search for: engert

...per interface, which isn't a problem as gss_import will select the right one. Kerberos depends on a one-to-one mapping of hostname to ip-address. You should never have a hostname with two ip-addresses, Kerberos won't normaly work. Regards Markus On Mon Sep 13 16:14 , 'Douglas E. Engert' <deengert at anl.gov> sent: > > >Darren Tucker wrote: > >> Markus Moeller wrote: >> >>> Could you add to this release a patch which allows gssapi to be used >>> on a multihomed server please ? There have been several proposals >>>...

...dCurve would probably do. But what OID to use? I'm happy to reserve 1.3.6.1.4.1.11591.9 to mean a namedCurve value for Ed25519 in PKCS#11. I'm not sure this approach works out -- but let's try. /Simon > Cheers, > > Thomas > > On Thu, Oct 8, 2015 at 2:00 PM, Douglas E Engert <deengert at gmail.com> wrote: > >> >> >> On 10/8/2015 4:49 AM, Simon Josefsson wrote: >> >>> Mathias Brossard <mathias at brossard.org> writes: >>> >>> Hi, >>>> >>>> I have made a patch for enabling the use o...

...-agent). At least it might be useful as a test case. > > /Simon > > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Douglas E. Engert <DEEngert at gmail.com>

...and OpenSSH builds with the GSSAPI. There is also a seperate issue with the MIT version of krb5-config with finding the location of gssapi.h. Its in thier .../include/gssapi which is not returned by the krb5-config --cflags. I have reported that to MIT as a seperate bug. -- Douglas E. Engert <DEEngert at anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444

...uld be seperate as it has no real dependency on the MIT code. I would hope that the members of the OpenSSH community who use OpenAFS, Hiemdal and/or MIT could agree on a simple command line interface that would encourage the builders of OpenSSH to always have this enabled. -- Douglas E. Engert <DEEngert at anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444

Hi, we are using usernames on our systems that contain a point '.', like "r.john". We found it necessary to patch the source to make the "scp" command work with those usernames. Cheers Kai --- openssh-2.2.0p1/scp.c Wed Aug 30 01:11:30 2000 +++ withpoint/scp.c Mon Dec 11 02:06:35 2000 @@ -1042,7 +1042,7 @@ c = *cp; if (c & 0200) goto bad; - if

On 6/24/2017 11:35 AM, Emmanuel Deloget wrote: > Hello Douglas, > > On Fri, Jun 23, 2017 at 9:16 PM, Douglas E Engert <deengert at gmail.com <mailto:deengert at gmail.com>> wrote: > > OpenSC has taken a different approach to OpenSSL-1.1. Rather then writing > > a shim for OpenSSL-1.1, the OpenSC code has been converted to > > the OpenSSL-1.1 API and a sc-ossl-compat.h" file co...

I am trying to transition several HP/UX 11i (PA/RISC) servers from ssh.com over to OpenSSH+GSSAPI (3.9p1) and it's complaining about the GSSAPI include files: -=- gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/krb5/include -DSSHDIR=\"/usr/local/etc\"

...st to those who wish to use KerberosGetAFSToken (currently requires Heimdal libkafs) in combination with GSSAPIDelegateCredentials. The patch is in the public domain and comes with no warranty whatsoever. Applies to pristine 3.8p1. Works for me on Solaris and Tru64. I'd probably have used Doug Engert's patch from 2004-01-30 if Heimdal's afslog command supported -setpag; although to be honest I don't really like the idea of children being able to change their parent's PAG. * modified files ./auth-krb5.c ./auth.h ./session.c * file diffs --- orig/auth-krb5.c +++ mo...

[[Sending again, as for some strange reason it is not accepted]] Hello OpenSSH developers, I maintain external patch for PKCS#11 smartcard support into OpenSSH[1] , many users already apply and use this patch. I wish to know if anyone is interesting in working toward merging this into mainline. I had some discussion with Damien Miller, but then he disappeared. Having standard smartcard

On Jan 17, 2017, at 9:57 AM, Douglas E Engert <deengert at gmail.com> wrote: > On 1/16/2017 2:09 PM, Ron Frederick wrote: >> I?m working on an implementation of ?gssapi-with-mic? authentication for my AsyncSSH package and trying to get it to interoperate with OpenSSH. I?ve gotten it working, but there seems to be a discrepancy b...

----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> ----- Date: Fri, 2 May 2003 14:01:33 +0200 From: Andrea Barisani <lcars at infis.univ.trieste.it> To: openssh at openssh.com Subject: openssh 3.6.1_p2 problem with pam Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour: # ssh -l lcars mybox [2 seconds delay] lcars at mybox's

...loget >> >> (*) that does not mean openssl is not great. >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Douglas E. Engert <DEEngert at gmail.com>

Is there a way to run sshd on a windows 2000 server and have ssh clients authenticate to it using domain level authentication? Mike

I'm really scratching my head on this one. The server is running OpenSSH 5.1p1 on Solaris 9. The authentication is via PAM if that matters. # grep X11 sshd_config | sed '/^#/D' X11Forwarding yes X11DisplayOffset 10 X11UseLocalhost yes # Now I attach to my 'master' sshd and follow all children to look for any evidence of "DISPLAY": # truss -f -a -e -p 14923

I took Markus Friedl's advice and set up a KbdintDevice for Kerberos password authentication/expiry. It took me a bit to wrap my head around privsep, but I think it's working properly (code stolen shamelessly from FBSD's PAM implementation :->). The hardest part was working out how to get the interaction between krb5_get_init_creds_password() (along with the prompter) to work

Greetings, I'm working on the infrastructure of a medium size client/server environment using an Active Directory running on Windows Server 2003 for central authentication of users on linux clients. Additionally OpenAFS is running using Kerberos authentication through Active Directory as well. Now I want to grant users remote access to their AFS data by logging in into a central OpenSSH

In an environment where users use smart cards to authenticate on Windows and then use ssh to login to UNIX systems via GSSAPI, it is nigh impossible to renew/refresh the Kerberos credentials in the UNIX session. If the user fails to renew their credentials before they expire, the user is stuck and must log out and log back in to get valid tickets. Meanwhile it is entirely likely that on the

Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. I've also got MIT Kerberos for Windows installed on the client, and Leash shows that my tickets ARE forwardable. Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and OpenSSH 4.0p1. I've created two AD accounts, and extracted keys mapped to "host/hostname.domainname.com at REALM.COM" and

Hi All, Any thoughts on why, while everything seems ok at the OS level (getent , id -a ) Samba doesn't pickup any supplementary groups when Solaris is configured with 'group: files ldap' in nsswitch.conf and using it's own native nss_ldap.so.1 but does when using PADL's nss_ldap? Everything else is equal. Do they use/accept different calls or could it be an