Displaying 13 results from an estimated 13 matches for "key_sign".
2013 Jun 25
1
RFC: encrypted hostkeys patch
...ivate_key(kex->hostkey_type);
- if (server_host_private == NULL)
- fatal("Missing private key for hostkey type %d",
- kex->hostkey_type);
/* key, cert */
if ((dh_client_pub = BN_new()) == NULL)
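Review bot: with the fatal() on a NULL server_host_private removed at the top of this hunk, nothing visible here stops the exchange from continuing when no host key is available for kex->hostkey_type. If the private key may now legitimately be absent from this process, keep a fatal() for the case where the public key is missing as well, so a misconfigured server fails at this point with a clear message instead of later in signing.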
@@ -144,9 +141,8 @@ kexdh_server(Kex *kex)
}
/* sign H */
- if (PRIVSEP(key_sign(server_host_private, &signature, &slen, hash,
- hashlen)) < 0)
- fatal("kexdh_server: key_sign failed");
+ kex->sign(server_host_private, server_host_public, &signature, &slen,
+ hash, hashlen);
/* destroy_sensitive_data(); */
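Review bot: the result of kex->sign(...) is discarded, whereas the lines it replaces called fatal("kexdh_server: key_sign failed") on a negative return. Unless every kex->sign implementation is guaranteed to abort on failure itself, check the return value here; otherwise signature and slen can be used uninitialised after a failed sign. A short comment saying which of server_host_private and server_host_public may be NULL at this call would also help.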
diff --git a/kexecdhs.c b...
2014 Mar 21
2
Bug? between OpenSSH 6.4p1 and 6.5p1(also 6.6p1)
The problem I am seeing was introduced between 6.4p1 and 6.5p1 (and
still exists in 6.6p1). With HostbasedAuthentication/EnableSSHKeysign
turned on, I am seeing one of two sets of messages:
no matching hostkey found
ssh_keysign: no reply
key_sign failed
and
not a valid request
ssh_keysign: no reply
key_sign failed
Then in either case two password prompts:
bowman at HOST.math.utah.edu's password:
Permission denied, please try again.
bowman at HOST.math.utah.edu's password:
I've used strace and dtrace to watch what files...
2002 Jun 26
0
[Bug 304] New: ssh-keysign memory freeing bug
...Status: NEW
Severity: major
Priority: P2
Component: Miscellaneous
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: openssh at sigint.cs.purdue.edu
CC: openssh at sigint.cs.purdue.edu
The data received from ssh is freed before key_sign is run on it, which results
in a bogus signature, at least under Linux. (Solaris and IRIX don't seem to
mind.)
--- ssh-keysign.c~ Wed Jun 26 17:01:42 2002
+++ ssh-keysign.c Wed Jun 26 17:01:49 2002
@@ -192,7 +192,6 @@
data = buffer_get_string(&b, &dlen);
if...
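Review bot: the hunk header (7 lines down to 6) shows that a line is only removed. If that line is the free of data described in the report, the string returned by buffer_get_string(&b, &dlen) is then never released; moving the free to after the key_sign call, rather than dropping it, keeps the fix without introducing a leak.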
2002 Nov 15
3
apparent ssh_config fascism
...role as provider of defaults.
$ ssh -V
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
$ cat .ssh/config
Host localhost
HostbasedAuthentication yes
PreferredAuthentications hostbased
$ ssh localhost
Hostbased authentication not enabled in /etc/ssh/ssh_config
ssh_keysign: no reply
key_sign failed
Permission denied (publickey,password,keyboard-interactive,hostbased).
The situation is rectified by enabling Hostbased authentication in
/etc/ssh/ssh_config (as the error message suggests), but this must be
done by the systems administrator. Why is the setting in .ssh/config not
sufficien...
2015 Jan 09
5
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
Hi,
On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote:
> My ssh_config has
> Host *
> HostbasedAuthentication yes
> EnableSSHKeysign yes
> NoHostAuthenticationForLocalhost yes
>
> NoHostAuthenticationForLocalhost is not necessary.
> The one you are missing is EnableSSHKeysign.
>
> Additionally, you made no mention of your ssh_known_hosts files. Make
> sure
2010 Jan 12
2
[patch] Automatically add keys to agent
...gp, u_int *lenp,
- u_char *data, u_int datalen)
+ u_char *data, u_int datalen, AuthenticationConnection *auth)
{
Key *prv;
int ret;
@@ -1118,7 +1118,7 @@ identity_sign(Identity *id, u_char **sigp, u_int *lenp
if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
return (key_sign(id->key, sigp, lenp, data, datalen));
/* load the private key from the file */
- if ((prv = load_identity_file(id->filename)) == NULL)
+ if ((prv = load_identity_file(id->filename, auth)) == NULL)
return (-1);
ret = key_sign(prv, sigp, lenp, data, datalen);
key_free(prv);
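Review bot: identity_sign() passes auth straight to load_identity_file() on the changed line, and nothing visible checks it first. Callers without a running agent will have no connection to pass, so state in the function comment whether auth may be NULL and have load_identity_file() skip the add-to-agent step in that case. Note also that prv is released by key_free(prv) right after signing, so any hand-off of the key to the agent has to be complete before load_identity_file() returns.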
@@ -1168...
2008 Aug 16
21
[Bug 1506] New: rationalize agent behavior on smartcard removal/reattachment
https://bugzilla.mindrot.org/show_bug.cgi?id=1506
Summary: rationalize agent behavior on smartcard
removal/reattachment
Product: Portable OpenSSH
Version: 5.1p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Smartcard
AssignedTo:
2003 Apr 02
1
broken ssh-keysign for openssh 3.6.1p1 on Solaris 8
...enssh (3.4,3.5 and 3.6.1) all seem to suffer
from a broken ssh-keysign binary. This causes HostbasedAuthentication to
fail.
We have installed 3.6.1p1 on a Solaris 8 machine using
openssl-0.9.6i. This fails thusly
ssh server
<......some \digits removed - a key perhaps?>
ssh_keysign: no reply
key_sign failed
a at server's password
For version 3.4p1 we patched ssh-keysign.c and it worked as
expected. When we use the same ssh-keysign with the 3.6.1 distribution
it also works as expected.
Have other people noticed this? Is it so on other OSes? Is there a
patch anyway?
openssh was configured:...
2006 May 15
0
[PATCH 9/12] bug fix: openssh 4.3p2 possible NULL dereference
...h-agent.c 2005-11-04 22:15:00.000000000 -0600
+++ openssh-4.3p2-kylie/ssh-agent.c 2006-05-04 15:05:48.000000000 -0500
@@ -305,8 +305,8 @@ process_sign_request2(SocketEntry *e)
Identity *id = lookup_identity(key, 2);
if (id != NULL && (!id->confirm || confirm_key(id) == 0))
ok = key_sign(id->key, &signature, &slen, data, dlen);
+ key_free(key);
}
- key_free(key);
buffer_init(&msg);
if (ok == 0) {
buffer_put_char(&msg, SSH2_AGENT_SIGN_RESPONSE);
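Review bot: with key_free(key) moved inside the block, a request whose key could not be parsed now skips the free and carries on to buffer_init(&msg). That is only safe if ok is initialised to a failure value before this block, so that the if (ok == 0) test does not send SSH2_AGENT_SIGN_RESPONSE with an unset signature; the initialisation is outside the visible context, so please confirm it. The commit message should also say what key_free() does when handed NULL, so the impact of the original bug is clear.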
2006 Aug 28
0
patch for ssh-agent force confirm keys
...if (key != NULL) {
Identity *id = lookup_identity(key, 2);
- if (id != NULL && ((!confirm && !id->confirm) || confirm_key(id) == 0))
+ if (id != NULL && (!id->confirm || confirm_key(id) == 0))
ok = key_sign(id->key, &signature, &slen, data,
dlen);
}
key_free(key);
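Review bot: the direction of this diff looks reversed. The removed line carries the new test ((!confirm && !id->confirm) || confirm_key(id) == 0) and the added line is the plain !id->confirm check, so applying the patch as posted would take the force-confirm behaviour out rather than add it. Please regenerate it with the old and new trees swapped.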
@@ -1029,7 +1026,7 @@
init_rng();
seed_rng();
- while ((ch = getopt(ac, av, "Ccdksa:t:")) != -1) {
+ while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {...
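Review bot: the option letter chosen in the getopt string differs from the existing "c" only by case. Since the existing -c selects csh-style output, mistyping it for -C would silently leave keys unconfirmed; a more distinct letter would be safer, and whichever is used needs an entry in usage() and the manual page, neither of which appears in the visible hunks.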
2009 Mar 09
3
[Bug 1569] New: Hostbased auth fails when using a proxy command
...; (http://bugzilla.mindrot.org/attachment.cgi?id=1612)
Allow get_local_name() to handle a socket or pipe.
If hostbased authentication is enabled and a proxy command is used to
connect to the server, the following warning messages typically
appear:
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
This is due to the assumption that the file descriptor passed to
get_local_name() corresponds to a socket, which is not the case when a
proxy command is used.
The attached patch modifies get_local_name() sot that it falls back to
The attached patch modifies get_local_name() so that it falls back to
using gethostname() if get_socket_address() fails. As a res...
2015 Jan 09
4
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
...erver.DOMAIN.COM
> Permission denied (hostbased).
>
> instead, as my user, fails differently for some reason,
>
> ssh server.DOMAIN.COM
> ...
> no matching hostkey found for key ED25519 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> ssh_keysign: no reply
> key_sign failed
> Permission denied (hostbased).
>
So, that indicates that you have a problem with your client setup. Since
you are trying to use ssh from /usr/local/bin, I take it that it is a
local build. As such, some of the files may not be properly located.
You can check the location of the...
2005 Jul 26
1
Linux in-kernel keys support
...if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
+ if(id->key->flags & KEY_FLAG_KERN)
+ fprintf(stderr, "Going to use kernel key\n");
+ if (id->isprivate || (id->key->flags & KEY_FLAG_EXT) || (id->key->flags & KEY_FLAG_KERN))
return (key_sign(id->key, sigp, lenp, data, datalen));
/* load the private key from the file */
if ((prv = load_identity_file(id->filename)) == NULL)
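Review bot: the added fprintf(stderr, "Going to use kernel key\n") is leftover debugging output that would print on every signature with a kernel-held key; use the debug() logging call instead, or drop it. The if( on that line also lacks the space used in the surrounding code, and the new KEY_FLAG_KERN case needs a comment on how key_sign() is expected to reach a key that is not in process memory.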