search for: pkalg

Displaying 20 results from an estimated 161 matches for "pkalg".

2001 Mar 11
0
patch to allow client to select rsa/dss
Here is a quick patch against openssh-2.5.1p1 to add a new config option (pkalg) for the ssh client allowing the selection of which public keys are obtained/verified. --cut-here- diff -c3 -r orig/openssh-2.5.1p1/key.c openssh-2.5.1p1/key.c *** orig/openssh-2.5.1p1/key.c Mon Feb 5 18:16:28 2001 --- openssh-2.5.1p1/key.c Sun Mar 11 23:10:10 2001 *************** *** 534,539 ***...
2017 Jan 26
4
Server accepts key: pkalg rsa-sha2-512 vs ssh-rsa
Hi, I'm doing some tests with a pkcs11 token that can only sign short messages. When connecting to one server, that reports pkalg rsa-sha2-512 blen 151, it fails to sign the pubkey because it is 83 bytes long. (sshd: OpenSSH_7.3p1) An older server that reports pkalg ssh-rsa blen 151, works perfectly as the pubkey signature required is only 35 bytes long. (sshd: OpenSSH_6.7p1) I am not sure where does this pkalg fit in the pr...
2023 Apr 06
2
[Bug 3559] New: Mini memory leak and needless(?) const/static qualifier.
...chmidt at emtec.com in sshconnect2.c in function ssh_kex2() the function kex_default_pk_alg() is called. This function is from readconf.c and has the following prototype: const char *kex_default_pk_alg(void); The function looks like this: const char * kex_default_pk_alg(void) { static char *pkalgs; if (pkalgs == NULL) { char *all_key; all_key = sshkey_alg_list(0, 0, 1, ','); pkalgs = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key); free(all_key); } return pkalgs; } It internally buffers the result for match_filter_allowlist() in a...
2001 Mar 07
1
patch to select pkalg
...2, but I only have the DSA key, and I want to use that. I'm stuck; the OpenSSH client is hard-wired to offer both algorithms in the key exchange, and will select ssh-rsa if it's available (see myproposal.h, KEX_DEFAULT_PK_ALG). Below is a patch adding the client configuration option "PKAlgorithms" for this purpose. It doesn't validate the supplied list; I'm not sure if that's really necessary or desirable. This situation raises a couple of questions. The first is about the protocol, which forces the client to commit to a choice of host key algorithm before it sees...
2011 Nov 03
1
Help with CA Certificates for user authentication?
...rsa': ...and, correspondingly on the server: debug1: KEX done debug1: userauth-request for user test service ssh-connection method none debug1: attempt 0 failures 0 debug1: userauth-request for user test service ssh-connection method publickey debug1: attempt 1 failures 0 debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 63203/54000 (e=0/0) debug1: trying public key file /etc/sshtest/authorized_keys debug1: fd 5 clearing O_NONBLOCK debug1: restore_uid: 0/0 debug1: temporarily_use_uid: 63203/54000 (e=0/0) debug1: trying public key file /etc/sshtest/authorized_keys d...
2024 Feb 07
3
[Bug 3665] New: publickey RSA signature unverified: error in libcrypto to RHEL9 sshd (with LEGACY crypto policy enabled)
.../scp to RHEL9): note that it makes rsa-sha2-512 references 2024 Feb 2 13:33:27 RHEL9 [authpriv.debug] sshd: debug2: userauth_pubkey: valid user USERREDACTED querying public key rsa-sha2-512 PUBLICKEYREDACTED [preauth] 2024 Feb 2 13:33:27 RHEL9 [authpriv.debug] sshd: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:RSASIGNATUREREDACTED [preauth] 2024 Feb 2 13:33:27 RHEL9 [authpriv.debug] sshd: debug1: /home/USERREDACTED/.ssh/authorized_keys:33: matching key found: RSA SHA256:RSASIGNATUREREDACTED 2024 Feb 2 13:33:27 RHEL9 [authpriv.info] sshd: Accepted key RSA SHA256:RSASIGNATU...
2000 Nov 30
1
Problem and Patch: Multiple keys in ssh.com V2 agent
...XXXXXX service ssh-connection method none debug1: attempt #1 debug1: Starting up PAM with username "XXXXXX" Failed none for XXXXXX from XXX.XXX.XXX.XXX port 34257 ssh2 debug1: userauth-request for user XXXXXX service ssh-connection method publickey debug1: attempt #2 debug1: test whether pkalg/pkblob are acceptable Failed publickey for XXXXXX from XXX.XXX.XXX.XXX port 34257 ssh2 debug1: userauth-request for user XXXXXX service ssh-connection method publickey debug1: attempt #3 debug1: test whether pkalg/pkblob are acceptable Failed publickey for XXXXXX from XXX.XXX.XXX.XXX port 34257 ssh...
2001 Jun 26
1
OpenSSH 2.9p2 with PAMAuthenticationViaKbdInt
...host" debug2: input_userauth_request: try method none Failed none for matthewm from 127.0.0.1 port 2911 ssh2 debug1: userauth-request for user matthewm service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 500/500 (e=0) debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Failed publickey for matthewm from 127.0.0.1 port 2911 ssh2 debug1: userauth-request for user matthewm service ssh-connection method publickey debug1: attempt...
2003 Oct 08
4
OS/390 openssh
...ee(blob); } else { buffer_free(&msg); diff -bur openssh-3.7.1p2.orig/auth2-hostbased.c openssh-3.7.1p2/auth2-hostbased.c --- openssh-3.7.1p2.orig/auth2-hostbased.c Sat Jun 28 04:38:02 2003 +++ openssh-3.7.1p2/auth2-hostbased.c Tue Oct 7 08:21:59 2003 @@ -60,10 +60,10 @@ return 0; } pkalg = packet_get_string(&alen); - pkblob = packet_get_string(&blen); + pkblob = packet_get_binary(&blen); chost = packet_get_string(NULL); cuser = packet_get_string(NULL); - sig = packet_get_string(&slen); + sig = packet_get_binary(&slen); debug("userauth_hostbased: cus...
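Review bot: the auth2-hostbased.c hunk moves pkblob and sig to packet_get_binary() but leaves pkalg, chost and cuser on packet_get_string(), and nothing in the visible lines explains the split. A comment at these calls stating which fields are raw bytes and which are text would keep a later cleanup from switching them back, and the description should say how packet_get_binary() differs from packet_get_string(), since its definition is not shown here.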
2003 Jul 09
3
OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes
...as root using when strictmode is set to yes. output of debug: Failed none for root from 192.168.1.1 port 1199 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: trying public key file //.ssh/authorized_keys debug3: secure_filename: checking '/.ssh' debug3: secure_filename: checking '' Authentication refused: bad ownership or modes for directory debug1: trying public key file //.ssh/authorized_keys2 debug3: secu...
2001 May 23
1
[PATCH]: Drop the use of `check_nt_auth'.
..._kbdint(Authctxt *authctxt) #endif xfree(lang); xfree(devs); -#ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) - return(0); -#endif return authenticated; } @@ -524,10 +513,6 @@ userauth_pubkey(Authctxt *authctxt) debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); xfree(pkalg); xfree(pkblob); -#ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) - return(0); -#endif return authenticated; } Index: openbsd-compat/bsd-cygwin_util.c =================================================================...
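Review bot: the two removed "#ifdef HAVE_CYGWIN" blocks, one before "return authenticated;" in the kbdint function and one in userauth_pubkey() after "xfree(pkblob);", are the only visible places where check_nt_auth() could force "return(0)" regardless of the value of authenticated. The patch description should state where that check is performed now, or why it is no longer needed, because these lines show only its removal.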
2001 Dec 19
0
public key authentication failure
...02. From reading sshd -ddd and ssh -v I can't figure out what goes wrong. Could somebody interpret the attached typescripts for me, please? Here's the relevant part from the server log and I don't understand it: debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 1005/1005 (e=0) debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Failed publickey for incomingmail from cl.ie.nt.ip port 29365 ssh2 Another thing that puzzles me is why does it start asking for s/key authentication? I don...
2002 Jul 01
3
3.4p1: 'buffer_append_space: alloc 10506240 not supported'
...lures 0 Failed none for quinot from 10.10.0.172 port 35503 ssh2 Failed none for quinot from 10.10.0.172 port 35503 ssh2 debug1: userauth-request for user quinot service ssh-connection method hostbased debug1: attempt 1 failures 1 debug1: userauth_hostbased: cuser quinot chost vienna.int.domain.com. pkalg s sh-dss slen 55 debug1: temporarily_use_uid: 529/101 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 529/101 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 529/101 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 529/101 (e=0) debug1: restore_uid Failed hostbased for quinot fr...
2001 Feb 20
3
ssh-agent and id_dsa
Hi! I am distributing 2.5.1p1 for production use on my system by now and prepare switching to protocol 2 as default protocol. I just noted, that ssh-agent can be used for protocol 1 and 2, but the keys kept in ssh-agent are not compared against keys in .ssh. Example: I have a DSA key in id_dsa which I load into ssh-agent on login. When connecting to an account accepting the key everything is
2016 Mar 10
10
[Bug 2550] New: ssh can't use an in-memory-only certificate
...4e5e8c1bed5f58c841b1b8, just having the cert on the user's agent process worked as expected. After that commit, the user needs both the private and the cert (also with the private key) loaded together to work. if I try to use just the cert after this commit, I see: debug1: Server accepts key: pkalg ssh-rsa-cert-v01 at openssh.com blen 2769 debug2: input_userauth_pk_ok: fp SHA256:XiFOO+XzZ0m/aWzkQLgxVFI2HJV3abWpNyuIhcEYKuc debug3: sign_and_send_pubkey: RSA-CERT SHA256:XiFOO+XzZ0m/aWzkQLgxVFI2HJV3abWpNyuIhcEYKuc debug1: sign_and_send_pubkey: no private key for certificate "[Valid until Fri...
2018 Sep 14
2
sftp fails when run from cron
...a-stn14l debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey debug1: Offering public key: RSA SHA256:B1iu57Rkn5emB//MUP4YEipr4oRRmqZeBHMQWf0U+Mk /home/xxx/.ssh/jumpline debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 279 debug2: input_userauth_pk_ok: fp SHA256:B1iu57Rkn5emB//MUP4YEipr4oRRmqZeBHMQWf0U+Mk debug1: Authentication succeeded (publickey). Authenticated to sohnen-moe.com ([216.222.193.110]:1022). ** blah blah blah *** ---[ end ]--- ---[ failed login ]--- debug2: set_newkeys: mode 0 debu...
2012 Nov 01
2
sftp authentication failure only as cronjob
...ebug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering public key: /home/lars/.ssh/id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 debug1: Authentication succeeded (publickey). ... When the same script is run from the crontab the trace is identical except that the authentication fails: OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying option...
2002 Jul 25
0
scp hangs
...ce ssh-connection method none debug1: attempt 0 failures 0 Failed none for root from 192.168.1.5 port 1743 ssh2 Failed none for root from 192.168.1.5 port 1743 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 1 failures 1 debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 0/0 (e=0) debug1: trying public key file /root/.ssh/authorized_keys debug1: restore_uid debug1: temporarily_use_uid: 0/0 (e=0) debug1: trying public key file /root/.ssh/authorized_keys2 debug1: restore_uid Failed publickey for root from 192....
2001 May 25
4
Upgraded to 2.9p1 with no luck..
...ickey debug3: remaining preferred: password,keyboard-interactive debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: try pubkey: /users/clad/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 4001df30 hint 1 debug2: input_userauth_pk_ok: fp 0f:95:05:08:b7:47:eb:dd:37:ae:71:c1:5a:24:4b:20 debug3: sign_and_send_pubkey debug1: PEM_read_PrivateKey failed debug1: read PEM private key done: type <unknown> Enter passphrase for key '/users/clad/.ssh/id_rsa'...
2002 Feb 20
1
Is there a way to tell the sshd to ignore the security check on the user's home permissions?
...ons? debug3: secure_filename: checking '/ftpdata/pxdata/pold/data/.ssh' debug3: secure_filename: checking '/ftpdata/pxdata/pold/data' Authentication refused: bad ownership or modes for directory /ftpdata/pxdata/fold/data debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Failed publickey for bold from 3.72.144.164 port 1201 ssh2 Authentication refused: bad ownership or modes for directory