search for: revoc

Displaying 20 results from an estimated 126 matches for "revoc".

2024 Jan 24
1
[Bug 3659] New: Certificates are ignored when listing revoked items in a (binary) revocation list
https://bugzilla.mindrot.org/show_bug.cgi?id=3659 Bug ID: 3659 Summary: Certificates are ignored when listing revoked items in a (binary) revocation list Product: Portable OpenSSH Version: 9.2p1 Hardware: All OS: All Status: NEW Severity: minor Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: web...
2018 May 25
3
Suggestion: Deprecate SSH certificates and move to X.509 certificates
Please tell me in technical details how current revocation support works, or give links. Then I will be able to give an answer. On Fri, May 25, 2018 at 7:16 AM, Damien Miller <djm at mindrot.org> wrote: > > > On Fri, 25 May 2018, Yegor Ievlev wrote: > >> Can you implement revocation support? > > What do you want that the...
2017 Sep 21
2
Revocation with CRL doesn't work for smartcards
Hi, I have a smartcard which is revoked in the Certificate Revocation List (CRL) but I can still log in. Seems like the CRL check is not performed. Any known bug around this? Server setup: - Samba 4.4 on Debian as AD DC - Created domain MYDOM - smb.conf (extract): tls enabled = yes tls crlfile = tls/mycrl.pem (default is to look under private/ folder) C...
2009 Nov 04
2
Certificates Revocation Lists and Apache...
Hi, already asked in the openssl mailing list, but just in case you already went through this... I need a little help with Certificate Revocation Lists. I did set up client certificate filtering with apache and it seems to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now). I have a "CA" that is signing a "CA SSL". Then, the "CA SSL" is signing the clients' certificates. Now, I a...
2014 Dec 22
4
[Bug 2328] New: Per-user certificate revocation list (CRL) in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2328 Bug ID: 2328 Summary: Per-user certificate revocation list (CRL) in authorized_keys Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unass...
2017 Sep 21
2
Revocation with CRL doesn't work for smartcards
...too. Not sure I put it in [kdc] section though, I can try again. Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>: > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > Hi, > > I have a smartcard which is revoked in the Certificate Revocation List > > (CRL) but I can still log in. Seems like the CRL check is not performed. > Any > > known bug around this? > > > > Server setup: > > - Samba 4.4 on Debian as AD DC > > - Created domain MYDOM > > - smb.conf (extract): > > tls enabled...
2018 May 25
2
Suggestion: Deprecate SSH certificates and move to X.509 certificates
Can you implement revocation support? On Fri, May 25, 2018 at 6:55 AM, Damien Miller <djm at mindrot.org> wrote: > No way, sorry. > > The OpenSSH certificate format was significantly motivated by X.509's > syntactic and semantic complexity, and the consequent attack surface in > the sensitive pre...
2017 Sep 21
0
Revocation with CRL doesn't work for smartcards
... section though, I can try again. > > Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>: > > > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > > Hi, > > > I have a smartcard which is revoked in the Certificate Revocation > > > List (CRL) but I can still log in. Seems like the CRL check is not > > > performed. > > Any > > > known bug around this? > > > > > > Server setup: > > > - Samba 4.4 on Debian as AD DC > > > - Created domain MYDOM > ...
2017 Sep 22
2
Revocation with CRL doesn't work for smartcards
...again. > > > > Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>: > > > > > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > > > Hi, > > > > I have a smartcard which is revoked in the Certificate Revocation > > > > List (CRL) but I can still log in. Seems like the CRL check is not > > > > performed. > > > Any > > > > known bug around this? > > > > > > > > Server setup: > > > > - Samba 4.4 on Debian as AD DC > >...
2007 Jan 29
3
tool to manage a PKI
Hello, this is a little bit off-topic (even if it has to work on CentOS ;-) I'm looking for a tool to manage a small Public Key Infrastructure, with creation/revocation of X.509 certificates, export in PKCS#12 format and the ability to handle CSRs (Certificate Signing Requests). I've written my own script to perform it (openssl command line based): it's a good way to understand the concepts, but a little bit difficult to maintain and extend... Afte...
2013 Jan 16
2
HostKey Management
...t keys on all of your servers. Then, put that certificate in /etc/ssh/ssh_known_hosts on all your servers. 5) Use the same HostKeys everywhere, and just put those keys in /etc/ssh/ssh_known_hosts using a wildcard for your whole domain (e.g. "*.example.com ssh-rsa AAAAA....."). This makes revocation very difficult (since you need to securely re-key all of your servers). I also saw some discussion recently on this list about storing hostkeys in specialized security hardware. I'm not familiar with how "that stuff" works, but I assume it doesn't scale very well when you ge...
2020 Aug 28
2
[Bug 3204] New: Enable user-relative revoked keys files
...f revoked keys. This should be fixed by enabling support for the %h, %U, and %u tokens for the `RevokedKeys` directive. See also: https://bugzilla.mindrot.org/show_bug.cgi?id=2328 , which proposes a more powerful but more complicated solution to this issue: allowing `authorized_keys` to specify a revocation list file for each certificate authority key it defines. -- You are receiving this mail because: You are watching the assignee of the bug.
2018 Mar 19
2
Your advice regarding authentication methods compatible with S4
...hink something that presents as smart card login is likely to be the best bet. Smart cards are a pain, but could certainly help with the speed (compared with long complex passwords). The PKINIT stuff is meant to work, certainly worth a play in the lab. The main thing I would want to check on is revocation of the certificates (for when a badge is lost/stolen). We may need to work on that to use some kind of online check or to get Heimdal to re-load the Certificate Revocation list if it doesn't already. Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Develo...
2018 May 25
4
Suggestion: Deprecate SSH certificates and move to X.509 certificates
Zero matches in both. https://linux.die.net/man/5/sshd_config https://linux.die.net/man/5/ssh_config On Fri, May 25, 2018 at 7:48 AM, Damien Miller <djm at mindrot.org> wrote: > On Fri, 25 May 2018, Yegor Ievlev wrote: > >> Please tell me in technical details how current revocation support >> works, or give links. Then I will be able to give an answer. > > Please search for "revoke" in the ssh_config and sshd_config manual pages. >
2019 Sep 16
2
revoking ssh-cert.pub with serial revokes also younger certs
Hi Damien! Hmmm... thought about it a little... when I use -vvv with ssh-keygen -Qf I see "debug1:..." So I think debug is compiled in. ssh-keygen --help gives me ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ... so... option -z is not the serial of the certificate, it is the version number of the KRL file... My OpenSSH version from Debian is
2012 Jun 27
0
Trouble connecting to XenServer HyperVisor with Java bindings
...textLocateCredentials:753 : pkipath=(null) isServer=0 tryUserPkiPath=0 2012-06-26 19:48:53.280+0000: 26051: debug : virNetTLSContextLocateCredentials:825 : Using default TLS CA certificate path 2012-06-26 19:48:53.280+0000: 26051: debug : virNetTLSContextLocateCredentials:831 : Using default TLS CA revocation list path 2012-06-26 19:48:53.280+0000: 26051: debug : virNetTLSContextLocateCredentials:837 : Using default TLS key/certificate path 2012-06-26 19:48:53.306+0000: 26051: debug : virNetClientClose:521 : client=(nil) 2012-06-26 19:48:53.306+0000: 26051: debug : do_open:1254 : network driver 4 r...
2018 Oct 19
0
Announce: OpenSSH 7.9 released
...ASignatureAlgorithms option for the client and server configs to allow control over which signature formats are allowed for CAs to sign certificates. For example, this allows banning CAs that sign certificates using the RSA-SHA1 signature algorithm. * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash. * ssh-keygen(1): allow creation of key revocation lists directly from base64-encoded SHA256 fingerprints. This supports revoking keys using only the information contained in sshd(8) authentication log messages. Bugfixes -----...
2003 Nov 27
0
[Announce] GnuPG's ElGamal signing keys compromised
...the small letter "g". That key is not affected. The keys denoted with this capital letter "G" should be REVOKED unless you are definitely sure those subkeys were never used to create signatures with GnuPG >= 1.0.2. How to revoke a key: ==================== To create a revocation certificate for the entire key (primary and all subkeys), you do: gpg --gen-revoke your_keyid >foo.rev If you have lost access to your passphrase, hopefully you have a pre-manufactured revocation certificate (either on a floppy or printed on a sheet of paper) which you may then use instea...
2019 Feb 04
3
Signing KRLs?
Hi! While reading through PROTOCOL.krl I came across "5. KRL signature sections". If my understanding is correct - and that's basically what I would like to get knocked down for if appropriate ;) - this is a way for SSHDs to ensure they only accept KRLs signed by a trusted CA. However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen? The aforementioned
2020 Oct 27
0
[UPDATES] Renewing Netfilter coreteam PGP keys
...ne, The Netfilter coreteam PGP key 0xAB4655A126D292E4 expired on November 17th, 2020. Hence, we have generated a new PGP key 0xD55D978A8A1420E4. For more information, please visit: https://www.netfilter.org/about.html#gpg In accordance with good key management practices, we have also generated a revocation certificate for our old PGP key. The revocation certificate for our old PGP key 0xAB4655A126D292E4 and the new PGP key have also been sent to the public PGP key servers. Thanks.