Displaying 9 results from an estimated 9 matches for "key_rsa_cert".
2018 Oct 11
3
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
...08..1d2906f 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
* newer (SHA2) algorithms.
*/
if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
- (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) {
+ (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
+ (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
/* Filter base key signature alg against our configuration */
return match_list(sshkey_ssh_name(key),
options.pubkey_key...
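Review bot: The comment above the condition in key_sig_algorithm() still only talks about the newer (SHA2) algorithms and does not cover the added `key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE)` clause. Please extend it to say why RSA certificates take the "Filter base key signature alg" branch when SSH_BUG_SIGTYPE is set, so the special case is not later removed as redundant.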
2018 Oct 11
2
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
...080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
> > * newer (SHA2) algorithms.
> > */
> > if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
> > - (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) {
> > + (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
> > + (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
> > /* Filter base key signature alg against our configuration */
> >...
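Review bot: The added clause in the `if` reads the global `datafellows` even though key_sig_algorithm() already receives `ssh`, so the result depends on state that is not visible in the function's parameters. If the compat flags cannot be reached through `ssh` at this point, say so in the comment above the condition. It would also read more clearly with the SSH_BUG_SIGTYPE test split out from the key type test.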
2018 Oct 11
2
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
...e a bug:
>
> diff --git a/sshkey.c b/sshkey.c
> index f7c09fb..e602987 100644
> --- a/sshkey.c
> +++ b/sshkey.c
> @@ -109,9 +109,9 @@ static const struct keytype keytypes[] = {
> { "ssh-rsa-cert-v01 at openssh.com", "RSA-CERT", NULL,
> KEY_RSA_CERT, 0, 1, 0 },
> { "rsa-sha2-256-cert-v01 at openssh.com", "RSA-CERT",
> - "ssh-rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
> + "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
> { "rsa-sha2-512-cert-v01 at openssh.com&qu...
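Review bot: Nothing at build time catches a wrong signature algorithm string in `keytypes[]`, as the `rsa-sha2-256-cert-v01` entry shows ("ssh-rsa-sha2-256" where "rsa-sha2-256" was meant). Consider adding a regression test that checks each signature algorithm string in the table against the algorithm names the code accepts. The `rsa-sha2-512-cert-v01` entry is cut off in the quoted text, so confirm it receives the same correction.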
2018 Oct 10
2
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
Hi,
One of our users who is running an OS (I think it's the latest beta
macOS 10.14.1) with ssh version "OpenSSH_7.8p1, LibreSSL 2.7.3" is
unable to use our user SSH RSA certificates to authenticate to our
servers (which are running "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan
2017").
We see this error on the client side:
debug1: kex_input_ext_info:
2013 May 15
2
Support for "ssh-rsa-sha256" and "ssh-dss-sha256" ?
Functionality request for supporting Digital Signatures for RSA and DSS
Public Key Algorithms in alignment with NIST SP800-131A.
I assume this has been asked before, but I could not find in the
archives. Support of "ssh-rsa-sha256" and "ssh-dss-sha256" public key
algorithms for OpenSSH? I know Suite B Algorithms and x509 SSH
Extension Algorithms are supported, but not a
2010 Apr 29
12
[Bug 1765] New: Error message if key not first in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=1765
Summary: Error message if key not first in authorized_keys file
Product: Portable OpenSSH
Version: 5.5p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
2016 Sep 18
2
OpenSSL 1.1.0 support
...ate parts. I don't agree that it
should just have BN members that are not set to a real value. So I
removed that code and the checks. I'm not even sure why this was
done. But sshkey_add_private() ends up as a rather useless
function now.
- In sshkey_private_deserialize() there was a KEY_RSA_CERT case.
I'm not sure what it's about and I guess the test suite also
doesn't check it. But it seems that it only has the private key
in that case and OpenSSL now seems to insist that an RSA needs
to have the public key information too.
PS: I didn't subscribe to the list.
K...
2016 Dec 28
2
certificates keys on pkcs11 devices
Hi,
I have not found any way to use a Certificate with ssh-agent when my Key is
stored on a pkcs11 device. I can add my key with
ssh-add -s /usr/local/lib/opensc-pkcs11.so
but
ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub
does not add the certificate to my agent. As far as I understand, in
ssh-add.c line 580
if (pkcs11provider != NULL) {
if (update_card(agent_fd,
2015 Jul 26
2
[PATCH] ssh-agent: Add support to load additional certificates
...:40.978410299 +0200
@@ -324,6 +324,48 @@ sshkey_is_cert(const struct sshkey *k)
return sshkey_type_is_cert(k->type);
}
+/* TODO: Please review carefully */
+int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA1:
+ case KEY_RSA:
+ case KEY_RSA_CERT_V00:
+ case KEY_RSA_CERT:
+ if (k->rsa && k->rsa->d && k->rsa->q && k->rsa->p &&
+ k->rsa->iqmp &&
+ !BN_is_zero(k->rsa->d) &&
+ !BN_is_zero(k->rsa->q) &&
+ !BN_is_zero(k->rsa->p) &&...
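Review bot: sshkey_is_private() dereferences `k` in `switch (k->type)` without a NULL check; add `if (k == NULL) return 0;` before the switch unless every caller guarantees a non-NULL key. The `/* TODO: Please review carefully */` comment should also be replaced, before this is merged, with a description of what the function treats as a private key.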