Displaying 20 results from an estimated 35 matches for "host_key".
2006 Feb 04
2
[PATCH] allow user to update changed key in known_hosts
...+ { "offendingkeyoverride", oOffendingKeyOverride },
{ "compression", oCompression },
{ "compressionlevel", oCompressionLevel },
{ "tcpkeepalive", oTCPKeepAlive },
@@ -434,6 +435,7 @@
case oStrictHostKeyChecking:
intptr = &options->strict_host_key_checking;
+
parse_yesnoask:
arg = strdelim(&s);
if (!arg || *arg == '\0')
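Review bot: the only change in this hunk is a blank line added between the intptr assignment and the parse_yesnoask label under case oStrictHostKeyChecking. It is unrelated to the new option and should be dropped so the patch touches only what it needs.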
@@ -452,6 +454,10 @@
*intptr = value;
break;
+ case oOffendingKeyOverride:
+ intptr = &options->offending_key_override;
+ goto parse_flag;
+
case oCompression:
intptr = &opti...
2012 Nov 21
1
HostKey in hardware?
Hi,
Is there any way to store HostKey in hardware (and delegate the related
processing)?
I have been using Roumen Petrov's x509 patch for clients, which works via an
OpenSSL engine, but it does not seem to support server HostKey:
http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html
For PKCS#11, I have found an email on this list from a year back suggesting
this
2002 Sep 20
2
host_key and fingerprint problem with protocol 2
...h -p 22136 root@firewall
as well as
ssh -p 22137 root@firewall
and the first one connects me to the server "a" where the second one connects me to server "b". The two servers have identical host-keys for rsa1, rsa and dsa cases. With protocol 1.5 the client learned the host_key and everything worked fine that means I can connect with "a" and "b" and the client doesn't tell me something from "man in the middle..."
With the lines
ssh -2 -p 22136 root@firewall
as well as
ssh -2 -p 22137 root@firewall
the client doesn't recogni...
2014 Mar 26
1
SSHFP issue
Have you seen this?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
--mancha
2012 Jan 28
1
PATCH: Support for encrypted host keys
...the rexec child, but I decided I thought it was slightly nicer to decrypt the key once and pass it along rather than redoing it every time. I can send the previous version if that would be preferred though -- this key-passing version does have some resulting ugliness in its handling of options.num_host_key_files, as described in a comment in the patch.
Thanks,
Zev Weiss
--
Makefile.in | 2 +-
buffer.h | 5 ++
bufkey.c | 132 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
sshd.c | 141 ++++++++++++++++++++++++++++++++++++++++++++++++-----------
4 files changed, 253 inse...
2024 Oct 14
2
[RFC] Preferentially TOFU certificate authorities rather than host keys
...p; (r = sshca_write(key, f)) == 0))
+ success = 1;
+ else if ((r = sshkey_write(key, f) == 0))
success = 1;
else
error_fr(r, "sshkey_write");
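Review bot: in the added line else if ((r = sshkey_write(key, f) == 0)) the closing parenthesis is misplaced, so r receives the result of the comparison (1 or 0) instead of the return code, and the error_fr(r, "sshkey_write") below then reports 0 rather than the real error. Write it as else if ((r = sshkey_write(key, f)) == 0), matching the sshca_write test on the line above.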
diff --git a/sshconnect.c b/sshconnect.c
index 7cf6b6386..72bdc7d1f 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -964,7 +964,7 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
HostStatus host_status = -1, ip_status = -1;
struct sshkey *raw_key = NULL;
char *ip = NULL, *host = NULL;
- char hostline[1000], *hostp, *fp, *ra;
+ char hostline[1000], *hostp, *fp, *cafp, *ra;
char msg[1024];
const char *type, *fail_re...
2010 Nov 28
2
[PATCH] Use canonical hostname for DNS SSHFP lookup
...latest
snapshot of the portable OpenSSH version. Sorry if this causes any
inconvenience.
Regards,
Jan
diff -ur openssh/dns.c openssh-sshfp/dns.c
--- openssh/dns.c 2010-08-31 14:41:14.000000000 +0200
+++ openssh-sshfp/dns.c 2010-11-27 23:36:30.775455403 +0100
@@ -173,7 +173,7 @@
*/
int
verify_host_key_dns(const char *hostname, struct sockaddr *address,
- Key *hostkey, int *flags)
+ Key *hostkey, int *flags, const char *canohost)
{
u_int counter;
int result;
@@ -200,7 +200,7 @@
return -1;
}
- result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
+ result = getrrsetbyname(canohost...
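Review bot: the SSHFP query is now keyed on canohost instead of the hostname the user typed, and neither hunk shows a NULL check or a statement of where canohost comes from. If it is produced by an ordinary, unvalidated resolver lookup, whoever can influence that answer chooses which name's SSHFP records are consulted. Document the parameter in the comment above verify_host_key_dns, fall back to hostname when canohost is NULL, and say how the canonical name is authenticated.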
2013 Jun 25
1
RFC: encrypted hostkeys patch
...t_hostkey_public_by_type(int);
Key *get_hostkey_private_by_type(int);
int get_hostkey_index(Key *);
diff --git a/kex.h b/kex.h
index 680264a..b77a2c2 100644
--- a/kex.h
+++ b/kex.h
@@ -139,6 +139,7 @@ struct Kex {
Key *(*load_host_public_key)(int);
Key *(*load_host_private_key)(int);
int (*host_key_index)(Key *);
+ void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int);
void (*kex[KEX_MAX])(Kex *);
};
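Review bot: the new sign member returns void and takes two unnamed Key * arguments, so a caller cannot learn that signing failed and cannot tell which argument is the private key and which the public one. Return an int status, as host_key_index just above it does, and add a comment naming the arguments.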
diff --git a/kexdhs.c b/kexdhs.c
index 1512863..f6d43f2 100644
--- a/kexdhs.c
+++ b/kexdhs.c
@@ -80,9 +80,6 @@ kexdh_server(Kex *kex)
if (server_host_public == NULL)
fatal(...
2000 Dec 22
1
bug in sshd.d (destroy_sensitive_data core dumps)
...ified in the sshd_config
that does not exist (I used "./sshd -d -d -d -f sshd_config" with the
shipped sshd_config file, to work around incompatibilities with the
installed sshd.com's sshd_config, and I do not have ssh2 host keys on
this machine), sshd will leave
sensitive_data.host_keys[<i>]
uninitialized - the memory area is malloc()ed, so never initialized, and
later on destroy_sensitive_data reads a pointer from it and tries to
overwrite *that* memory location.
A quick fix is appended below: if a host key file can't be read,
host_keys[i] is set to NULL. This does...
2004 Oct 03
0
[patch] tell user about hosts with same key
...'t have time to clean it up this month.
-- kolya
-------------- next part --------------
--- sshconnect.c 2004/10/02 21:27:29 1.1
+++ sshconnect.c 2004/10/02 22:01:52
@@ -716,7 +716,7 @@
"have requested strict checking.", type, host);
goto fail;
} else if (options.strict_host_key_checking == 2) {
- char msg1[1024], msg2[1024];
+ char msg1[1024], msg2[1024], msg_same_key[1024];
if (show_other_keys(host, host_key))
snprintf(msg1, sizeof(msg1),
@@ -724,6 +724,29 @@
" known for this host.");
else
snprintf(msg1, sizeof(msg1), ".&quo...
2000 May 15
1
[PATCH] using openssl with no-rsa?
...22:03:20 2000
+++ sshd.c Mon May 15 12:04:34 2000
@@ -404,9 +404,12 @@
destroy_sensitive_data(void)
{
/* Destroy the private and public keys. They will no longer be needed.
*/
- RSA_free(public_key);
- RSA_free(sensitive_data.private_key);
- RSA_free(sensitive_data.host_key);
+ if (public_key != NULL)
+ RSA_free(public_key);
+ if (sensitive_data.private_key != NULL)
+ RSA_free(sensitive_data.private_key);
+ if (sensitive_data.host_key != NULL)
+ RSA_free(sensitive_data.host_key);
if (sensitive_data.ds...
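Review bot: the three guarded RSA_free calls leave public_key, sensitive_data.private_key and sensitive_data.host_key pointing at freed memory. Set each pointer to NULL after freeing it so that a second call to destroy_sensitive_data, or a later NULL test like the ones added here, cannot act on a stale pointer.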
2003 Mar 04
0
hashing known_hosts
...flag:
intptr = &options->check_host_ip;
goto parse_flag;
+#ifdef HASH_KNOWN_HOSTS
+ case oHashKnownHosts:
+ intptr = &options->hash_known_hosts;
+ goto parse_flag;
+#endif
+
case oStrictHostKeyChecking:
intptr = &options->strict_host_key_checking;
arg = strdelim(&s);
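Review bot: wrapping case oHashKnownHosts in #ifdef HASH_KNOWN_HOSTS makes the set of accepted configuration keywords depend on build flags. If the keyword table is guarded the same way, an ssh_config that sets the option is rejected as a bad option by a build without the define. Prefer compiling the option in unconditionally and controlling the behaviour only through its value.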
@@ -793,6 +805,9 @@ initialize_options(Options * options)
options->bind_address = NULL;
options->smartcard_device = NULL;
options->no_host_authentication_for_localhost = - 1;
+#ifdef HASH_KNOWN_HOSTS
+ options->hash_known_hosts = -1;
+#e...
2024 Oct 25
1
[PATCH] Memory leak fixed - when launched as non-root user
When we launch sshd as non-root user, it's still able to load public keys but fails to load private keys. So before exiting free the memory allocated for the public key
---
sshd.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sshd.c b/sshd.c
index dda8d9b77..cbdced5db 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1533,6 +1533,8 @@ main(int ac, char **av)
} else {
do_log2(ll, "Unable to load host key: %s",
options.host_key_files[i]);
+ sshkey_free(pubkey);
+ pubkey = NULL;
sensitive_data.host_keys[i] = NULL;
sensitive_data.host_pubkeys[i] = NULL;
continue;
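Review bot: the description says the public key is freed "before exiting", but the two added lines sit in the else branch that ends in continue, so they run once for every host key that fails to load while sshd carries on to the next file. Reword the commit message to say that, and state where pubkey was allocated in this iteration so it is clear nothing else still holds the pointer when sshkey_free(pubkey) runs.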
--
2.45.2
2015 Feb 19
2
Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.
Howdy --
I have a number of servers with host keys validated by certificates.
These systems are behind a load-balanced frontend, and the
certificates are signed as valid for the DNS name used by that common
frontend address.
This works well for the primary use case of the systems; however, when
wishing to address only a single unit within the pool, the certificate
cannot be used to validate that
2003 Nov 04
0
ServerLiesWarning
...eychecking", oStrictHostKeyChecking },
+ { "serverlieswarning", oServerLiesWarning },
{ "compression", oCompression },
{ "compressionlevel", oCompressionLevel },
{ "keepalive", oKeepAlives },
@@ -402,6 +403,10 @@
intptr = &options->verify_host_key_dns;
goto parse_flag;
+ case oServerLiesWarning:
+ intptr = &options->server_lies_warning;
+ goto parse_flag;
+
case oStrictHostKeyChecking:
intptr = &options->strict_host_key_checking;
arg = strdelim(&s);
@@ -856,6 +861,7 @@
options->no_host_authentication_for...
2001 Feb 05
1
I have an odd OpenSSH compatibility issue
...mand 'ls -alni /proc' disabled (badness 2)
debug: Command 'ps -efl' disabled (badness 2)
debug: Command 'ipcs -a' disabled (badness 2)
debug: Seeded RNG with 35 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
respond_to_rsa_challenge: public_key 895 < host_key 768 +
SSH_KEY_BITS_RESERVED 128
debug: Calling cleanup 0x3a08c(0x0)
debug: Calling cleanup 0x3f4b0(0x0)
debug: writing PRNG seed to file /home1/sa/.ssh/prng_seed
2008 Apr 21
3
FIPS 140-2 OpenSSL(2007) patches
Hi,
I am happy to (re)send a set of patches for compiling OpenSSH 4.7p1 with
FIPS 140-2 OpenSSL.
These are based on previously reported patches by Steve Marquess
<marquess at ieee.org> and Ben Laurie <ben at algroup.co.uk>,
for ver. OpenSSH 3.8.
Note that these patches are NOT OFFICIAL, and MAY be used freely by
anyone.
Issues [partially] handled:
SSL FIPS Self test.
RC4,
2012 Dec 27
3
[PATCH] hostfile: list known names (if any) for new hostkeys
...truct hostkeys *, const char *, const Key *, const char *);
void free_hostkeys(struct hostkeys *);
HostStatus check_key_in_hostkeys(struct hostkeys *, Key *,
diff --git a/sshconnect.c b/sshconnect.c
index 07800a6..62306ac 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -718,13 +718,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
Key *raw_key = NULL;
char *ip = NULL, *host = NULL;
char hostline[1000], *hostp, *fp, *ra;
- char msg[1024];
+ char msg[2048];
const char *type;
const struct hostkey_entry *host_found, *ip_found;
int len, cancelled_forwarding = 0;...
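Review bot: raising msg from 1024 to 2048 bytes moves the limit rather than removing it, since the number of known names for a key has no fixed bound. Make sure every write into msg is bounded by sizeof(msg) and that a long name list is truncated on purpose (for example after a fixed number of names), or build the message in a dynamically sized buffer.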
2002 Oct 16
3
ssh-3.5p1 core dumps on Solaris 2.6
...()
#1 0xef4dc7e4 in _doprnt ()
#2 0xef4e5c88 in vsnprintf ()
#3 0x42bfc in do_log (level=SYSLOG_LEVEL_DEBUG1, fmt=0xb9e28 "using hostkeyalias: %s",
args=0xefffe510) at log.c:385
#4 0x42574 in debug (fmt=0xb9e28 "using hostkeyalias: %s") at log.c:159
#5 0x20c04 in check_host_key (host=0x5a "", hostaddr=0xf3560, host_key=0xffaa8, readonly=0,
user_hostfile=0x81 "", system_hostfile=0x69 " -v pf-i400") at sshconnect.c:561
#6 0x21634 in verify_host_key (host=0xfa790 "pf-i400", hostaddr=0xf3560, host_key=0xffaa8)
at sshconnect.c:8...
2001 Jul 05
1
Patch to workaround host key size mismatch bug in old SSH sshd
...2001
@@ -37,6 +37,7 @@
#include "packet.h"
#include "mpaux.h"
#include "uidswap.h"
+#include "compat.h"
#include "log.h"
#include "readconf.h"
#include "key.h"
@@ -960,7 +961,8 @@
sum_len += clen;
rbits = BN_num_bits(host_key->n);
- if (bits != rbits) {
+ if (bits != rbits &&
+ !((datafellows & SSH_BUG_SERVERLIESSIZE) && (rbits + 1 == bits))) {
log("Warning: Server lies about size of server host key: "
"actual size is %d bits vs. announced %d.", rbits, bits);
l...
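Review bot: the new exception rbits + 1 == bits is a magic off-by-one with no comment saying which servers announce a size one bit larger than the real key or why only that difference is tolerated. Add a comment beside the SSH_BUG_SERVERLIESSIZE test, and keep the warning for every other mismatch as this condition already does.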