
2001 Dec 04
0
PATCH: log key fingerprint upon successful login
...options, file, linenum)) + if (!auth_parse_options(pw, optionsp, file, linenum)) continue; /* Perform the challenge-response dialog for this key. */ @@ -251,6 +251,15 @@ * otherwise continue searching. */ authenticated = 1; + if (options.log_fingerprint) { + Key *auth_key = key_new(KEY_RSA1); + auth_key->rsa->n = pk->n; + auth_key->rsa->e = pk->e; + log("Found matching %s key: %s", + key_type(auth_key), + key_fingerprint(auth_key, SSH_FP_MD5, SSH_FP_HEX)); + key_free(auth_key); + } break; } diff -ruN openssh-3.0.2p1.dist/auth2...
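Review bot: In the `options.log_fingerprint` block of the second hunk, `auth_key->rsa->n = pk->n;` and `auth_key->rsa->e = pk->e;` make the temporary key alias the BIGNUMs owned by `pk`, and `key_free(auth_key)` then runs on a key that shares them. If key_free releases the RSA members (its body is not visible here), `pk` is left with dangling `n`/`e` in sshd's authentication path, and whatever key_new(KEY_RSA1) presumably allocated for those fields is leaked. Copy the values instead, `BN_copy(auth_key->rsa->n, pk->n);` and `BN_copy(auth_key->rsa->e, pk->e);`, so the temporary key owns what it frees. The enclosing function starts and ends outside the hunk.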
2004 May 06
9
[Bug 864] sshd segfaults on connect on SunOS
http://bugzilla.mindrot.org/show_bug.cgi?id=864 Summary: sshd segfaults on connect on SunOS Product: Portable OpenSSH Version: 3.8.1p1 Platform: Sparc OS/Version: SunOS Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: jsr at
2015 Mar 31
7
Wanted: smartcard with ECDSA support
Hi list, I have no idea if Damien Miller had the time to work on that. I have an initial patch to authenticate using PKCS#11 and ECDSA keys. This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the required interfaces to override the signature function pointer for ECDSA. The only limitation is that the OpenSSL API misses some cleanup function (finish, for instance), hence I have yet
2012 Jul 28
1
[PATCH] ssh-keygen: support public key import/export using SubjectPublicKeyInfo
...o(Key **k, int *private) +{ + FILE *fp; + RSA *rsa; +#ifdef notyet + DSA *dsa; +#endif + + if ((fp = fopen(identity_file, "r")) == NULL) + fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); + if ((rsa = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL)) != NULL) { + *k = key_new(KEY_UNSPEC); + (*k)->type = KEY_RSA; + (*k)->rsa = rsa; + fclose(fp); + return; + } +#if notyet /* OpenSSH 0.9.8 lacks this function */ + rewind(fp); + if ((dsa = PEM_read_DSA_PUBKEY(fp, NULL, NULL, NULL)) != NULL) { + *k = key_new(KEY_UNSPEC); + (*k)->type = KEY_DSA; + (*k)->dsa...
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
...Willkinson's GSS-API patches. Files modified: - key.h - added KEY_NAME key type - added KEY_NAME_PAT key type - added name, name_len and name_type fields to the Key struct - added prototype for key_match() - key.c - added initialization/finalization of new Key fields to key_new()/key_free() - added named/pattern key type support to a variety of functions, including key_read() and key_write(), among others - added key_match() implementation - auth-options.h - added void auth_set_key_env(Key *) prototype - auth-options.c - added auth_set_key_env()...
2001 Aug 15
0
[ossh patch] principal name/patterns in authorized_keys2
...- added KEY_NAME key type - added KEY_NAME_PAT key type - added name, name_len and name_type fields to the Key struct (I realize that the name_len field is useless, I may remove it) - added prototype for key_match() - key.c - added initialization/finalization of new Key fields to key_new()/key_free() - added named/pattern key type support to a variety of functions, including key_read() and key_write(), among others - added key_match() implementation - auth-options.h - added void auth_set_key_env(Key *) prototype - auth-options.c - added auth_set_key_env()...
2001 Jun 28
1
Adding 'name' key types
Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I noticed that there is a bit of functionality missing from OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using GSS authentication. Yes, ~/.k5login can be used to grant access to an account for applications that support Kerberos, as does OpenSSH with those GSS patches, but .k5login does not and cannot provide
2001 Nov 20
0
Patch: 3.0.1p1: rename a conflicting variable
...- if (!auth_parse_options(pw, options, file, linenum)) + if (!auth_parse_options(pw, optionsp, file, linenum)) continue; /* Perform the challenge-response dialog for this key. */ --- auth2.c.orig Mon Nov 19 16:54:10 2001 +++ auth2.c Mon Nov 19 16:55:18 2001 @@ -691,7 +691,7 @@ found = key_new(key->type); while (fgets(line, sizeof(line), f)) { - char *cp, *options = NULL; + char *cp, *optionsp = NULL; linenum++; /* Skip leading whitespace, empty and comment lines. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) @@ -703,7 +703,7 @@ /* no key? che...
2001 Jan 07
1
[PATCH] Caching passphrase in ssh-add.
...sh-add.c 2000/11/17 03:47:21 1.28 +++ ssh-add.c 2001/01/07 21:52:10 @@ -54,6 +54,8 @@ char *__progname; #endif +static char *last_passphrase = NULL; + void delete_file(AuthenticationConnection *ac, const char *filename) { @@ -172,6 +174,10 @@ /* At first, try empty passphrase */ private = key_new(type); success = load_private_key(filename, "", private, &comment); + if (!success && last_passphrase) { + /* Have passphrase from last key loaded */ + success = load_private_key(filename, last_passphrase, private, &comment); + } if (!success) { printf("Need...
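Review bot: `static char *last_passphrase` in the first hunk keeps a cleartext passphrase alive at file scope for the rest of the ssh-add run, and neither visible hunk shows it being wiped. Wherever it is assigned or replaced, the old buffer should be overwritten before it is released, e.g. `memset(last_passphrase, 0, strlen(last_passphrase));` followed by `xfree(last_passphrase);`, and the same on the exit path. The second hunk also retries the cached passphrase silently against the next key file; a comment stating that this is intended would help. The second hunk is cut off in this listing, so the assignment site cannot be checked here.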
2003 Mar 28
0
PRIVSEP annoys me.
...; restore_uid(); > return 0; > } > > if (options.strict_modes && > secure_filename(f, file, pw, line, sizeof(line)) != 0) { > fclose(f); > log("Authentication refused: %s", line); > restore_uid(); > return 0; > } > > key = key_new(KEY_RSA); > > /* > * Get the public key from the file. If ok, perform a > * challenge-response dialog to verify that the user has > * the right IC card. > */ > if( fread( n_e, 131, 1, f ) < 1 ) { > restore_uid(); > packet_send_debug("Read file %.90...
2000 Aug 02
1
load_private_key hell
...t main (int argc, char *argv[]) { Key *k; struct stat st; char *filename="/home/sun1/amb/.ssh/id_dsa"; if (stat(filename, &st) != 0) { debug("key does not exist: %s", filename); return 0; } k = key_new(KEY_DSA); if (!load_private_key(filename, "", k, NULL)) { int success = 0; char *passphrase; char prompt[300]; snprintf(prompt, sizeof prompt, "Enter passphrase for DSA key '%.100s':...
2007 Aug 21
1
ssh-agent security
...&cred, &len) >= 0) { + int ret; + + snprintf(inform_cmdline, sizeof inform_cmdline, "%s %d", + inform_cmd, cred.pid); + ret = system(inform_cmdline); + if (ret != 0) { + close_socket(e); + return; + } + } + } +#endif + + + buffer_init(&msg); key = key_new(KEY_RSA1); if ((challenge = BN_new()) == NULL) @@ -314,6 +339,26 @@ Buffer msg; Key *key; +#if defined(SO_PEERCRED) + if (AUTH_CONNECTION == e->type) { + struct ucred cred; + socklen_t len = sizeof(cred); + char inform_cmdline[MAXPATHLEN]; + + if (run_inform && getsockopt(e-&...
2002 Jan 31
7
x509 for hostkeys.
...01 19:27:15 -0000 1.17 +++ key.h 30 Jan 2002 15:23:11 -0000 @@ -28,6 +28,7 @@ #include <openssl/rsa.h> #include <openssl/dsa.h> +#include <openssl/x509.h> typedef struct Key Key; enum types { @@ -53,6 +54,7 @@ int flags; RSA *rsa; DSA *dsa; + X509 *x509; }; Key *key_new(int); Index: ssh-rsa.c =================================================================== RCS file: /home/markus/cvs/ssh/ssh-rsa.c,v retrieving revision 1.15 diff -u -r1.15 ssh-rsa.c --- ssh-rsa.c 25 Jan 2002 21:42:11 -0000 1.15 +++ ssh-rsa.c 31 Jan 2002 09:23:53 -0000 @@ -91,7 +91,11 @@ } /*...
2004 Oct 03
0
[patch] tell user about hosts with same key
...ist *hostlist; + char *thishost = NULL; + u_int thishostlen; + + debug3("find_hosts_by_key: filename %s", filename); + + /* Open the file containing the list of known hosts. */ + f = fopen(filename, "r"); + if (!f) + return initial_hosts; + + hostlist = initial_hosts; + found = key_new(search_key->type); + + /* Go through the file. */ + while (fgets(line, sizeof(line), f)) { + cp = line; + linenum++; + + /* Skip any leading whitespace, comments and empty lines. */ + for (; *cp == ' ' || *cp == '\t'; cp++) + ; + if (!*cp || *cp == '#' || *cp == ...
2012 Sep 09
2
Patch for ssh-keygen to allow conversion of public key to openssh format
..._PUBKEY(fp, NULL, NULL, NULL); + } else { + pk = X509_get_pubkey(x); + } + if (pk == NULL) { + debug("PEM_read_PUBKEY() file %s failed", filename); + debug3("%s", ERR_error_string(ERR_get_error(), NULL)); + if (x != NULL) + X509_free(x); + return NULL; + } else { + pub = key_new(KEY_UNSPEC); + pub->rsa = RSAPublicKey_dup(EVP_PKEY_get1_RSA(pk)); + pub->type = KEY_RSA; + name = "rsa w/o comment"; +#ifdef DEBUG_PK + RSA_print_fp(stderr, prv->rsa, 8); +#endif + } + + fclose(fp); + + if (pk != NULL) + EVP_PKEY_free(pk); + if (x != NULL) + X509_free(x);...
2005 May 19
1
ssh-keygen private keys export - new feature
...58,7 @@ u_int len; u_char *blob; struct stat st; + int private = 0; if (!have_identity) ask_filename(pw, "Enter file in which the key is"); @@ -168,27 +266,39 @@ perror(identity_file); exit(1); } - if ((k = key_load_public(identity_file, NULL)) == NULL) { + k = key_new(KEY_UNSPEC); + if (key_try_load_public(k, identity_file, NULL) != 1) { if ((k = load_identity(identity_file)) == NULL) { fprintf(stderr, "load failed\n"); exit(1); } + private = 1; } if (k->type == KEY_RSA1) { fprintf(stderr, "version 1 keys are not su...
2002 Jan 29
2
Key fingerprint logging
...h_rsa_challenge_dialog(pk)) { /* Wrong response. */ @@ -249,10 +249,19 @@ * authentication to be rejected. * Break out of the loop if authentication was successful; * otherwise continue searching. */ authenticated = 1; + + if (options.log_key_fingerprint == 1) { + Key *k = key_new(KEY_RSA); + RSA *old_rsa = k->rsa; + k->rsa = pk; + snprintf(info,info_size," fp %s",key_fingerprint(k,SSH_FP_MD5,SSH_FP_HEX)); + k->rsa = old_rsa; + key_free(k); + } break; } /* Restore the privileged uid. */ restore_uid(); diff -u5 openssh-3.0.2p1.orig/aut...
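Review bot: The string returned by `key_fingerprint(k,SSH_FP_MD5,SSH_FP_HEX)` in the second hunk is passed straight to `snprintf` and never kept, so if it is heap-allocated (the function is not shown here, confirm) it leaks on every successful RSA login. Hold it in a local and release it after formatting: `char *fp = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);`, `snprintf(info, info_size, " fp %s", fp);`, `xfree(fp);`. The temporary key is created as `KEY_RSA` although `pk` comes from the `auth_rsa_challenge_dialog` path; if fingerprints are computed per key type, the logged value may not match what the user sees for the same key, so `KEY_RSA1` looks like the intended type and is worth confirming. Restoring `k->rsa = old_rsa` before `key_free(k)` keeps the caller's key from being freed, and a one-line comment saying so would protect it from later cleanup. The enclosing function continues outside the hunk.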
2000 Sep 09
0
2.2.0p1 PATCH: ssh/scp/slogin will invoke ssh-askpass
...2 20:46:25 2000 +++ openssh-2.2.0p1/sshconnect1.c Sat Sep 9 01:13:35 2000 @@ -191,6 +191,8 @@ char *passphrase, *comment; int type, i; int plen, clen; + int interactive = isatty(STDIN_FILENO); + char *askpass = NULL; /* Try to load identification for the authentication key. */ public = key_new(KEY_RSA); @@ -244,7 +246,15 @@ snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ", comment); if (!options.batch_mode) - passphrase = read_passphrase(buf, 0); + if (!interactive && getenv("DISPLAY")) { + if (getenv(SSH_ASKPASS_...
2008 May 07
2
Request for generic engine support
...> if (pk == NULL) { > ERR_print_errors_fp(stderr); > debug("ENGINE_load_private_key failed"); > (void)ERR_get_error(); > goto finish; > } else if (pk->type == EVP_PKEY_RSA) { > prv = key_new(KEY_UNSPEC); > prv->rsa = EVP_PKEY_get1_RSA(pk); > prv->type = KEY_RSA; > name = "rsa w/o comment"; > #ifdef DEBUG_PK > RSA_print_fp(stderr, prv->rsa, 8); > #endif > if (RSA_blinding_on(prv...
2001 May 14
2
openssh-2.9p1
Hi, 1. I think you should apply the attached patch to openssh-2.9p1, otherwise ssh-keyscan on linux boxes with glibc-2.1 will experience enormous timeout delays. 2. Is there a program like ssh-keyscan for the Version2 (dsa and rsa) keys?? regards Peter Breitenlohner <peb at mppmu.mpg.de> -------------- next part -------------- diff -ur openssh-2.9p1.orig/ssh-keyscan.c