search for: joachimschipper

https://bugzilla.mindrot.org/show_bug.cgi?id=1565 Summary: ssh-keyscan doesn't like comment-lines Product: Portable OpenSSH Version: 5.1p1 Platform: All OS/Version: Linux Status: NEW Keywords: low-hanging-fruit Severity: minor Priority: P2 Component: Miscellaneous AssignedTo:

...openssh.devel/1 6422 OS/Version: OpenBSD Status: NEW Keywords: needs-release-note, patch Severity: enhancement Priority: P2 Component: ssh AssignedTo: unassigned-bugs at mindrot.org ReportedBy: joachim at joachimschipper.nl Created an attachment (id=1780) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1780) [patch] Automatically add keys to ssh-agent(1) [Continuing a mailing list thread; see http://article.gmane.org/gmane.network.openssh.devel/16422.] My keys are secured with a passphrase. That's g...

This patch makes keys work again. This bug was introduced in r1.78: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.77;r2=1.78. Joachim Index: authfile.c =================================================================== RCS file: /usr/obsd-repos/src/usr.bin/ssh/authfile.c,v retrieving revision 1.78 diff -u -N -p authfile.c --- authfile.c 11 Jan 2010 04:46:45 -0000

ssh-add on OpenBSD current (with malloc -S enabled) crashes ("chunk is already free") when loading my password-protected SSHv1 key (used only for testing). "ssh-add ~/.ssh/identity" also fails to format the prompt properly ("Enter passphrase for :"). The issue is as follows: Starting at ssh-add.c:158 in add_file(ac, filename = "~/.ssh/identity"), we call

ssh-keyscan may, under very specific circumstances, be vulnerable to something akin to a buffer overflow. It's probably impossible to exploit, though, if only because ssh-keyscan is not usually run on very large untrusted input files. ssh-keyscan uses an fgets() wrapper that uses an unsigned int to keep track of the length of a buffer holding the current line. On machines with sufficient

My keys are secured with a passphrase. That's good for security, but having to type the passphrase either at every login or at every invocation of ssh(1) is annoying. I know I could invoke ssh-add(1) just before invoking ssh(1), if I keep track of whether I invoked it already, or write some hacky scripts; but the rest of OpenSSH is wonderfully usable without any hacks. Hence, this patch.