search for: krl

Displaying 20 results from an estimated 34 matches for "krl".

2015 Dec 29
2
Bug in KRL signature verification
I believe there has been a bug in KRL signature verification that has been present since the KRL feature was first introduced. It prevents signed KRLs from being loaded by OpenSSH [0]. I believe this bug applies to all versions of OpenSSH, although the majority of my effort has been devoted to (and all of my code snippets come from) op...
2018 Sep 06
4
Some wishes regarding revoked keys
Hello. I am trying to play through the following test scenario about certificate revocation on Ubuntu 18.04, which has OpenSSH of this version: OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n 7 Dec 2017 1. A CA key is created ssh-keygen -t ed25519 -f ca 2. The CA public key is added to ~/.ssh/authorized_keys on some server: cert-authority ssh-ed25519 AAAA...e ca at yoga 3. A user key is created on a
2019 Feb 04
3
Signing KRLs?
Hi! While reading through PROTOCOL.krl I came across "5. KRL signature sections". If my understanding is correct - and that's basically what I would like to get knocked down for if appropriate ;) - this is a way for SSHDs to ensure they only accept KRLs signed by a trusted CA. However, I cannot seem to find a way to actu...
2024 Jan 24
1
[Bug 3659] New: Certificates are ignored when listing revoked items in a (binary) revocation list
...re: All OS: All Status: NEW Severity: minor Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: webmaster at mmf-research.de 1. Create a blank binary revocation list: ssh-keygen -Qlf my.krl # KRL version 0 # Generated at 20240122T162948 2. Revoke a key, and a certificate: ssh-keygen -kuf my.krl user1_id25519.pub user2_id25519-cert.pub Revoking from user1_id25519.pub Revoking from user2_id25519-cert.pub 3. Check the successful revocation: ssh-keygen -Qf my.krl user1_id255...
2014 Nov 14
2
[Bug 2313] New: Corrupt KRL file when using multiple CA.
https://bugzilla.mindrot.org/show_bug.cgi?id=2313 Bug ID: 2313 Summary: Corrupt KRL file when using multiple CA. Product: Portable OpenSSH Version: 6.5p1 Hardware: Other OS: Linux Status: NEW Severity: major Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org...
2013 Feb 06
0
Miscellaneous compiler warnings
...32: warning: ignoring return value of 'write', declared with attribute warn_unused_result schnorr.c:494: warning: ignoring return value of 'vasprintf', declared with attribute warn_unused_result schnorr.c:519: warning: ignoring return value of 'vasprintf', declared with attribute warn_unused_result krl.c:508: warning: format '%llu' expects type 'long long unsigned int', but argument 3 has type 'u_int64_t' krl.c:508: warning: format '%llu' expects type 'long long unsigned int', but argument 4 has type 'u_int64_t' krl.c:508: warning: format '%llu' expects type 'long long unsigned int', but argument...
2013 Jan 27
1
null pointer dereference in krl.c?
Hi, In ssh_krl_from_blob(), krl.c:984, /* Record keys used to sign the KRL */ xrealloc(ca_used, nca_used + 1, sizeof(*ca_used)); ca_used[nca_used++] = key; The result of `xrealloc' is never assigned to `ca_used', which remains a null pointer. Will ca_used[...] crash? Did I miss anything? Thank...
2013 Apr 01
0
Format warnings in krl.c
Compiling krl.c with clang results in a slew of warnings like this one: /usr/src/secure/lib/libssh/../../../crypto/openssh/krl.c:505:37: warning: format specifies type 'unsigned long long' but the argument has type 'u_int64_t' (aka 'unsigned long') [-Wformat] This comes fro...
2019 Sep 16
2
revoking ssh-cert.pub with serial revokes also younger certs
Hi Daminan! Hmmm... thought about it a little... when I use -vvv with ssh-keygen -Qf I see "debug1:..." So I think debug is compiled in. ssh-keygen --help gives me ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ... so... option -z is not the serial of the certificate, it is the version number of the KRL file... My openssh version from Debian is 1:7.4p1-10+deb9u7. Maybe this openssh version does not support revoking a certificate by its serialnumbe...
2023 Jul 31
5
Call for testing: OpenSSH 9.4
...same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL extensions. This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point. * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now accept two additional %-expansion sequences: %D whic...
2023 Aug 10
1
Announce: OpenSSH 9.4 released
...same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL extensions. This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point. * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now accept two additional %-expansion sequences: %D whic...
2023 Aug 09
1
Call for testing: OpenSSH 9.4
...(1): add a "match localnetwork" predicate. This allows matching > on the addresses of available network interfaces and may be used to > vary the effective client configuration based on network location. > > * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL > extensions. This defines wire formats for optional KRL extensions > and implements parsing of the new submessages. No actual extensions > are supported at this point. > > * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now > accept two additio...
2014 Dec 09
2
build problems on the latest portable tree
...he latest portable tree - HEAD 3dfd8d93dfcc69261f5af99df56f3ff598581979 - rijndael.c:1104:7: error: 'Td4' undeclared (first use in this function) (Td4[(t0 >> 24) ] << 24) ^ ^ introduced in commit a1f8110cd5ed818d59b3a2964fab7de76e92c18e - ./libssh.a(krl.o): In function `ssh_krl_from_blob': krl.c:1007: undefined reference to `reallocarray' introduced in commit 74de254bb92c684cf53461da97f52d5ba34ded80 - reallocarray() seems to only be part of openbsd-5.6 stdlib Petr -- Petr Lautrbach
2013 Feb 26
16
Call for testing: OpenSSH-6.2
...etion of all the methods in any list is required for authentication to complete. This allows, for example, requiring a user having to authenticate via public key or GSSAPI before they are offered password authentication. * sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists (KRLs), a compact binary format to represent lists of revoked keys and certificates that take as little as one bit per certificate when revoking by serial number. KRLs may be generated using ssh-keygen(1) and are loaded into sshd(8) via the existing RevokedKeys sshd_config option. * ssh(1)...
2019 Sep 13
2
revoking ssh-cert.pub with serial revokes also younger certs
Hi there! What am I doing wrong? I created a ssh-certificate id_user_rsa-cert.pub with this dump: id_user_rsa-cert.pub: root at host # ssh-keygen -Lf id_user_rsa-cert.pub Type: ssh-rsa-cert-v01 at openssh.com user certificate Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs Key ID:
2017 Mar 02
61
[Bug 2687] New: Coverity scan fixes
https://bugzilla.mindrot.org/show_bug.cgi?id=2687 Bug ID: 2687 Summary: Coverity scan fixes Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org
2014 Oct 06
0
Announce: OpenSSH 6.7 released
...cting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions. New Features * Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form. * ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both en...
2014 Aug 18
15
Call for testing: OpenSSH 6.7
...cting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions. New Features * Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form. * ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both en...
2015 May 31
2
Call for testing: OpenSSH 6.9
...sh sftp-perm.sh reconfigure.sh dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh cfgparse.sh cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh keytype.sh kextype.sh cert-hostkey.sh cert-userkey.sh host-expand.sh keys-command.sh forward-control.sh integrity.sh krl.sh multipubkey.sh limit-keytype.sh hostkey-agent.sh keygen-knownhosts.sh hostkey-rotate.sh principals-command.sh" = "x" ]; then exit 0; fi; \ for TEST in ""connect.sh proxy-connect.sh connect-privsep.sh proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh transfer....
2015 Mar 18
0
Announce: OpenSSH 6.8 released
...ltiple ECDSA keys of different lengths. * ssh(1): when host name canonicalisation is enabled, try to parse host names as addresses before looking them up for canonicalisation. fixes bz#2074 and avoiding needless DNS lookups in some cases. * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer require OpenSSH to be compiled with OpenSSL support. * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based authentication. * sshd(8): SSH protocol v.1 workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. Fake up a bignum key before RSA decryptio...