search for: key_unspec

...sh-keygen.c b/ssh-keygen.c index ea3c0e63888..215693eaca6 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -275,7 +275,8 @@ load_identity(char *filename) struct sshkey *prv; int r; - if ((r = sshkey_load_private(filename, "", &prv, NULL)) == 0) + if ((r = sshkey_load_private_type(KEY_UNSPEC, filename, "", + &prv, NULL)) == 0) return prv; if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) fatal("Load key \"%s\": %s", filename, ssh_err(r)); @@ -283,7 +284,7 @@ load_identity(char *filename) pass = xstrdup(identity_passphrase); else pass = read_pa...

http://bugzilla.mindrot.org/show_bug.cgi?id=526 Summary: potential ssh-keysign segfault if pktype == KEY_UNSPEC Product: Portable OpenSSH Version: 3.6p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: cjwats...

....c,v retrieving revision 1.32 retrieving revision 1.33 diff -u -r1.32 -r1.33 --- authfile.c 2001/04/18 23:44:51 1.32 +++ authfile.c 2001/05/16 20:51:57 1.33 @@ -555,7 +555,8 @@ lseek(fd, (off_t) 0, SEEK_SET); /* rewind */ if (pub == NULL) { /* closes fd */ - return key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL); + return key_load_private_pem(fd, KEY_UNSPEC, passphrase, + commentp); } else { /* it's a SSH v1 key if the public key part is readable */ key_free(pub);

...en this key is used for authentication. Any port forward requests by the client will return an error. Index: 3_0_2p1.1/key.h --- 3_0_2p1.1/key.h Wed, 21 Nov 2001 10:38:46 -0500 +++ 3_0_2p1_w_named_keys.1(w)/key.h Thu, 24 Jan 2002 10:52:24 -0500 @@ -34,7 +34,9 @@ KEY_RSA1, KEY_RSA, KEY_DSA, - KEY_UNSPEC + KEY_UNSPEC, + KEY_NAME, + KEY_NAME_PAT }; enum fp_type { SSH_FP_SHA1, @@ -53,12 +55,15 @@ int flags; RSA *rsa; DSA *dsa; + u_char *name; + char *name_type; }; Key *key_new(int); Key *key_new_private(int); void key_free(Key *); int key_equal(Key *, Key *); +int key_match(Key *...

...s by the client will return an error. Index: 2_9_p2.1/key.h --- 2_9_p2.1/key.h Thu, 03 May 2001 16:12:13 -0400 jd (OpenSSH/j/7_key.h 1.1 644) +++ 2_9_p2_w_named_keys.2/key.h Tue, 03 Jul 2001 13:57:30 -0400 willian (OpenSSH/j/7_key.h 1.1.1.1 644) @@ -34,7 +34,9 @@ KEY_RSA1, KEY_RSA, KEY_DSA, - KEY_UNSPEC + KEY_UNSPEC, + KEY_NAME, + KEY_NAME_PAT }; enum fp_type { SSH_FP_SHA1, @@ -48,12 +50,16 @@ int type; RSA *rsa; DSA *dsa; + u_char *name; + u_int name_len; + char *name_type; }; Key *key_new(int type); Key *key_new_private(int type); void key_free(Key *k); int key_equal(Key *a, Key...

Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I noticed that there is a bit of functionality missing from OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using GSS authentication. Yes, ~/.k5login can be used to grant access to an account for applications that support Kerberos, as does OpenSSH with those GSS patches, but .k5login does not and cannot provide

...====== sshconnect2.c - in load_identity_file() add a comment string pointer and a few lines to print the key comment if requested and the comment string exists. diff: 603a604,605 > // added: > char *comment; 611c613,622 < private = key_load_private_type(KEY_UNSPEC, filename, "", NULL); --- > > comment = NULL; > > debug("load_identity_file: loading private key from %s", filename); > > // private = key_load_private_type(KEY_UNSPEC, filename, "", NULL); > private = key_load_private_type(...

...ds the possibility of displaying key fingerprints in the bubblebabble format used by ssh.com ssh implementations. I hope it makes its way into the source. --- ./openssh-2.5.1/key_original.h Sun Mar 4 00:47:55 2001 +++ ./openssh-2.5.1/key.h Sun Mar 4 00:57:57 2001 @@ -36,6 +36,17 @@ KEY_DSA, KEY_UNSPEC }; + +enum digest_type { + DIGEST_TYPE_SHA1, + DIGEST_TYPE_MD5 +}; + +enum digest_representation { + DIGEST_REPRESENTATION_HEX, + DIGEST_REPRESENTATION_BUBBLEBABBLE +}; + struct Key { int type; RSA *rsa; @@ -46,6 +57,7 @@ Key *key_new_private(int type); void key_free(Key *k); int key_equal...

...passphrase; - int perm_ok = 0, quit, i; + char prompt[300], *passphrase, *comment = NULL; + int perm_ok = 0, quit, i, allowed = 0; struct stat st; if (stat(filename, &st) < 0) { debug3("no such identity: %s", filename); return NULL; } - private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); - if (!perm_ok) + private = key_load_private_type(KEY_UNSPEC, filename, "", &comment, &perm_ok); + if (!perm_ok) { + if (comment) + xfree(comment); return NULL; + } if (private == NULL) { - if (options.batch_mode) + if (optio...

...t = 0; } else { debug2("no passphrase given, try next key"); --- sshconnect2.c.orig Thu Nov 27 16:31:25 2003 +++ sshconnect2.c Thu Nov 27 16:36:38 2003 @@ -967,7 +967,8 @@ debug3("no such identity: %s", filename); return NULL; } - private = key_load_private_type(KEY_UNSPEC, filename, "", NULL); + private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, + options.group_private_key); if (private == NULL) { if (options.batch_mode) return NULL; @@ -977,7 +978,8 @@ passphrase = read_passphrase(prompt, 0); if (strcmp(passphra...

...k, int *private) +{ + FILE *fp; + RSA *rsa; +#ifdef notyet + DSA *dsa; +#endif + + if ((fp = fopen(identity_file, "r")) == NULL) + fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); + if ((rsa = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL)) != NULL) { + *k = key_new(KEY_UNSPEC); + (*k)->type = KEY_RSA; + (*k)->rsa = rsa; + fclose(fp); + return; + } +#if notyet /* OpenSSH 0.9.8 lacks this function */ + rewind(fp); + if ((dsa = PEM_read_DSA_PUBKEY(fp, NULL, NULL, NULL)) != NULL) { + *k = key_new(KEY_UNSPEC); + (*k)->type = KEY_DSA; + (*k)->dsa = dsa; +...

...e_type(int type, const char *filename, const char *passphrase, ? ?int ?sshkey_load_private(const char *filename, const char *passphrase, -??? struct sshkey **keyp, char **commentp) +??? struct sshkey **keyp, char **commentp, struct sshkey_vault **vault_infop) ?{ ??? ?return sshkey_load_private_type(KEY_UNSPEC, filename, passphrase, -?? ???? keyp, commentp); +?? ???? keyp, commentp, vault_infop); ?} ? ?int ?sshkey_load_private_type_fd(int fd, int type, const char *passphrase, -??? struct sshkey **keyp, char **commentp) +??? struct sshkey **keyp, char **commentp, struct sshkey_vault **vault_infop) ?{ ???...

I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may

...(struct hostkey_foreach_line *l, void *_ctx) #ifndef WITH_SSH1 if (parse_key && (expected->l.keytype == KEY_RSA1 || - expected->no_parse_keytype == KEY_RSA1)) { + expected->no_parse_keytype == KEY_RSA1)) { expected_status = HKF_STATUS_INVALID; expected_keytype = KEY_UNSPEC; parse_key = 0; } #endif +#ifndef WITH_OPENSSL + if (expected->l.keytype == KEY_RSA || + expected->no_parse_keytype == KEY_RSA || + expected->l.keytype == KEY_DSA || + expected->no_parse_keytype == KEY_DSA) { + expected_status = HKF_STATUS_INVALID; + expected_keytyp...

...somewhere inside the line being parsed. It cannot be freed itself. >--- sshconnect2.c 29 May 2011 11:42:34 -0000 1.180 >+++ sshconnect2.c 30 Dec 2011 09:27:33 -0000 >@@ -1323,8 +1323,11 @@ load_identity_file(char *filename) > return NULL; > } > private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok); >- if (!perm_ok) >+ if (!perm_ok) { >+ if (private != NULL) >+ key_free(private); This code has been refactored and the leak eliminated. >@@ -1892,9 +1895,9 @@ authmethod_get(char *authlist) > xfree(name); > return curren...

...:24 2001 +++ authfile.c Tue Feb 20 19:27:20 2001 @@ -446,6 +446,7 @@ fp = fdopen(fd, "r"); if (fp == NULL) { error("fdopen failed"); + close(fd); return 0; } pk = PEM_read_PrivateKey(fp, NULL, NULL, (char *)passphrase); @@ -536,10 +537,11 @@ case KEY_RSA: case KEY_UNSPEC: ret = load_private_key_ssh2(fd, passphrase, key, comment_return); + break; default: + close(fd); break; } - close(fd); return ret; }

Hi list, I have no idea if Damien Miller had the time to work on that. I have an initial patch to authenticate using PKCS#11 and ECDSA keys. This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the required interfaces to override the signature function pointer for ECDSA. The only limitation is that the OpenSSL API misses some cleanup function (finish, for instance), hence I have yet

...quot;); + if (hostkeyalg == NULL) { + if (k->server) + fatal("bad '%.100s' hostkey alg request from %.200s", client, get_remote_ipaddr()); + else + fatal("no '%.100s' hostkey alg(s) for %.200s", client, get_remote_ipaddr()); + } +/* + * Note that if KEY_UNSPEC is returned, BOTH the client and the server + * have the same bad key string. + */ k->hostkey_type = key_type_from_name(hostkeyalg); if (k->hostkey_type == KEY_UNSPEC) - fatal("bad hostkey alg '%s'", hostkeyalg); + fatal("unknown hostkey alg '%s'", ho...

Suppose an SSH server has both RSA and DSA host keys for protocol 2, but I only have the DSA key, and I want to use that. I'm stuck; the OpenSSH client is hard-wired to offer both algorithms in the key exchange, and will select ssh-rsa if it's available (see myproposal.h, KEX_DEFAULT_PK_ALG). Below is a patch adding the client configuration option "PKAlgorithms" for this

https://bugzilla.mindrot.org/show_bug.cgi?id=2623 Bug ID: 2623 Summary: AuthorizedKeysFile split pub key and signature with tab `\t` not work. Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: