamail.com wrote: > Hi > > On Fri, Jan 9, 2015, at 12:34 PM, Mark Hahn wrote: > > >> The one you are missing is EnableSSHKeysign. > > > > I suppose it's worth asking: is your ssh-keysign suid root > > (and are the permissions on your host keys sufficiently tight)? > > Note that everything works correctly with other auth methods: pubkey, password, ... > I suspect key perms issues would've...

Heya, Most of the windows ssh clients (putty, securecrt) have anti-idle features. They offer either a null packet or protocol no-op or user defined string to be sent over every x seconds. Is this possible or planned with the OpenSSH client? Our draconian firewall admins have started timing out ssh sessions. Yes I'm aware I could hack up a port forwarding dumb traffic process, but was

...y debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: ''/etc/ssh/ssh_config'' contents: Host * ForwardAgent yes ForwardX11 yes ForwardX11Trusted yes RhostsRSAAuthentication yes HostbasedAuthentication yes AddressFamily inet EnableSSHKeysign yes StrictHostKeyChecking ask Protocol 2 PreferredAuthentications hostbased,publickey,keyboard-interactive,password UsePrivilegedPort yes Previous version (openssh-5.9p1 with OpenSSL 1.0.1e and zlib-1.2.3) worked fine, with added ''Cipher blowfish'' in the ''/e...