Displaying 17 results from an estimated 17 matches for "num_host_key_files".

2012 Nov 21
1
HostKey in hardware?
Hi, Is there any way to store HostKey in hardware (and delegate the related processing)? I have been using Roumen Petrov's x509 patch for clients, which works via an OpenSSL engine, but it does not seem to support server HostKey: http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html For PKCS#11, I have found an email on this list from a year back suggesting this
2012 Jan 28
1
PATCH: Support for encrypted host keys
...to the rexec child, but I decided I thought it was slightly nicer to decrypt the key once and pass it along rather than redoing it every time. I can send the previous version if that would be preferred though -- this key-passing version does have some resulting ugliness in its handling of options.num_host_key_files, as described in a comment in the patch. Thanks, Zev Weiss -- Makefile.in | 2 +- buffer.h | 5 ++ bufkey.c | 132 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ sshd.c | 141 ++++++++++++++++++++++++++++++++++++++++++++++++----------- 4 files changed, 253 insertions...
2013 Jun 25
1
RFC: encrypted hostkeys patch
...- if (authctxt->pw->pw_uid == 0 || options.use_login) { + if (authctxt->pw->pw_uid == 0 || options.use_login) #endif + { /* File descriptor passing is broken or root login */ use_privsep = 0; goto skip; @@ -767,6 +780,8 @@ list_hostkey_types(void) for (i = 0; i < options.num_host_key_files; i++) { key = sensitive_data.host_keys[i]; if (key == NULL) + key = sensitive_data.host_pubkeys[i]; + if (key == NULL) continue; switch (key->type) { case KEY_RSA: @@ -819,6 +834,8 @@ get_hostkey_by_type(int type, int need_private) break; default: key = sensitive_da...
2008 May 07
2
Request for generic engine support
...case sEngineHostKey: > if (options->engineindex != -1) { > fatal("%s line %d: One engine key allowed", > filename, linenum); > } > options->engineindex = options->num_host_key_files; > intptr = &options->num_host_key_files; > if (*intptr >= MAX_HOSTKEYS) > fatal("%s line %d: too many keys (max %d).", > filename, linenum, MAX_HOSTKEYS); > charptr = &optio...
2002 Dec 18
2
patch for openssh3.5p1 - adds logging option
...gLevel log_level_number(char *); diff -urN openssh-3.5p1-orig/servconf.c openssh-3.5p1/servconf.c --- openssh-3.5p1-orig/servconf.c 2002-12-18 10:10:13.000000000 -0500 +++ openssh-3.5p1/servconf.c 2002-12-18 10:20:33.000000000 -0500 @@ -64,6 +64,7 @@ options->listen_addrs = NULL; options->num_host_key_files = 0; options->pid_file = NULL; + options->log_file = NULL; options->server_key_bits = -1; options->login_grace_time = -1; options->key_regeneration_time = -1; @@ -302,6 +303,7 @@ sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeys...
2012 Jan 31
1
[Bug 1974] New: Support for encrypted host keys
...to the rexec child, but I decided I thought it was slightly nicer to decrypt the key once and pass it along rather than redoing it every time. I can send the previous version if that would be preferred though -- this key-passing version does have some resulting ugliness in its handling of options.num_host_key_files, as described in a comment in the patch.
2015 Jan 30
5
[Bug 2346] New: sshd -T doesn't write all configuration options in valid format
https://bugzilla.mindrot.org/show_bug.cgi?id=2346 Bug ID: 2346 Summary: sshd -T doesn't write all configuration options in valid format Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:
2001 Nov 12
4
Please test -current
Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)
2017 Mar 01
7
[Bug 2686] New: SSHD segfaults when trying to load RSA1 host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2686 Bug ID: 2686 Summary: SSHD segfaults when trying to load RSA1 host keys Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Keywords: patch Severity: enhancement Priority: P5 Component: sshd
2020 Apr 26
5
[Bug 3155] New: openssh support hostkey encrypt
...Status: NEW Severity: security Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: kircherlike at outlook.com We noticed that the sshd.c file contained such a code snippet: ... for (i = 0; i < options.num_host_key_files; i++) { int ll = options.host_key_file_userprovided[i] ? SYSLOG_LEVEL_ERROR : SYSLOG_LEVEL_DEBUG1; if (options.host_key_files[i] == NULL) continue; if ((r = sshkey_load_private(options.host_key_files[i], &q...
2003 Nov 27
2
Question about adding another parameter for OpenSSH
...ase, NULL, + options.group_private_key); quit = 0; } else { debug2("no passphrase given, try next key"); --- sshd.c.orig Thu Nov 27 16:33:07 2003 +++ sshd.c Thu Nov 27 16:35:19 2003 @@ -966,7 +966,7 @@ sensitive_data.have_ssh2_key = 0; for (i = 0; i < options.num_host_key_files; i++) { - key = key_load_private(options.host_key_files[i], "", NULL); + key = key_load_private(options.host_key_files[i], "", NULL, 0); sensitive_data.host_keys[i] = key; if (key == NULL) { error("Could not load host key: %s", --- ssh-add.c.orig Thu Nov 27...
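Review bot: In the sshd.c hunk at line 966, the new fourth argument to key_load_private is a bare 0, while the call site in the preceding hunk passes options.group_private_key. From `key = key_load_private(options.host_key_files[i], "", NULL, 0);` alone a reader cannot tell what is being switched off for host keys. A named constant or a one-line comment saying that the host-key loading path deliberately does not honour the new option would document the intent and keep later callers from copying the literal.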
2001 Nov 20
3
problem with AFS token forwarding
Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the
2017 Jun 16
2
[PATCH] allow relative path in streamlocal forwarding
...ult_server_options(ServerOptions *options) CLEAR_ON_NONE(options->authorized_principals_file); CLEAR_ON_NONE(options->adm_forced_command); CLEAR_ON_NONE(options->chroot_directory); + CLEAR_ON_NONE(options->fwd_opts.streamlocal_bind_root_directory); for (i = 0; i < options->num_host_key_files; i++) CLEAR_ON_NONE(options->host_key_files[i]); for (i = 0; i < options->num_host_cert_files; i++) @@ -417,6 +419,7 @@ typedef enum { sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, sStreamLocalBindMask, sStreamLocalBind...
2002 Apr 26
0
PAM keyboard-interactive
...*options) { - /* Portable-specific options */ - if (options->pam_authentication_via_kbd_int == -1) - options->pam_authentication_via_kbd_int = 0; - - /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->num_host_key_files == 0) { @@ -258,9 +249,6 @@ /* Keyword tokens. */ typedef enum { sBadOption, /* == unknown option */ - /* Portable-specific options */ - sPAMAuthenticationViaKbdInt, - /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogF...
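Review bot: Removing sPAMAuthenticationViaKbdInt from the keyword enum, in the hunk at line 258, means an existing sshd_config that still sets the option will stop parsing unless the keyword is handled somewhere else, and the visible lines show no such handling. Consider keeping the keyword accepted and ignored with a logged notice for a release, and note the removal in the documentation. The default-filling block removed in the first hunk can go either way once that is settled.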
2002 Jul 02
3
New PAM kbd-int diff
...*options) { - /* Portable-specific options */ - if (options->pam_authentication_via_kbd_int == -1) - options->pam_authentication_via_kbd_int = 0; - - /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->num_host_key_files == 0) { @@ -271,9 +262,6 @@ /* Keyword tokens. */ typedef enum { sBadOption, /* == unknown option */ - /* Portable-specific options */ - sPAMAuthenticationViaKbdInt, - /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogF...
2002 Jun 25
4
PAM kbd-int with privsep
...*options) { - /* Portable-specific options */ - if (options->pam_authentication_via_kbd_int == -1) - options->pam_authentication_via_kbd_int = 0; - - /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->num_host_key_files == 0) { @@ -271,9 +262,6 @@ /* Keyword tokens. */ typedef enum { sBadOption, /* == unknown option */ - /* Portable-specific options */ - sPAMAuthenticationViaKbdInt, - /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogF...
2006 Nov 15
11
OpenSSH Certkey (PKI)
...========== RCS file: /cvs/src/usr.bin/ssh/servconf.c,v retrieving revision 1.165 diff -u -r1.165 servconf.c --- servconf.c 14 Aug 2006 12:40:25 -0000 1.165 +++ servconf.c 15 Nov 2006 14:14:37 -0000 @@ -56,6 +56,7 @@ options->listen_addrs = NULL; options->address_family = -1; options->num_host_key_files = 0; + options->ca_key_file = NULL; options->pid_file = NULL; options->server_key_bits = -1; options->login_grace_time = -1; @@ -77,6 +78,7 @@ options->hostbased_authentication = -1; options->hostbased_uses_name_from_packet_only = -1; options->rsa_authentication = -...