search for: revokedkey

Displaying 18 results from an estimated 18 matches for "revokedkey".

Did you mean: revokedkeys
2020 Aug 28
2
[Bug 3204] New: Enable user-relative revoked keys files
...OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: macdjord at gmail.com The `AuthorizedKeysFile` directive supports the %h, %U, and %u tokens, but the `RevokedKeys` directive does not. Thus it is possible to grant individual users the ability to add authorized login keys (and indeed this is the default with `.ssh/authorized_keys`), including authorized certificate authorities using the `cert-authority` option, but there is no way to grant them the ability to...
2020 Jan 30
6
SSH certificates - restricting to host groups
On 30/01/2020 15:02, Christian, Mark wrote: > On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote: >> As a concrete example: I want Alice to be able to login as "alice" >> and >> "www" to machines in group "webserver" (only). Also, I want Bob to >> be >> able to login as "bob" and "www" to machines in group
2015 Feb 19
2
[Bug 2353] New: options allowed for Match blocks missing form documentation
...indrot.org Reporter: calestyo at scientia.net Hi. AFAIU such options which are allowed for Match blocks are marked with "SSHCFG_ALL" in servconf.c. Going through the list, a number of the is apparently allowed but missing from sshd_config(5): AllowStreamLocalForwarding IPQoS RevokedKeys StreamLocalBindMask StreamLocalBindUnlink TrustedUserCAKeys Could you please add these? I'd have written a patch, but since all my pull requests are apparently generally ignored it's probably just a waste of time :( Cheers, Chris. -- You are receiving this mail because: You are watch...
2013 Sep 25
0
CA Signed Public Key User Authentication does not honor ~/.ssh/authorized_keys
Greetings, I am using OpenSSH Signed Public Key authentication for servers ssh login. All of the servers are setup with below sshd_config options: TrustedUserCAKeys /etc/ssh/ca.pub # CA Public Keys RevokedKeys /etc/ssh/revoke.pub # User Public Keys When i started working on it, for ssh authentication i had to have CA Public Key in User ~/.ssh/authorized_keys, like: cert-authority ssh-rsa <user_key> <user_name> But, now i am able to login without having CA Public Key in User ' ~/.ssh/...
2014 Dec 22
4
[Bug 2328] New: Per-user certificate revocation list (CRL) in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2328 Bug ID: 2328 Summary: Per-user certificate revocation list (CRL) in authorized_keys Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd
2015 Apr 15
6
[Bug 2382] New: option to disable pid file with sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2382 Bug ID: 2382 Summary: option to disable pid file with sshd Product: Portable OpenSSH Version: 6.9p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at
2020 Jan 31
2
SSH certificates - restricting to host groups
...eeping track of all issued certs in searchable data store to be able to properly map logins to personal user accounts during an audit. > However, when alice is no longer authorized, and assuming her cert is > still valid, you're going to want to use some configuration mgmt to > manage RevokedKeys, otherwise ensure that alice's cert is valid for a > short period of time. Again this requires to keep track of issued certs which need revocation in case the authorization changes. Sounds too complicated to me. => Use a decent user management (not config management) for managing autho...
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
...ot;ciphers", sCiphers, SSHCFG_ALL }, + { "macs", sMacs, SSHCFG_ALL }, { "protocol", sProtocol, SSHCFG_GLOBAL }, { "gatewayports", sGatewayPorts, SSHCFG_ALL }, { "subsystem", sSubsystem, SSHCFG_GLOBAL }, @@ -427,7 +427,7 @@ static struct { { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, + { "kexalgorithms", sKexAlgorithms,...
2013 Mar 22
4
Announce: OpenSSH 6.2 released
...dded support for Key Revocation Lists (KRLs), a compact binary format to represent lists of revoked keys and certificates that take as little as one bit per certificate when revoking by serial number. KRLs may be generated using ssh-keygen(1) and are loaded into sshd(8) via the existing RevokedKeys sshd_config option. * ssh(1): IdentitiesOnly now applies to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local" and "remote" in...
2013 Mar 22
0
Announce: OpenSSH 6.2 released
...dded support for Key Revocation Lists (KRLs), a compact binary format to represent lists of revoked keys and certificates that take as little as one bit per certificate when revoking by serial number. KRLs may be generated using ssh-keygen(1) and are loaded into sshd(8) via the existing RevokedKeys sshd_config option. * ssh(1): IdentitiesOnly now applies to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local" and "remote" in...
2015 Jul 01
0
Announce: OpenSSH 6.9 released
...hd(8): correctly record login when UseLogin is set; bz#378 * sshd(8): Add some missing options to sshd -T output and fix output of VersionAddendum and HostCertificate. bz#2346 * Document and improve consistency of options that accept a "none" argument" TrustedUserCAKeys, RevokedKeys (bz#2382), AuthorizedPrincipalsFile (bz#2288) * ssh(1): include remote username in debug output; bz#2368 * sshd(8): avoid compatibility problem with some versions of Tera Term, which would crash when they received the hostkeys notification message (hostkeys-00 at openssh.com) * sshd...
2020 Feb 10
6
question about pubkey and passphrase
Hi folks, Since Docker can bind-mount every .ssh directory I am looking for some way to forbid unprotected private keys. AFAICS it is currently not possible on the sshd to verify that the peer's private key was protected by a passphrase. Can you confirm? Regards Harri
2018 Sep 06
4
Some wishes regarding revoked keys
.... The SHA256 hash is useless, because (at least according to the documentation) "ssh-keygen -k" only accepts SHA1 hashes. So let's try the ID. echo 'id: user' | ssh-keygen -k -f revoked_keys -s ca /dev/stdin OK, after transferring the result to the server and setting the RevokedKeys option in sshd_config, it works. But, as an admin, I would also like to revoke the key itself (not only the certificate) where I can. And I don't have any information to do so - is it because my wish is something unreasonable? If my wish is reasonable, please, in the next versions of OpenS...
2010 Mar 08
0
Announce: OpenSSH 5.4 released
...tdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz#1618 * Add the ability to revoke keys in sshd(8) and ssh(1). User keys may be revoked using a new sshd_config(5) option "RevokedKeys". Host keys are revoked through known_hosts (details in the sshd(8) man page). Revoked keys cannot be used for user or host authentication and will trigger a warning if used. * Rewrite the ssh(1) multiplexing support to support non-blocking operation of the mux master, improve t...
2015 Jul 01
5
Announce: OpenSSH 6.9 released
...hd(8): correctly record login when UseLogin is set; bz#378 * sshd(8): Add some missing options to sshd -T output and fix output of VersionAddendum and HostCertificate. bz#2346 * Document and improve consistency of options that accept a "none" argument" TrustedUserCAKeys, RevokedKeys (bz#2382), AuthorizedPrincipalsFile (bz#2288) * ssh(1): include remote username in debug output; bz#2368 * sshd(8): avoid compatibility problem with some versions of Tera Term, which would crash when they received the hostkeys notification message (hostkeys-00 at openssh.com) * sshd...
2010 Mar 08
1
Announce: OpenSSH 5.4 released
...tdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz#1618 * Add the ability to revoke keys in sshd(8) and ssh(1). User keys may be revoked using a new sshd_config(5) option "RevokedKeys". Host keys are revoked through known_hosts (details in the sshd(8) man page). Revoked keys cannot be used for user or host authentication and will trigger a warning if used. * Rewrite the ssh(1) multiplexing support to support non-blocking operation of the mux master, improve t...
2013 Feb 26
16
Call for testing: OpenSSH-6.2
...dded support for Key Revocation Lists (KRLs), a compact binary format to represent lists of revoked keys and certificates that take as little as one bit per certificate when revoking by serial number. KRLs may be generated using ssh-keygen(1) and are loaded into sshd(8) via the existing RevokedKeys sshd_config option. * ssh(1): IdentitiesOnly now applies to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local" and "remote" in...
2015 May 29
16
Call for testing: OpenSSH 6.9
...hd(8): correctly record login when UseLogin is set; bz#378 * sshd(8): Add some missing options to sshd -T output and fix output of VersionAddendum and HostCertificate. bz#2346 * Document and improve consistency of options that accept a "none" argument" TrustedUserCAKeys, RevokedKeys (bz#2382), AuthorizedPrincipalsFile (bz#2288) * ssh(1): include remote username in debug output; bz#2368 * sshd(8): avoid compatibility problem with some versions of Tera Term, which would crash when they received the hostkeys notification message (hostkeys-00 at openssh.com) * sshd...