search for: key_dsa

Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I noticed that there is a bit of functionality missing from OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using GSS authentication. Yes, ~/.k5login can be used to grant access to an account for applications that support Kerberos, as does OpenSSH with those GSS patches, but .k5login does not and cannot provide

...9 != NULL) { + debug("PEM_read_X509"); +#ifdef DEBUG_X509 + X509_print_fp(stdout, prv->x509); + { + EVP_PKEY *pkey = X509_get_pubkey(prv->x509); + if (pkey->type == EVP_PKEY_RSA) { + debug("PEM_read_X509 -> RSA"); + } else if (pkey->type == EVP_PKEY_DSA) { + debug("PEM_read_X509 -> DSA"); + } + } +#endif + } + } fclose(fp); if (pk != NULL) EVP_PKEY_free(pk); Index: key.c =================================================================== RCS file: /home/markus/cvs/ssh/key.c,v retrieving revision 1.39 diff -u -r1.39 ke...

...num(buffer, key->e); + buffer_get_bignum(buffer, key->n); + buffer_get_bignum(buffer, key->d); + buffer_get_bignum(buffer, key->iqmp); + buffer_get_bignum(buffer, key->p); + buffer_get_bignum(buffer, key->q); + rsa_generate_additional_parameters(key); +} + +static void +buffer_put_key_dsa(Buffer *buffer, const DSA *key) +{ + buffer_put_bignum(buffer, key->p); + buffer_put_bignum(buffer, key->q); + buffer_put_bignum(buffer, key->g); + buffer_put_bignum(buffer, key->pub_key); + buffer_put_bignum(buffer, key->priv_key); +} + +static void +buffer_get_key_dsa(Buffer *buffe...

...rwarding when this key is used for authentication. Any port forward requests by the client will return an error. Index: 3_0_2p1.1/key.h --- 3_0_2p1.1/key.h Wed, 21 Nov 2001 10:38:46 -0500 +++ 3_0_2p1_w_named_keys.1(w)/key.h Thu, 24 Jan 2002 10:52:24 -0500 @@ -34,7 +34,9 @@ KEY_RSA1, KEY_RSA, KEY_DSA, - KEY_UNSPEC + KEY_UNSPEC, + KEY_NAME, + KEY_NAME_PAT }; enum fp_type { SSH_FP_SHA1, @@ -53,12 +55,15 @@ int flags; RSA *rsa; DSA *dsa; + u_char *name; + char *name_type; }; Key *key_new(int); Key *key_new_private(int); void key_free(Key *); int key_equal(Key *, Key *); +int k...

...ard requests by the client will return an error. Index: 2_9_p2.1/key.h --- 2_9_p2.1/key.h Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/j/7_key.h 1.1 644) +++ 2_9_p2_w_named_keys.2/key.h Tue, 03 Jul 2001 13:57:30 -0400 willian (OpenSSH/j/7_key.h 1.1.1.1 644) @@ -34,7 +34,9 @@ KEY_RSA1, KEY_RSA, KEY_DSA, - KEY_UNSPEC + KEY_UNSPEC, + KEY_NAME, + KEY_NAME_PAT }; enum fp_type { SSH_FP_SHA1, @@ -48,12 +50,16 @@ int type; RSA *rsa; DSA *dsa; + u_char *name; + u_int name_len; + char *name_type; }; Key *key_new(int type); Key *key_new_private(int type); void key_free(Key *k); int key_equ...

...*lenp) +{ + Buffer b; + int len, len1; + char *pb; + + if (key == NULL) { + error("do_convert_private_ssh2_to_blob: key == NULL"); + return 0; + } + buffer_init(&b); + buffer_put_int(&b, SSH_COM_PRIVATE_KEY_MAGIC); + buffer_put_int(&b, 0); + + switch (key->type) { + case KEY_DSA: + buffer_put_cstring(&b, "dl-modp{sign{dsa-nist-sha1},dh{plain}}"); + break; + case KEY_RSA: + buffer_put_cstring(&b, "if-modn{sign{rsa-pkcs1-md5}}"); + break; + default: + error("do_convert_private_ssh2_to_blob: unsupported key type %d", +...

Hi, Why is there still a limit on the length of a DSA key generated by ssh-keygen? I mean that ssh-keygen only expects 1024 as key length, or fails. Here is the code excerpt that enforces the limitation: if (type == KEY_DSA && *bitsp != 1024) fatal("DSA keys must be 1024 bits"); Commenting these two lines allows the generation of, say, 2048 bit DSA keys that work just fine with sshd. The only reason that I could previously find is that 1024 is imposed by FIPS 186-2, but the current FIPS 186-3 a...

...expected->no_parse_keytype == KEY_RSA1)) { expected_status = HKF_STATUS_INVALID; expected_keytype = KEY_UNSPEC; parse_key = 0; } #endif +#ifndef WITH_OPENSSL + if (expected->l.keytype == KEY_RSA || + expected->no_parse_keytype == KEY_RSA || + expected->l.keytype == KEY_DSA || + expected->no_parse_keytype == KEY_DSA) { + expected_status = HKF_STATUS_INVALID; + expected_keytype = KEY_UNSPEC; + parse_key = 0; + } +#endif /* WITH_OPENSSL */ #ifndef OPENSSL_HAS_ECC if (expected->l.keytype == KEY_ECDSA || expected->no_parse_keytype == KEY_ECDSA) {...

...tch that adds the possibility of displaying key fingerprints in the bubblebabble format used by ssh.com ssh implementations. I hope it makes its way into the source. --- ./openssh-2.5.1/key_original.h Sun Mar 4 00:47:55 2001 +++ ./openssh-2.5.1/key.h Sun Mar 4 00:57:57 2001 @@ -36,6 +36,17 @@ KEY_DSA, KEY_UNSPEC }; + +enum digest_type { + DIGEST_TYPE_SHA1, + DIGEST_TYPE_MD5 +}; + +enum digest_representation { + DIGEST_REPRESENTATION_HEX, + DIGEST_REPRESENTATION_BUBBLEBABBLE +}; + struct Key { int type; RSA *rsa; @@ -46,6 +57,7 @@ Key *key_new_private(int type); void key_free(Key *k);...

..._to_pem(Key *k) } static void +do_convert_to_subjectinfo(Key *k) +{ + switch (key_type_plain(k->type)) { + case KEY_RSA: + if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) + fatal("PEM_write_RSAPublicKey failed"); + break; +#if notyet /* OpenSSH 0.9.8 lacks this function */ + case KEY_DSA: + if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) + fatal("PEM_write_DSAPublicKey failed"); + break; +#endif + /* XXX ECDSA? */ + default: + fatal("%s: unsupported key type %s", __func__, key_type(k)); + } + exit(0); +} + +static void do_convert_to(struct passwd *pw) { K...

On Wed, Feb 15, 2017 at 9:50 PM, Kelly Dunlop <kdunlop at guralp.com> wrote: > > > Hi, > > I am running openssh7.3p1 on an embedded Linux system and discovered this problem. > > If I run: > > ssh-keygen -t rsa1 -f testfile > > it appears to generate the key and I get the output: > > Generating public/private rsa1 key pair. >

Looking at ssh-keygen.c from openssh-6.2p2.tar.gz lines 186-187: if (type == KEY_DSA && *bitsp != 1024) fatal("DSA keys must be 1024 bits"); It appears to me that ssh-keygen will only generate 1024 bit DSA keys. Is that still current? FIPS 186-3 (2009-06) section 4.2 and FIPS 186-4 [1] (2013-07) section 4.2 state: 4.2 Selection of Parameter...

...ot;ssh-ed25519-cert-v01 at openssh.com", "ED25519-CERT", KEY_ED25519_CERT, 0, 1 }, #ifdef WITH_OPENSSL +# ifdef WITH_SSH1 { NULL, "RSA1", KEY_RSA1, 0, 0 }, +# endif { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, # ifdef OPENSSL_HAS_ECC -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

...test program, simultaneously. While running I checked that the arguments to load_private_key were identical in ssh and my test program for both times they are called. I continued checking like this for every function call inside load_private_key. The first difference I noticed was in load_private_key_dsa. After it calls: in = BIO_new(BIO_s_file()); The "in" stucture in my test program and ssh are identical except for in->ex_data->dummy which is 0 in ssh and 1886999597 in my program!?! I don't know how that happens, since that function takes no arguments. I'm guessing some...

...it ?authenticate user and start session ?in do_ssh2_kex ?compat_cipher_proposal ?compat_cipher_proposal ?in list_hostkey_types in buffer_init in buffer_len ?in key_ssh_name ?in KEY_RSA in buffer_append in buffer_append_space in buffer_len in buffer_append in buffer_append_space ?in key_ssh_name ?in KEY_DSA in buffer_append in buffer_append_space in buffer_append in buffer_append_space in buffer_ptr in buffer_free list_hostkey_types: ssh-rsa,ssh-dss ?in kex_setup in buffer_init in buffer_init ?before kex_send_kexinit in buffer_len kex_send_kexinit: kex proposal too short ?len=0 in buffer_ptr packet_st...

...it authenticate user and start session in do_ssh2_kex compat_cipher_proposal compat_cipher_proposal in list_hostkey_types in buffer_init in buffer_len in key_ssh_name in KEY_RSA in buffer_append in buffer_append_space in buffer_len in buffer_append in buffer_append_space in key_ssh_name in KEY_DSA in buffer_append in buffer_append_space in buffer_append in buffer_append_space in buffer_ptr in buffer_free list_hostkey_types: ssh-rsa,ssh-dss in kex_setup in buffer_init in buffer_init before kex_send_kexinit in buffer_len kex_send_kexinit: kex proposal too short len=0 in buffer_ptr packet_st...

Hi, OpenSSH 6.9 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains some substantial new features and a number of bugfixes. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is

...Thu Nov 27 16:30:46 2003 @@ -634,11 +634,13 @@ PRIV_START; sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, - _PATH_HOST_KEY_FILE, "", NULL); + _PATH_HOST_KEY_FILE, "", NULL, options.group_private_key); sensitive_data.keys[1] = key_load_private_type(KEY_DSA, - _PATH_HOST_DSA_KEY_FILE, "", NULL); + _PATH_HOST_DSA_KEY_FILE, "", NULL, + options.group_private_key); sensitive_data.keys[2] = key_load_private_type(KEY_RSA, - _PATH_HOST_RSA_KEY_FILE, "", NULL); + _PATH_HOST_RSA_KEY_FILE, "",...

...types for `-t'"); + return (NULL); + } + tname = argv[argno]; + } + tname = strtok(tname, ","); + while (tname) { + int type = key_type_from_name(tname); + switch (type) { + case KEY_RSA1: + get_keytypes |= KT_RSA1; + break; + case KEY_DSA: + get_keytypes |= KT_DSA; + break; + case KEY_RSA: + get_keytypes |= KT_RSA; + break; + case KEY_UNSPEC: + fatal("unknown key type %s\n", + tname); + } + tname = strtok(NULL, ","); + } + goto double_break; + case '4&...

...&& k->rsa->q && k->rsa->p && + k->rsa->iqmp && + !BN_is_zero(k->rsa->d) && + !BN_is_zero(k->rsa->q) && + !BN_is_zero(k->rsa->p) && + !BN_is_zero(k->rsa->iqmp)) + return 1; + break; + case KEY_DSA: + case KEY_DSA_CERT_V00: + case KEY_DSA_CERT: + if (k->dsa && k->dsa->priv_key) + return 1; + break; + case KEY_ECDSA: + case KEY_ECDSA_CERT: + if (k->ecdsa && EC_KEY_get0_private_key(k->ecdsa)) + return 1; + break; +#endif /* WITH_OPENSSL */ + case KEY_ED255...