Displaying 20 results from an estimated 26 matches for "key_fingerprint".

2008 Apr 21
3
FIPS 140-2 OpenSSL(2007) patches
Hi, I am happy to (re)send a set of patches for compiling OpenSSH 4.7p1 with FIPS 140-2 OpenSSL. These are based on previously reported patches by Steve Marquess <marquess at ieee.org> and Ben Laurie <ben at algroup.co.uk>, for ver. OpenSSH 3.8. Note that these patches are NOT OFFICIAL, and MAY be used freely by anyone. Issues [partially] handled: SSL FIPS Self test. RC4,
2012 Aug 29
1
second FIPS patch for openssh 6.0p1, fix pubkey
...#endif + #include <openssl/sha.h> + #ifdef OPENSSL_FIPS + #include <openssl/fips.h> + #endif + + /* import */ extern char *client_version_string; extern char *server_version_string; *************** *** 591,597 **** key->type, pktype); goto done; } ! fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); debug2("input_userauth_pk_ok: fp %s", fp); xfree(fp); --- 604,611 ---- key->type, pktype); goto done; } ! fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, ! SSH_FP_HEX); debug2("...
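Review bot: the changed key_fingerprint() call uses FIPS_mode() unconditionally, while the <openssl/fips.h> include added at the top of the hunk sits inside #ifdef OPENSSL_FIPS, so a build without OPENSSL_FIPS is not guaranteed a declaration for it. Put the hash selection under the same guard, with SSH_FP_MD5 in the #else branch, or move it into one small helper so other fingerprint call sites choose the hash the same way. A one-line comment that MD5 is not available in FIPS mode would explain why the debug fingerprint changes format.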
2003 Feb 09
1
Logging of comments on keys
...ad at Dunkel.de -------------- next part -------------- *** auth2-pubkey.c.orig Sun Feb 9 12:48:09 2003 --- auth2-pubkey.c Sun Feb 9 19:57:09 2003 *************** *** 183,188 **** --- 183,193 ---- debug("trying public key file %s", file); + /* log public key */ + + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + verbose("Attempt public key authentication for %s with %s key: %s", pw->pw_name, key_type(key), fp); + /* Fail quietly if file does not exist */ if (stat(file, &st) < 0) { /* Restore the privileged uid. */ *************** *** 244,249 *...
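Review bot: the added verbose() call sits above the stat() check, so in the lines shown an authentication attempt is logged for a key file that may not exist. Moving it below the "Fail quietly if file does not exist" test keeps the message to files that are actually read. fp also needs a matching xfree(fp) on every return path after this point, which the visible part of the hunk does not show.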
2001 Jan 12
1
Key fingerprint feature request
...out the host keys fingerprint in same format as the commercial ssh. This would make it so much easier to compare host keys etc. when you (have to) use both commercial ssh / openssh clients and servers. From what I can see it wouldn't be too much work to add new fingerprint method to key.c:key_fingerprint ... Perhaps the fingerprint style could be configurable with ssh_config options? -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Centre | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169
2000 Dec 28
2
sshd doesn't log which RSA key was used
Hi guys, and another feature request for sshd which I would classify as really useful. And I think this behaviour is currently not available (If yes, sorry, I must have missed it): > I believe that the sshd should log which RSA key was used to connect to > an account. When there are a number of keys in the authorized_keys file > it is often useful to know which one was used for each
2001 Dec 04
0
PATCH: log key fingerprint upon successful login
...,15 @@ * otherwise continue searching. */ authenticated = 1; + if (options.log_fingerprint) { + Key *auth_key = key_new(KEY_RSA1); + auth_key->rsa->n = pk->n; + auth_key->rsa->e = pk->e; + log("Found matching %s key: %s", + key_type(auth_key), + key_fingerprint(auth_key, SSH_FP_MD5, SSH_FP_HEX)); + key_free(auth_key); + } break; } diff -ruN openssh-3.0.2p1.dist/auth2.c openssh-3.0.2p1/auth2.c --- openssh-3.0.2p1.dist/auth2.c Tue Nov 13 04:46:19 2001 +++ openssh-3.0.2p1/auth2.c Tue Dec 4 14:12:37 2001 @@ -690,8 +690,13 @@ found_key = 0; foun...
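Review bot: in the options.log_fingerprint block, auth_key borrows pk->n and pk->e and is then passed to key_free(auth_key), so the BIGNUMs are released while pk still points at them, and the ones key_new(KEY_RSA1) allocated are lost. Either copy the values (BN_copy into the members key_new created) or detach the borrowed pointers before key_free(). The string returned by key_fingerprint() is also passed straight to log() and never freed; hold it in a local and xfree() it after the call.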
2014 Apr 17
1
OpenSSH 6.4, "ssh-add -l", output to non-tty
...n a FreeBSD 7 box (I know it's old; it's being replaced this month). I can't spot anything changed in OpenSSH commit logs or git blame of the current file. I ssh into the box from a system with OpenSSH6.6p1 and three keys loaded, RSA, ECDSA and ED25519. As expected, key_from_blob and key_fingerprint complain about the ED25519 key in the agent, because they can't handle it. Not a problem. However, in this scenario, "ssh-add -l" will only produce output to stdout if stdout is a tty. "ssh-add -L" reliably produces output to stdout. "ssh-add -l" reliably produ...
2001 Mar 04
1
bubblebabble patch
...{ + DIGEST_TYPE_SHA1, + DIGEST_TYPE_MD5 +}; + +enum digest_representation { + DIGEST_REPRESENTATION_HEX, + DIGEST_REPRESENTATION_BUBBLEBABBLE +}; + struct Key { int type; RSA *rsa; @@ -46,6 +57,7 @@ Key *key_new_private(int type); void key_free(Key *k); int key_equal(Key *a, Key *b); +char *key_fingerprint_ex(Key *k, enum digest_type dgst_type, enum digest_representation dgst_representation); char *key_fingerprint(Key *k); char *key_type(Key *k); int key_write(Key *key, FILE *f); --- ./openssh-2.5.1/key_original.c Sun Mar 4 00:48:41 2001 +++ ./openssh-2.5.1/key.c Sun Mar 4 01:07:21 2001 @@ -153,...
2010 Mar 03
2
Viewing certificate details
Hi, I don't see any way to view the details of a certificate once it is generated. Having such a capability would be very handy for debugging purposes to check what constraints, principals, and validity interval are associated with a given cert. -- Iain Morgan
2005 Jul 26
1
Linux in-kernel keys support
...@@ -162,6 +247,29 @@ } } +#ifdef HAVE_LIBKEYUTIL + if (inkernel) { + u_char *blob; + u_int len; + + xfree(comment); + comment = xmalloc(strlen(filename) + strlen("ssh:") + 1); + sprintf(comment, "ssh:%s", filename); + + fprintf(stderr, "Adding key %s\n", key_fingerprint(private, SSH_FP_MD5, SSH_FP_HEX)); + if (!key_to_blob(private, &blob, &len)) + fatal("key_to_blob: %s\n", filename); + + if (add_key("user", comment, blob, len, KEY_SPEC_USER_SESSION_KEYRING) < 0) + fatal("Failed to add key: %s\n", filename); + + xfr...
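Review bot: in the inkernel block the string returned by key_fingerprint() goes directly into fprintf() and is never released. Keep it in a local, print it, then xfree() it, the same way comment is released before being reassigned a few lines earlier.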
2002 Jan 29
2
Key fingerprint logging
...e dialog for this key. */ if (!auth_rsa_challenge_dialog(pk)) { /* Wrong response. */ @@ -249,10 +249,19 @@ * authentication to be rejected. * Break out of the loop if authentication was successful; * otherwise continue searching. */ authenticated = 1; + + if (options.log_key_fingerprint == 1) { + Key *k = key_new(KEY_RSA); + RSA *old_rsa = k->rsa; + k->rsa = pk; + snprintf(info,info_size," fp %s",key_fingerprint(k,SSH_FP_MD5,SSH_FP_HEX)); + k->rsa = old_rsa; + key_free(k); + } break; } /* Restore the privileged uid. */ restore_uid(); diff...
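Review bot: key_fingerprint() is called inside the snprintf() argument list, so the string it returns is never freed; store it in a local char *fp and xfree(fp) after the snprintf(). The swap of k->rsa with pk and the restore of old_rsa before key_free(k) is what keeps pk from being freed, and deserves a one-line comment saying so.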
2010 Apr 29
12
[Bug 1765] New: Error message if key not first in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1765 Summary: Error message if key not first in authorized_keys file Product: Portable OpenSSH Version: 5.5p1 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org
2003 May 12
0
Patch logging comment field of authorized key being used
...tripping '\n'. */ + if ( strlen(cp) && ( cp[strlen(cp)-1] == '\n' ) ) + cp[strlen(cp)-1] = '\0'; + log("Authorized key '%s' in %s", cp, file); debug("matching key found: file %s, line %lu", file, linenum); fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(found), fp);
2013 Jun 09
1
pass fingerprint to authorizedkeyscommand
...00:28:56.000000000 +0100 +++ openssh-6.2p1-modified/auth2-pubkey.c 2013-06-09 20:07:15.039975210 +0200 @@ -554,7 +554,8 @@ } execl(options.authorized_keys_command, - options.authorized_keys_command, user_pw->pw_name, NULL); + options.authorized_keys_command, user_pw->pw_name, + key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX), NULL); error("AuthorizedKeysCommand %s exec failed: %s", options.authorized_keys_command, strerror(errno)); Does this sound interesting? Thanks, Jason
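Review bot: the fingerprint is appended as a new argument after user_pw->pw_name in the execl() call, which changes what every existing AuthorizedKeysCommand program receives, and the visible lines carry no sshd_config(5) text describing it. Document the argument order and the fingerprint format (MD5, hex) with the option, and consider making the extra argument opt-in so commands that check their argument count keep working.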
2014 Mar 26
1
SSHFP issue
Have you seen this? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513 --mancha
2006 Feb 04
2
[PATCH] allow user to update changed key in known_hosts
...r msg1[1024], msg2[1024]; - - if (show_other_keys(host, host_key)) - snprintf(msg1, sizeof(msg1), - "\nbut keys of different type are already" - " known for this host."); - else - snprintf(msg1, sizeof(msg1), "."); - /* The default */ - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); - msg2[0] = '\0'; - if (options.verify_host_key_dns) { - if (matching_host_key_dns) - snprintf(msg2, sizeof(msg2), - "Matching host key fingerprint" - " found in DNS.\n"); - else - snprintf(msg2, sizeof...
2009 Mar 24
3
A way to log what line of authorized_keys that was used
Hi! I'm pretty sure that this isn't currently supported, so, I'll give it a shot and rather be rtfm-flamed instead of not trying :) Is there any way of logging what line of authorized_keys (and what file) that was used when a user logs in? It would be very nice to have to improve auditing logins of accounts with multiple publickeys. And, if there isn't - Would it be of
2014 Apr 19
3
[Bug 2234] New: ssh-add -l output aborts on unrecognized key, skips flush when stdout not tty
...ehaviour working as well as it does is based on only one set of keys being loaded and the most portable keys being loaded first. The current behaviour can be made agnostic of tty/non-tty by inserting a `setlinebuf(stdout);` call into `list_identities()`. A more reliable approach might be to give `key_fingerprint()` a flag to avoid calling fatal and to return an error some other way? -- You are receiving this mail because: You are watching the assignee of the bug.
2004 Oct 03
0
[patch] tell user about hosts with same key
..._key) + strlen(x->host) + 3) + break; + strcat(msg_same_key, "\t"); + strcat(msg_same_key, x->host); + strcat(msg_same_key, "\n"); + } + free_hostlist(keyhosts); + } else { + msg_same_key[0] = '\0'; + } + /* The default */ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); msg2[0] = '\0'; @@ -740,10 +763,11 @@ snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " "established%s\n" + "%s" "%s key fingerprint is %s.\n%s...
2006 Feb 22
2
Kerberos and authorized_keys
How reasonable, acceptable and difficult would it be to "enhance" openssh so authorizations using kerberos (specifically kerberos tickets) consulted the authorized_keys file? And to be a bit more precise... consulted authorized_keys so it could utilize any "options" (eg. from=, command=, environment=, etc) that may be present? I'm willing to make custom changes, but