Displaying 20 results from an estimated 127 matches for "revocation".
2024 Jan 24
1
[Bug 3659] New: Certificates are ignored when listing revoked items in a (binary) revocation list
https://bugzilla.mindrot.org/show_bug.cgi?id=3659
Bug ID: 3659
Summary: Certificates are ignored when listing revoked items in
a (binary) revocation list
Product: Portable OpenSSH
Version: 9.2p1
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: webmaste...
2018 May 25
3
Suggestion: Deprecate SSH certificates and move to X.509 certificates
Please tell me in technical details how current revocation support
works, or give links. Then I will be able to give an answer.
On Fri, May 25, 2018 at 7:16 AM, Damien Miller <djm at mindrot.org> wrote:
>
>
> On Fri, 25 May 2018, Yegor Ievlev wrote:
>
>> Can you implement revocation support?
>
> What do you want that the exis...
2017 Sep 21
2
Revocation with CRL doesn't work for smartcards
Hi,
I have a smartcard which is revoked in the Certificate Revocation List
(CRL) but I can still login. Seems like the CRL check is not performed. Any
known bug around this?
Server setup:
- Samba 4.4 on Debian as AD DC
- Created domain MYDOM
- smb.conf (extract):
tls enabled = yes
tls crlfile = tls/mycrl.pem (default is to look under private/ folder)
Client...
2009 Nov 04
2
Certificates Revocation Lists and Apache...
Hi,
already asked in the openssl mailing list, but just in case you already went through this...
I need a little help with Certificate Revocation Lists.
I did set up client certificates filtering with apache and it seems to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now).
I have a "CA" that is signing a "CA SSL".
Then, the "CA SSL" is signing the clients certificates.
Now, I am tes...
2014 Dec 22
4
[Bug 2328] New: Per-user certificate revocation list (CRL) in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2328
Bug ID: 2328
Summary: Per-user certificate revocation list (CRL) in
authorized_keys
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned...
2017 Sep 21
2
Revocation with CRL doesn't work for smartcards
...too. Not sure I put it in [kdc] section
though, I can try again.
Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>:
> On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > Hi,
> > I have a smartcard which is revoked in the Certificate Revocation List
> > (CRL) but I can still login. Seems like the CRL check is not performed.
> Any
> > known bug around this?
> >
> > Server setup:
> > - Samba 4.4 on Debian as AD DC
> > - Created domain MYDOM
> > - smb.conf (extract):
> > tls enabled = ye...
2018 May 25
2
Suggestion: Deprecate SSH certificates and move to X.509 certificates
Can you implement revocation support?
On Fri, May 25, 2018 at 6:55 AM, Damien Miller <djm at mindrot.org> wrote:
> No way, sorry.
>
> The OpenSSH certificate format was significantly motivated by X.509's
> syntactic and semantic complexity, and the consequent attack surface in
> the sensitive pre-auth...
2017 Sep 21
0
Revocation with CRL doesn't work for smartcards
...t; section though, I can try again.
>
> Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>:
>
> > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > > Hi,
> > > I have a smartcard which is revoked in the Certificate Revocation
> > > List (CRL) but I can still login. Seems like the CRL check is not
> > > performed.
> > Any
> > > known bug around this?
> > >
> > > Server setup:
> > > - Samba 4.4 on Debian as AD DC
> > > - Created domain MYDOM
> > &g...
2017 Sep 22
2
Revocation with CRL doesn't work for smartcards
...again.
> >
> > Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>:
> >
> > > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote:
> > > > Hi,
> > > > I have a smartcard which is revoked in the Certificate Revocation
> > > > List (CRL) but I can still login. Seems like the CRL check is not
> > > > performed.
> > > Any
> > > > known bug around this?
> > > >
> > > > Server setup:
> > > > - Samba 4.4 on Debian as AD DC
> > >...
2007 Jan 29
3
tool to manage a PKI
Hello,
this is a little bit off-topic (even if it has to work on CentOS ;-)
I'm looking for a tool to manage a small Public Key Infrastructure, with
creation/revocation of certificates X.509, export in PKCS#12 format and
have the ability to handle CSR (Certificate Signing Request).
I've written my own script to perform it (openssl command line based):
it's a good way to understand concepts, but a little bit difficult to
maintain and extend...
After goo...
2013 Jan 16
2
HostKey Management
...t keys on all of your servers.
Then, put that certificate in /etc/ssh/ssh_known_hosts on all your servers.
5) Use the same HostKeys everywhere, and just put those keys in
/etc/ssh/ssh_known_hosts using a wildcard for your whole domain (e.g.
"*.example.com ssh-rsa AAAAA....."). This makes revocation very
difficult (since you need to securely re-key all of your servers).
I also saw some discussion recently on this list about storing hostkeys
in specialized security hardware. I'm not familiar with how "that stuff"
works, but I assume it doesn't scale very well when you get up...
2020 Aug 28
2
[Bug 3204] New: Enable user-relative revoked keys files
...f revoked
keys.
This should be fixed by enabling support for the %h, %U, and %u tokens
for the `RevokedKeys` directive.
See also: https://bugzilla.mindrot.org/show_bug.cgi?id=2328 , which
proposes a more powerful but more complicated solution to this issue:
allowing `authorized_keys` to specify a revocation list file for each
certificate authority key it defines.
2018 Mar 19
2
Your advices regarding authentication methods compatible with S4
...hink something that presents as smart card login is likely to
be the best bet. Smart cards are a pain, but could certainly help with
the speed (compared with long complex passwords).
The PKINIT stuff is meant to work, certainly worth a play in the lab.
The main thing I would want to check on is revocation of the
certificates (for when a badge is lost/stolen). We may need to work
on that to use some kind of online check or to get Heimdal to re-load
the Certificate Revocation list if it doesn't already.
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer,...
2018 May 25
4
Suggestion: Deprecate SSH certificates and move to X.509 certificates
Zero matches in both.
https://linux.die.net/man/5/sshd_config
https://linux.die.net/man/5/ssh_config
On Fri, May 25, 2018 at 7:48 AM, Damien Miller <djm at mindrot.org> wrote:
> On Fri, 25 May 2018, Yegor Ievlev wrote:
>
>> Please tell me in technical details how current revocation support
>> works, or give links. Then I will be able to give an answer.
>
> Please search for "revoke" in the ssh_config and sshd_config manual pages.
>
2019 Sep 16
2
revoking ssh-cert.pub with serial revokes also younger certs
Hi Daminan!
Hmmm... thought about a little...
when I use -vvv with ssh-keygen -Qf I see "debug1:..." So I think, debug
is compiled in.
ssh-keygen --help gives me
ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...
so... option -z is not the serial of the certificate, it is the
version-number of the KRL-File...
My openssh-Version from Debian is
2012 Jun 27
0
Trouble connecting to XenServer HyperVisor with Java bindings
...textLocateCredentials:753 : pkipath=(null) isServer=0
tryUserPkiPath=0
2012-06-26 19:48:53.280+0000: 26051: debug :
virNetTLSContextLocateCredentials:825 : Using default TLS CA certificate
path
2012-06-26 19:48:53.280+0000: 26051: debug :
virNetTLSContextLocateCredentials:831 : Using default TLS CA revocation
list path
2012-06-26 19:48:53.280+0000: 26051: debug :
virNetTLSContextLocateCredentials:837 : Using default TLS key/certificate
path
2012-06-26 19:48:53.306+0000: 26051: debug : virNetClientClose:521 :
client=(nil)
2012-06-26 19:48:53.306+0000: 26051: debug : do_open:1254 : network driver
4 remote...
2018 Oct 19
0
Announce: OpenSSH 7.9 released
...ASignatureAlgorithms option for the
client and server configs to allow control over which signature
formats are allowed for CAs to sign certificates. For example,
this allows banning CAs that sign certificates using the RSA-SHA1
signature algorithm.
* sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
revoke keys specified by SHA256 hash.
* ssh-keygen(1): allow creation of key revocation lists directly
from base64-encoded SHA256 fingerprints. This supports revoking
keys using only the information contained in sshd(8)
authentication log messages.
Bugfixes
--------...
2003 Nov 27
0
[Announce] GnuPG's ElGamal signing keys compromised
...the small letter
"g". That key is not affected.
The keys denoted with this capital letter "G" should be REVOKED unless
you are definitely sure those subkeys were never used to create
signatures with GnuPG >= 1.0.2.
How to revoke a key:
====================
To create a revocation certificate for the entire key (primary and
all subkeys), you do:
gpg --gen-revoke your_keyid >foo.rev
If you have lost access to your passphrase, hopefully you have a
pre-manufactured revocation certificate (either on a floppy or printed
on a sheet of paper) which you may then use instead of...
2019 Feb 04
3
Signing KRLs?
Hi!
While reading through PROTOCOL.krl I came across "5. KRL signature sections".
If my understanding is correct - and that's basically what I would like to
get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
they only accept KRLs signed by a trusted CA.
However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
The aforementioned
2020 Oct 27
0
[UPDATES] Renewing Netfilter coreteam PGP keys
...ne,
The Netfilter coreteam PGP key 0xAB4655A126D292E4 expired on
November 17th, 2020. Hence, we have generated a new PGP key
0xD55D978A8A1420E4. For more information, please visit:
https://www.netfilter.org/about.html#gpg
In accordance with good key management practices, we have also generated
a revocation certificate for our old PGP key. The revocation
certificate for our old PGP key 0xAB4655A126D292E4 and the new PGP key
have also been sent to the public PGP key servers.
Thanks.