Displaying 7 results from an estimated 7 matches for "krl_section_signature".
2019 Feb 04
3
Signing KRLs?
...correct - and that's basically what I would like to
get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
they only accept KRLs signed by a trusted CA.
However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is optional in
the file structure, so am I right to assume that ssh-keygen simply does not
implement the signing of KRLs (yet)? Or do I need to use some other tool I have
overlooked?
Thanks a lot in advance.
Cheers,
Daniel
--
Daniel Schneller
ds at danielschneller.com
Twitter: @dschneller
htt...
2015 Dec 29
2
Bug in KRL signature verification
...curity
implications, though, since both lengths are necessarily smaller than the
length of buf.
Fixing this bug uncovers another bug in ssh_krl_from_blob [3]: "if
(sshbuf_len(sect) > 0)" should read "if (sect != NULL && sshbuf_len(sect) >
0)" (or similar), since a KRL_SECTION_SIGNATURE above might cause sect to
be set to NULL. This bug results in a segmentation fault, but I don't
believe it can be triggered without first fixing the above bug.
In case anyone is interested in testing this behavior out, I believe the
following hex-encoded string to be a spec-compliant [1] signe...
2023 Jul 31
5
Call for testing: OpenSSH 9.4
...signatures When the KRL format was originally defined, it included
support for signing of KRL objects. However, the code to sign KRLs
and verify KRL signatures was never completed in OpenSSH. This
release removes the partially-implemented code to verify KRLs.
All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
KRL files.
* All: fix a number of memory leaks and unreachable/harmless integer
overflows.
* ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
modules; GHPR406
* sshd(8), ssh(1): better validate CASignatureAlgorithms in
ssh_config and sshd_config. Pr...
2018 Sep 06
4
Some wishes regarding revoked keys
Hello.
I am trying to play through the following test scenario about
certificate revocation on Ubuntu 18.04, which has OpenSSH of this version:
OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n  7 Dec 2017
1. A CA key is created
ssh-keygen -t ed25519 -f ca
2. The CA public key is added to ~/.ssh/authorized_keys on some server:
cert-authority ssh-ed25519 AAAA...e ca at yoga
3. A user key is created on a
2023 Aug 10
1
Announce: OpenSSH 9.4 released
...signatures When the KRL format was originally defined, it included
support for signing of KRL objects. However, the code to sign KRLs
and verify KRL signatures was never completed in OpenSSH. This
release removes the partially-implemented code to verify KRLs.
All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
KRL files.
* All: fix a number of memory leaks and unreachable/harmless integer
overflows.
* ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
modules; GHPR406
* sshd(8), ssh(1): better validate CASignatureAlgorithms in
ssh_config and sshd_config. Pr...
2023 Aug 09
1
Call for testing: OpenSSH 9.4
...format was originally defined, it included
> support for signing of KRL objects. However, the code to sign KRLs
> and verify KRL signatures was never completed in OpenSSH. This
> release removes the partially-implemented code to verify KRLs.
> All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
> KRL files.
>
> * All: fix a number of memory leaks and unreachable/harmless integer
> overflows.
>
> * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
> modules; GHPR406
>
> * sshd(8), ssh(1): better validate CASignatur...
2017 Mar 02
64
[Bug 2687] New: Coverity scan fixes
https://bugzilla.mindrot.org/show_bug.cgi?id=2687
Bug ID: 2687
Summary: Coverity scan fixes
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org