Displaying 20 results from an estimated 34 matches for "krl".
2015 Dec 29
2
Bug in KRL signature verification
I believe there has been a bug in KRL signature verification that has been
present since the KRL feature was first introduced. It prevents signed KRLs
from being loaded by OpenSSH [0]. I believe this bug applies to all
versions of OpenSSH, although the majority of my effort has been devoted to
(and all of my code snippets come from) op...
2018 Sep 06
4
Some wishes regarding revoked keys
Hello.
I am trying to play through the following test scenario about
certificate revocation on Ubuntu 18.04, which has OpenSSH of this version:
OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n  7 Dec 2017
1. A CA key is created
ssh-keygen -t ed25519 -f ca
2. The CA public key is added to ~/.ssh/authorized_keys on some server:
cert-authority ssh-ed25519 AAAA...e ca at yoga
3. A user key is created on a
2019 Feb 04
3
Signing KRLs?
Hi!
While reading through PROTOCOL.krl I came across "5. KRL signature sections".
If my understanding is correct - and that's basically what I would like to
get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
they only accept KRLs signed by a trusted CA.
However, I cannot seem to find a way to actu...
2024 Jan 24
1
[Bug 3659] New: Certificates are ignored when listing revoked items in a (binary) revocation list
...re: All
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: webmaster at mmf-research.de
1. Create a blank binary revocation list:
ssh-keygen -Qlf my.krl
# KRL version 0
# Generated at 20240122T162948
2. Revoke a key, and a certificate:
ssh-keygen -kuf my.krl user1_id25519.pub user2_id25519-cert.pub
Revoking from user1_id25519.pub
Revoking from user2_id25519-cert.pub
3. Check the successful revocation:
ssh-keygen -Qf my.krl user1_id255...
2014 Nov 14
2
[Bug 2313] New: Corrupt KRL file when using multiple CA.
https://bugzilla.mindrot.org/show_bug.cgi?id=2313
Bug ID: 2313
Summary: Corrupt KRL file when using multiple CA.
Product: Portable OpenSSH
Version: 6.5p1
Hardware: Other
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org...
2013 Feb 06
0
Miscellaneous compiler warnings
...32: warning: ignoring return value of 'write', declared with attribute warn_unused_result
schnorr.c:494: warning: ignoring return value of 'vasprintf', declared with attribute warn_unused_result
schnorr.c:519: warning: ignoring return value of 'vasprintf', declared with attribute warn_unused_result
krl.c:508: warning: format '%llu' expects type 'long long unsigned int', but argument 3 has type 'u_int64_t'
krl.c:508: warning: format '%llu' expects type 'long long unsigned int', but argument 4 has type 'u_int64_t'
krl.c:508: warning: format '%llu' expects type 'long long unsigned int', but argument...
2013 Jan 27
1
null pointer dereference in krl.c?
Hi,
In ssh_krl_from_blob(), krl.c:984,
/* Record keys used to sign the KRL */
xrealloc(ca_used, nca_used + 1, sizeof(*ca_used));
ca_used[nca_used++] = key;
The result of `xrealloc' is never assigned to `ca_used', which remains
a null pointer. Will ca_used[...] crash? Did I miss anything?
Thank...
2013 Apr 01
0
Format warnings in krl.c
Compiling krl.c with clang results in a slew of warnings like this one:
/usr/src/secure/lib/libssh/../../../crypto/openssh/krl.c:505:37: warning:
format specifies type 'unsigned long long' but the argument has type
'u_int64_t' (aka 'unsigned long') [-Wformat]
This comes fro...
2019 Sep 16
2
revoking ssh-cert.pub with serial revokes also younger certs
Hi Daminan!
Hmmm... thought about it a little...
When I use -vvv with ssh-keygen -Qf I see "debug1:..." So I think debug
is compiled in.
ssh-keygen --help gives me
ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...
so... option -z is not the serial of the certificate, it is the
version number of the KRL file...
My openssh version from Debian is 1:7.4p1-10+deb9u7. Maybe this
openssh version does not support revoking a certificate by its
serialnumbe...
2023 Jul 31
5
Call for testing: OpenSSH 9.4
...same
name.
* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
* ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
extensions. This defines wire formats for optional KRL extensions
and implements parsing of the new submessages. No actual extensions
are supported at this point.
* sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
accept two additional %-expansion sequences: %D whic...
2023 Aug 10
1
Announce: OpenSSH 9.4 released
...same
name.
* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
* ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
extensions. This defines wire formats for optional KRL extensions
and implements parsing of the new submessages. No actual extensions
are supported at this point.
* sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
accept two additional %-expansion sequences: %D whic...
2023 Aug 09
1
Call for testing: OpenSSH 9.4
...(1): add a "match localnetwork" predicate. This allows matching
> on the addresses of available network interfaces and may be used to
> vary the effective client configuration based on network location.
>
> * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
> extensions. This defines wire formats for optional KRL extensions
> and implements parsing of the new submessages. No actual extensions
> are supported at this point.
>
> * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
> accept two additio...
2014 Dec 09
2
build problems on the latest portable tree
...he latest portable tree - HEAD
3dfd8d93dfcc69261f5af99df56f3ff598581979
- rijndael.c:1104:7: error: 'Td4' undeclared (first use in this function)
(Td4[(t0 >> 24) ] << 24) ^
^
introduced in commit a1f8110cd5ed818d59b3a2964fab7de76e92c18e
- ./libssh.a(krl.o): In function `ssh_krl_from_blob': krl.c:1007:
undefined reference to `reallocarray'
introduced in commit 74de254bb92c684cf53461da97f52d5ba34ded80 -
reallocarray() seems to only be part of the openbsd-5.6 stdlib
Petr
--
Petr Lautrbach
2013 Feb 26
16
Call for testing: OpenSSH-6.2
...etion of all the methods in any list is required for
authentication to complete. This allows, for example, requiring a
user having to authenticate via public key or GSSAPI before they
are offered password authentication.
* sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
(KRLs), a compact binary format to represent lists of revoked keys
and certificates that take as little as one bit per certificate when
revoking by serial number. KRLs may be generated using ssh-keygen(1)
and are loaded into sshd(8) via the existing RevokedKeys sshd_config
option.
* ssh(1)...
2019 Sep 13
2
revoking ssh-cert.pub with serial revokes also younger certs
Hi there!
What am I doing wrong?
I created a ssh-certificate
id_user_rsa-cert.pub with this dump:
id_user_rsa-cert.pub:
root at host # ssh-keygen -Lf id_user_rsa-cert.pub
        Type: ssh-rsa-cert-v01 at openssh.com user certificate
        Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk
        Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs
        Key ID:
2017 Mar 02
61
[Bug 2687] New: Coverity scan fixes
https://bugzilla.mindrot.org/show_bug.cgi?id=2687
Bug ID: 2687
Summary: Coverity scan fixes
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
2014 Oct 06
0
Announce: OpenSSH 6.7 released
...cting with something that implements the specification
correctly. OpenSSH 6.7 disables this KEX method when speaking to
one of the affected versions.
New Features
* Major internal refactoring to begin to make part of OpenSSH usable
as a library. So far the wire parsing, key handling and KRL code
has been refactored. Please note that we do not consider the API
stable yet, nor do we offer the library in separable form.
* ssh(1), sshd(8): Add support for Unix domain socket forwarding.
A remote TCP port may be forwarded to a local Unix domain socket
and vice versa or both en...
2014 Aug 18
15
Call for testing: OpenSSH 6.7
...cting with something that implements the specification
correctly. OpenSSH 6.7 disables this KEX method when speaking to
one of the affected versions.
New Features
* Major internal refactoring to begin to make part of OpenSSH usable
as a library. So far the wire parsing, key handling and KRL code
has been refactored. Please note that we do not consider the API
stable yet, nor do we offer the library in separable form.
* ssh(1), sshd(8): Add support for Unix domain socket forwarding.
A remote TCP port may be forwarded to a local Unix domain socket
and vice versa or both en...
2015 May 31
2
Call for testing: OpenSSH 6.9
...sh sftp-perm.sh reconfigure.sh
dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh
cfgparse.sh cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh
portnum.sh keytype.sh kextype.sh cert-hostkey.sh cert-userkey.sh
host-expand.sh keys-command.sh forward-control.sh integrity.sh krl.sh
multipubkey.sh limit-keytype.sh hostkey-agent.sh keygen-knownhosts.sh
hostkey-rotate.sh principals-command.sh" = "x" ]; then exit 0; fi; \
for TEST in ""connect.sh proxy-connect.sh connect-privsep.sh
proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh
transfer....
2015 Mar 18
0
Announce: OpenSSH 6.8 released
...ltiple ECDSA keys of different lengths.
* ssh(1): when host name canonicalisation is enabled, try to
parse host names as addresses before looking them up for
canonicalisation. Fixes bz#2074 and avoids needless DNS
lookups in some cases.
* ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
require OpenSSH to be compiled with OpenSSL support.
* ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
authentication.
* sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
Bleichenbacher Side Channel Attack. Fake up a bignum key before
RSA decryptio...