Displaying 13 results from an estimated 13 matches for "fingerprint_hash".

2020 Sep 29
4
[Bug 3214] New: Man page should specify which switches are incompatible with a 'command'
...ssh-agent Assignee: unassigned-bugs at mindrot.org Reporter: lwaynewalker at gmail.com The usage message and the man page both show that [-c | -s] [-Dd] are compatible with [command [arg ...]].
```
$ ssh-agent -D /bin/bash
usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]
                 [-P provider_whitelist] [-t life] [command [arg ...]]
       ssh-agent [-c | -s] -k
$
```
The SYNOPSIS and the usage message should both be changed to show that they are incompatible. This would have saved me hours: usage: ssh-agent [-a bind_address] [-E fingerprint_hash] [-P p...
2015 Jul 26
2
[PATCH] ssh-agent: Add support to load additional certificates
...and 2 are open or directed to /dev/null */ @@ -511,7 +558,7 @@ main(int argc, char **argv) exit(2); } - while ((ch = getopt(argc, argv, "klLcdDxXE:e:s:t:")) != -1) { + while ((ch = getopt(argc, argv, "kplLcdDxXE:e:s:t:")) != -1) { switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); @@ -519,8 +566,15 @@ main(int argc, char **argv) fatal("Invalid hash algorithm \"%s\"", optarg); break; case 'k': + if (cert_only) + fatal("-k and -p are incompatible"); key_only = 1; break; + case ...
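Review bot: The incompatibility test added under case 'k' reads cert_only at the moment -k is parsed, so it only fires when the option that sets cert_only (going by the message, -p) comes earlier on the command line; "-k -p" passes this test. The excerpt is cut off at the added case, so confirm that it carries the mirror test on key_only, or move the test to after the getopt loop so that option order does not matter. The 'p' added to the getopt string should also be reflected in the usage message and ssh-agent(1).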
2015 Jan 07
11
[Bug 2332] New: Show more secure fingerprints than MD5 (e.g. SHA256) in ssh and ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=2332 Bug ID: 2332 Summary: Show more secure fingerprints than MD5 (e.g. SHA256) in ssh and ssh-keygen Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: All Status: NEW Severity: enhancement Priority: P5
2014 Dec 17
0
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
..._format] [-f input_keyfile]\n" " ssh-keygen -y [-f input_keyfile]\n" " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" - " ssh-keygen -l [-f input_keyfile]\n" + " ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n" " ssh-keygen -B [-f input_keyfile]\n"); #ifdef ENABLE_PKCS11 fprintf(stderr, So far it seems to work for me. Thanks! -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the...
2020 Sep 01
0
[Bug 3208] New: ssh-keygen man page: sha1 fingerprint with "-E sha1" is supported
...p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: vincent-openssh at vinc17.net The ssh-keygen(1) man page says: -E fingerprint_hash Specifies the hash algorithm used when displaying key fingerprints. Valid options are: "md5" and "sha256". The default is "sha256". But sha1 is supported too. -- You are receiving this mail because: You are watching the assignee of the bug.
2013 Oct 10
3
FIPS 140-2 patch for openssh 6.3.p1
Hi, Is FIPS 140-2 patch for openssh 6.3.p1 available somewhere or do I have to make one using http://www.openssl.com/export/openssh/openssh-6.0p1.fips-revised.patch ? Regards, Manish
2016 May 03
3
StreamLocal forwarding
...g, o->allow_agent_forwarding); dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); + dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2018 Sep 06
4
Some wishes regarding revoked keys
Hello. I am trying to play through the following test scenario about certificate revocation on Ubuntu 18.04, which has OpenSSH of this version: OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n 7 Dec 2017 1. A CA key is created ssh-keygen -t ed25519 -f ca 2. The CA public key is added to ~/.ssh/authorized_keys on some server: cert-authority ssh-ed25519 AAAA...e ca at yoga 3. A user key is created on a
2017 Mar 01
7
[Bug 2686] New: SSHD segfaults when trying to load RSA1 host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2686 Bug ID: 2686 Summary: SSHD segfaults when trying to load RSA1 host keys Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Keywords: patch Severity: enhancement Priority: P5 Component: sshd
2016 May 03
2
StreamLocal forwarding
Hi, The code definitely attempts to unlink any old listener beforehand (see misc.c:unix_listener()) so I don't understand why that isn't being called. You might try simulating your configuration using sshd's -T and -C to make sure the flag is correctly being set. Could chroot be interfering? Some platforms implement additional restrictions on devices and sockets inside chroot. -d
2016 Dec 28
2
certificates keys on pkcs11 devices
Hi, I have not found any way to use a Certificate with ssh-agent when my Key is stored on a pkcs11 device. I can add my key with ssh-add -s /usr/local/lib/opensc-pkcs11.so but ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub does not add the certificate to my agent. As far as I understand, in ssh-add.c line 580 if (pkcs11provider != NULL) { if (update_card(agent_fd,
2015 Jul 29
2
[PATCH] ssh: Add option to present certificates on command line
...nnect2.c b/sshconnect2.c index 34dbf9a..fb24b5e 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1016,6 +1016,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) u_int skip = 0; int ret = -1; int have_sig = 1; + int i; char *fp; if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash, @@ -1053,6 +1054,33 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) } buffer_put_string(&b, blob, bloblen); + /* If the key is an input certificate, sign its private key instead. + * If no such private key exists, return failure and continue with + * other methods of authent...
2017 Oct 26
3
[RFC 0/2] add engine based keys
Engine keys are private key files which are only understood by openssl external engines. The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private