Displaying 20 results from an estimated 487 matches for "hostkeys".
2012 Dec 27
3
[PATCH] hostfile: list known names (if any) for new hostkeys
...-----
sshconnect2.c | 4 ++--
5 files changed, 71 insertions(+), 26 deletions(-)
diff --git a/auth.c b/auth.c
index 7bc6f40..1ca07e1 100644
--- a/auth.c
+++ b/auth.c
@@ -379,7 +379,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
const struct hostkey_entry *found;
hostkeys = init_hostkeys();
- load_hostkeys(hostkeys, host, sysfile);
+ load_hostkeys(hostkeys, host, NULL, sysfile);
if (userfile != NULL) {
user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
if (options.strict_modes &&
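Review bot: the new third argument to load_hostkeys() is passed as a bare NULL at this call in check_key_in_hostfiles(), and nothing at the call site says what NULL selects. A one-line comment here, or documentation of the new parameter next to the load_hostkeys() prototype, would let a reader confirm that this caller's behaviour is unchanged.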
@@ -393,7 +393,7 @@ check_key_in_hostfiles(struct passwd *...
2024 Nov 12
3
[PATCH 0/2] Specify signature algorithm during server hostkeys prove
From: Maxime Rey <maximejeanrey at gmail.com>
Hello,
I've discovered an issue with sshd when it's configured to use the SSH agent
alongside multiple host keys. Specifically, this problem happens during the
hostkeys-prove-00@openssh.com request, when the server attempts to
demonstrate ownership of the host keys by calling the agent.
The issue occurs because, while processing the hostkeys-prove-00@openssh.com
request, sshd does not specify the signature algorithm in its call to
the agent. As a result, wh...
2015 Feb 20
3
SUCCESS: OpenSSH_6.7p1-snap20150220
Compiled OK, and operating nicely on CentOS 6.6, both 32/64 bit.
Really appreciate the UpdateHostkeys feature!
One issue I noticed, the screen output gets garbled if the user has been "asked" to "Accept" the new hostkeys.
Looks like the screen output is missing the CR's, and only LF's get presented.
[root@be2 .ssh]# ssh be1 ls -l
Warning: Permanently added 'be1,f...
2023 Jun 30
0
[centos/centos.org] branch main updated: Adding new hostkey.com sponsor
This is an automated email from the git hooks/post-receive script.
arrfab pushed a commit to branch main
in repository centos/centos.org.
The following commit(s) were added to refs/heads/main by this push:
new 860d2c9 Adding new hostkey.com sponsor
860d2c9 is described below
commit 860d2c965949164c393d15685d1c49c3d3b8d637
Author: Fabian Arrotin <arrfab at centos.org>
AuthorDate: Fri
2019 Oct 21
2
Multiple Signatures on SSH-Hostkeys
Hello, OpenSSH-wizards.
In our company, we have looked into SSH-HostKey-signing in order to
realize automated access without the need to accept the server's
hostkey, manually.
I got it to work with the HostCertificate-directive inside the
sshd_config.
Now, I was wondering whether it is possible to have multiple
signatures, so I can, for example, sign the hostkey once with a
2002 Jan 31
7
x509 for hostkeys.
This (very quick) patch allows you to connect with the commercial
ssh.com windows client and use x509 certs for hostkeys. You have
to import your CA cert (ca.crt) in the windows client and certify
your hostkey:
$ cat << 'EOF' > x509v3.cnf
CERTPATHLEN = 1
CERTUSAGE = digitalSignature,keyCertSign
CERTIP = 0.0.0.0
[x509v3_CA]
basicConstraints=critical,CA:true...
2020 Apr 26
5
[Bug 3155] New: openssh support hostkey encrypt
https://bugzilla.mindrot.org/show_bug.cgi?id=3155
Bug ID: 3155
Summary: openssh support hostkey encrypt
Product: Portable OpenSSH
Version: 8.2p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
2007 Jan 30
3
[Bug 1279] Address- and/or port-specific HostKeys support
http://bugzilla.mindrot.org/show_bug.cgi?id=1279
Summary: Address- and/or port-specific HostKeys support
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: mi+mindr...
2024 Nov 12
0
[PATCH 1/2] Add test to cover multiple server hostkeys with agent
...ent.sh
@@ -82,6 +82,37 @@ for k in $SSH_CERTTYPES ; do
fi
done
+# Run sshd with multiple keys handeled by agent
+
+cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+
+mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
+grep -vi 'globalknownhostsfile' $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
+echo "UpdateHostkeys=yes" >> $OBJ/ssh_proxy
+echo "GlobalKnownHostsFile=none" >> $OBJ/ssh_proxy
+
+read -p "Doing the multiple keys (y/n)? " answer
+for k in $SSH_KEYTYPES ; do
+ verbose "Addkey type $k"
+ echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_pro...
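Review bot: the `read -p "Doing the multiple keys (y/n)? " answer` line makes the test wait for interactive input, so an unattended run will block or consume whatever happens to be on stdin. `read -p` is also not POSIX sh, and `answer` is not used in the visible lines. It looks like leftover debugging and should be dropped. The comment at the top of the hunk also misspells "handled" as "handeled".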
2002 Jun 05
1
Per-port hostkeys
My apologies if this has been covered already. My search of the archives
was unfruitful.
OpenSSH seems to be lacking a certain capability present in ssh.com's
client; namely, the ability to store remote hostkeys on a per-port basis.
I have various machines that, due to iptables port-forwarding, appear to
be running copies of (open)sshd on multiple ports. "Commercial" ssh
stores hostkeys in files named "key_<port>_host.pub"; this is useful,
because it allows for recording the key...
2001 Oct 24
3
Inconsistent server/client configuration
It appears somewhat inconsistent to me that parameter HostKey is configurable
on the server side but fixed on the client side.
On the client, always _PATH_HOST_KEY_FILE, _PATH_HOST_DSA_KEY_FILE,
_PATH_HOST_RSA_KEY_FILE are used (in this order), whereas on the server,
the paths can be specified by up to three HostKey options as arbitrary names
in arbitrary sequence.
Similarly, option
2024 Sep 23
1
[PATCH] sshd: Add pkcs11 support for HostKey.
...ms with integrated HSM. The sshd
host key is stored on the HSM. To have sshd using that key, we rely on
the following chain:
sshd -> OpenSSL -> OpenSSL Engine -> HSM
Having PKCS#11 support in sshd, would reduce it to:
sshd -> PKCS#11 Library -> HSM
This patch extends sshd so that HostKeys can also be PKCS#11 URIs, as
defined by the RFC 7512[1]. Those URIs are parsed using p11-kit[2], that
is added as an optional dependency to OpenSSH. If that is a
show-stopper, URIs could also be parsed directly in OpenSSH but that
would involve lengthy parsing functions. One can then have a
config...
2024 Oct 28
1
[PATCH] Specify signature algorithm during server hostkeys prove
Hello,
I've found that when using the ssh agent and sshd together, there is an issue
when using multiple host keys. Specifically, after the key exchange phase,
when a client requests proof of ownership for the host keys via the
"hostkeys-prove-00@openssh.com" request, the server prepares the response
without specifying the signature algorithm in case of non-RSA keys.
This leads to "SSH_ERR_INVALID_ARGUMENT" when verifying the signature in:
openssh-portable/authfd.c line
if ((r = sshkey_check_sigtype(sig, len,...
2008 Jun 27
1
HostKey check for remote hosts via local ports
Another issue for which there might be some tricks that I don't know of:
I have a set of ports on my local machine forwarded (via ssh LocalForward) to machines that I can't directly reach on the localhost. However, as I connect to those machines I get HostKey warnings since it looks for the HostKey of the 'localhost' and depending on the port, it is of course different.
Is there
2015 Dec 23
2
Why hostkeys-00@openssh.com is following user authentication?
Hello,
This hostkeys extension is great, reading[1]:
"""
OpenSSH supports a protocol extension allowing a server to inform a
client of all its protocol v.2 host keys after user-authentication has
completed.
"""
I wonder, why should user authentication be completed before this
functionalit...
2002 Jan 07
1
Non-root hostname auth problem
...over, passed a different list keyboard-interactive,hostbased
debug3: preferred hostbased,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: password
debug3: authmethod_is_enabled hostbased
debug1: next auth method to try is hostbased
debug1: userauth_hostbased: no more client hostkeys
debug2: we did not send a packet, disable method
debug1: no more auth methods to try
Permission denied (keyboard-interactive,hostbased).
******************
****sshd_config on server****
Port 1024 # for testing without annoying the users
#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::...
2002 Feb 12
3
Problem with ssh-keyscan: no hostkey alg
Hi,
I am using ssh-keyscan with a list of hosts, such as:
ssh-keyscan -t rsa -f hosts_for_keyscan
Some of the hosts in the list have dsa, but no rsa keys. For such
hosts, the command displays:
no hostkey alg
When this is the case for 2 hosts, this message appears twice AND
SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
returned for the following hosts.
Here is the part of the
2016 Aug 03
2
Configure option '--with-ssh1' breaks openssh-7.3p1
...possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key
#HostKey /usr/local/etc/ssh_host_ecdsa_key
#HostKey /usr/local/etc/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral vers...
2013 Jun 25
1
RFC: encrypted hostkeys patch
Hi,
About a year and a half ago I brought up the topic of encrypted hostkeys
and posted a patch
(http://marc.info/?l=openssh-unix-dev&m=132774431906364&w=2), and while the
general reaction seemed receptive to the idea, a few problems were pointed
out with the implementation (UI issues, ssh-keysign breakage).
I've finally had some spare time in which to get back...
2016 Oct 26
2
[Bug 2631] New: Hostkey update and rotation - No IP entries added to known_hosts
...rtable OpenSSH
Version: 7.3p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: lkinley at gmail.com
When UpdateHostKeys=yes/ask, only hostname based entries are added to
known_hosts file when learning new hostkeys.
Shouldn't IP entries also be added?
Consider the following scenario:
User connects for the first time, specifying a HostKeyAlgorithms
setting that is not first in the default list (rsa-sha2-256 in...