search for: host_key_fil

Displaying 20 results from an estimated 24 matches for "host_key_fil".

2019 Aug 06
2
[PATCH v2] Remove sshkey_load_private()
...explicit_bzero(passphrase, strlen(passphrase)); free(passphrase); fatal("Cannot load private key \"%s\": %s.", diff --git a/sshd.c b/sshd.c index 11571c01011..cea85de2404 100644 --- a/sshd.c +++ b/sshd.c @@ -1719,8 +1719,9 @@ main(int ac, char **av) if (options.host_key_files[i] == NULL) continue; - if ((r = sshkey_load_private(options.host_key_files[i], "", - &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) + if ((r = sshkey_load_private_type(KEY_UNSPEC, + options.host_key_files[i], "", &key, NULL)) != 0 && +...
2012 Nov 21
1
HostKey in hardware?
Hi, Is there any way to store HostKey in hardware (and delegate the related processing)? I have been using Roumen Petrov's x509 patch for clients, which works via an OpenSSL engine, but it does not seem to support server HostKey: http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html For PKCS#11, I have found an email on this list from a year back suggesting this
2000 Dec 22
0
patch to specify DSA host key on command line
...6")) != EOF) { + while ((opt = getopt(ac, av, "f:p:b:k:h:H:g:V:u:diqQ46")) != EOF) { switch (opt) { case '4': IPv4or6 = AF_INET; @@ -557,6 +557,9 @@ case 'h': options.host_key_file = optarg; break; + case 'H': + options.host_dsa_key_file = optarg; + break; case 'V': client_version_string = optarg; /* only makes sens...
2007 Jan 08
0
How to remove group1 and group14 from OpenSSH..
...x_server; kex->server = 1; CHANGE TO kex->we_need = buffer_get_int(m); kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->server = 1; TO REMOVE DSA HOST KEY IN servconf.c if (options->protocol & SSH_PROTO_2) { options->host_key_files[options->num_host_key_files++] = _PATH_HOST_RSA_KEY_FILE; options->host_key_files[options->num_host_key_files++] = _PATH_HOST_DSA_KEY_FILE; } CHANGE TO if (options->protocol & SSH_PROTO_2) { options->host_key_files[options->num_host_key_files++] = _PATH_HOST_RSA_...
2020 Apr 26
5
[Bug 3155] New: openssh support hostkey encrypt
...Status: NEW Severity: security Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: kircherlike at outlook.com We noticed that the sshd.c file contained such a code snippet: ... for (i = 0; i < options.num_host_key_files; i++) { int ll = options.host_key_file_userprovided[i] ? SYSLOG_LEVEL_ERROR : SYSLOG_LEVEL_DEBUG1; if (options.host_key_files[i] == NULL) continue; if ((r = sshkey_load_private(options.host_key_files[i],...
2012 Jan 28
1
PATCH: Support for encrypted host keys
...the rexec child, but I decided I thought it was slightly nicer to decrypt the key once and pass it along rather than redoing it every time. I can send the previous version if that would be preferred though -- this key-passing version does have some resulting ugliness in its handling of options.num_host_key_files, as described in a comment in the patch. Thanks, Zev Weiss -- Makefile.in | 2 +- buffer.h | 5 ++ bufkey.c | 132 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ sshd.c | 141 ++++++++++++++++++++++++++++++++++++++++++++++++----------- 4 files changed, 253 insertio...
2013 Jun 25
1
RFC: encrypted hostkeys patch
...f (authctxt->pw->pw_uid == 0 || options.use_login) { + if (authctxt->pw->pw_uid == 0 || options.use_login) #endif + { /* File descriptor passing is broken or root login */ use_privsep = 0; goto skip; @@ -767,6 +780,8 @@ list_hostkey_types(void) for (i = 0; i < options.num_host_key_files; i++) { key = sensitive_data.host_keys[i]; if (key == NULL) + key = sensitive_data.host_pubkeys[i]; + if (key == NULL) continue; switch (key->type) { case KEY_RSA: @@ -819,6 +834,8 @@ get_hostkey_by_type(int type, int need_private) break; default: key = sensitive_...
2008 May 07
2
Request for generic engine support
...lt_algorithms = ALL # Load and initialize the engine init = 1 ---------------------------------- =========================================== Add to 'struct ServerOptions' in servconf.h: -------------------------------------------- 50a68,71 > int engineindex; /*engine index in host_key_files */ > char *engconffile; /*engine config information */ > char *engconfstanza; /* engine config stanza */ > -------------------------------------------- =================== Add to servconf.c: -------------------------------------------- 74a67,69 > options->eng...
2008 Sep 15
0
No subject
...og init after log init before seed_rng after seed_rng before read_server_config after read_server_config before fill_default_server_options after fill_default_server_options sshd version OpenSSH_3.7.1p2 before lodaing private keys after lodaing private keys after lodaing private keys options.host_key_files[i]=/etc/ssh/ssh_host_rsa_key in key_load_private before key_load_public_rsa1 in buffer_init in buffer_append_space in buffer_get leaving from buffer_get in buffer_free before key_load_private_pem returning from key_load_private after key_load_private private host key: #0 type 1 RSA options.h...
2008 Sep 18
2
SSHD_PROBLEM
...og init after log init before seed_rng after seed_rng before read_server_config after read_server_config before fill_default_server_options after fill_default_server_options sshd version OpenSSH_3.7.1p2 before lodaing private keys after lodaing private keys after lodaing private keys options.host_key_files[i]=/etc/ssh/ssh_host_rsa_key in key_load_private before key_load_public_rsa1 in buffer_init in buffer_append_space in buffer_get leaving from buffer_get in buffer_free before key_load_private_pem returning from key_load_private after key_load_private private host key: #0 type 1 RSA options.h...
2018 Jun 08
3
vanilla build of 7.7p1 release on linux/4.17 fails with gcc8 @ "/usr/bin/ld: unrecognized option '-Wl,-z,retpolineplt'"
One difference I notice is that in your failing example you are invoking /usr/bin/ld directly to link: /usr/bin/ld -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect2.o mux.o -L. -Lopenbsd-compat/ -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lutil -lz -lcrypt -lresolv whereas my example is
2003 Nov 27
2
Question about adding another parameter for OpenSSH
...IDENTITY_FILES]; + int group_private_key; /* Local TCP/IP forward requests. */ int num_local_forwards; --- ssh.c.orig Thu Nov 27 16:31:08 2003 +++ ssh.c Thu Nov 27 16:30:46 2003 @@ -634,11 +634,13 @@ PRIV_START; sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, - _PATH_HOST_KEY_FILE, "", NULL); + _PATH_HOST_KEY_FILE, "", NULL, options.group_private_key); sensitive_data.keys[1] = key_load_private_type(KEY_DSA, - _PATH_HOST_DSA_KEY_FILE, "", NULL); + _PATH_HOST_DSA_KEY_FILE, "", NULL, + options.group_private_key);...
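Review bot: the new `int group_private_key;` field is added without a comment saying what it controls, and the ssh.c call sites now pass it as a fifth argument to `key_load_private_type()`, which changes that function's signature for every caller. Document the field next to its declaration, and make sure the remaining callers and the prototype are updated in the same patch, since the option feeds directly into how the private host keys are loaded.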
2005 Feb 24
3
Suggestion: SSHD pseudo/fake mode. Source available.
Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributor to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IP's. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different
2000 Dec 22
1
bug in sshd.d (destroy_sensitive_data core dumps)
...========================= RCS file: /cvs/openssh_cvs/sshd.c,v retrieving revision 1.101 diff -u -r1.101 sshd.c --- sshd.c 2000/12/15 23:31:01 1.101 +++ sshd.c 2000/12/22 14:56:29 @@ -702,6 +706,7 @@ if (key == NULL) { error("Could not load host key: %.200s: %.100s", options.host_key_files[i], strerror(errno)); + sensitive_data.host_keys[i] = NULL; continue; } switch(key->type){ -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany ge...
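Review bot: `sensitive_data.host_keys[i] = NULL;` is set only inside the `key == NULL` error branch, so the slot is cleared on this one failure path alone. Consider setting every `host_keys` entry to NULL before the loading loop instead, so that any other path that skips a slot with `continue` also leaves a value that the cleanup code can test safely.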
2011 Mar 02
0
sshd doesn't accept -c option
...with adding certificates using command line. Running /usr/sbin/sshd -c certfile returns sshd: illegal option -- c OpenSSH_5.8p1-hpn13v10, OpenSSL 1.0.0d 8 Feb 2011 usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file] [-f config_file] [-g login_grace_time] [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] In cvs log I found, that certificate support was introduced to sshd.c in revision 1.373 but the optstring argument of getopt function was not changed accordingly. -- L.H.
2015 Jan 30
5
[Bug 2346] New: sshd -T doesn't write all configuration options in valid format
https://bugzilla.mindrot.org/show_bug.cgi?id=2346 Bug ID: 2346 Summary: sshd -T doesn't write all configuration options in valid format Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:
2020 Apr 25
2
[PATCH 1/3] Add private key protection information extraction to ssh-keygen
...? ???? passphrase, &private, &comment, NULL))) { ??? ??? ?case 0: ??? ??? ??? ?break; ??? ??? ?case SSH_ERR_KEY_WRONG_PASSPHRASE: diff --git a/sshd.c b/sshd.c index 6f8f11a3bdac..42c19089a225 100644 --- a/sshd.c +++ b/sshd.c @@ -1789,7 +1789,7 @@ main(int ac, char **av) ??? ??? ?if (options.host_key_files[i] == NULL) ??? ??? ??? ?continue; ??? ??? ?if ((r = sshkey_load_private(options.host_key_files[i], "", -?? ??? ???? &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) +?? ??? ???? &key, NULL, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) ??? ??? ??? ?do_log2(ll, "...
2001 Nov 12
4
Please test -current
Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)
2005 Apr 16
3
Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
I have tried to update openssh-3.1p1 of our system that uses RH7.2 (Scyld). It is pretty much a standard Redhat 7.2 install with openssl-0.9.6b, zlib-1.1.4 etc. I have gotten openssh to work after some initial issues, but I still have not been able to get openssh/sshd to work with tcp-wrappers. I have in hosts.deny ALL: ALL: and in hosts.allow ALL: localhost, 127.0.0.1, 192.168.1. and still I
2002 Dec 18
2
patch for openssh3.5p1 - adds logging option
...el log_level_number(char *); diff -urN openssh-3.5p1-orig/servconf.c openssh-3.5p1/servconf.c --- openssh-3.5p1-orig/servconf.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/servconf.c 2002-12-18 10:20:33.000000000 -0500 @@ -64,6 +64,7 @@ options->listen_addrs = NULL; options->num_host_key_files = 0; options->pid_file = NULL; + options->log_file = NULL; options->server_key_bits = -1; options->login_grace_time = -1; options->key_regeneration_time = -1; @@ -302,6 +303,7 @@ sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKe...