search for: roumen

Thanks Roumen. >Lets assume that application use OpenSSL FIPS validated module. FIPS mode is activated in openssl command if environment variable OPENSSL_FIPS is set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS mode. Code will call FIPS_mode_set(1) if crypto module is not FIPS mode. D...

Thanks Roumen. I have few more questions below: 1. What version of OpenSSH can the patch be applied to? What branch should I check out the patch? 2. >Impact is not only for source code. Build process has to be updated as well. Red Hat is based on "fipscheck". What build process should be changed?...

...d into external devices. The implementation is based on openssl dynamic engines. For instance E_NSS engine ( http://developer.berlios.de/projects/enss ) will allow you to use certificates and keys from Firefox, SeaMonkey, Thunderbird security database to authenticate to remote hosts. Regards, Roumen Petrov -- Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi guys, been trying the x509 patch for ssh from Roumen, it works great. However, I can't figure out couple of things, and been trying to solve it for couple of days already. I'am using OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g with 6.1 version of your patch. The serverside hostkey is configured correctly, to present x509v3-sign-rsa dynowork / #...

Hi all, Does anyone know if it exists a patch for OpenSSH for Windows to allow authentication through certificates? Is it possible to make one if it doesn't exists? Using OpenSSH for Windows 3.8p1-1 20040709 Build. I know there is Roumen Petrov patch, but is for unix machines if i'm not mistaken. I need a similar one for Windows that work with the Roumen Petrov patch so i can have authentication through certificates between Windows machine and Linux machine. Any help greatly appreciated, Adriana

If I remove all the export and change all the ' in ", it does work on SCO 3.2v5.0.4 |--------+-----------------------------> | | Roumen Petrov | | | <Roumen.Petrov at skal| | | asoft.com> | | | | | | 21/12/00 13:10 | | | | |--------+-----------------------------> >---------------------...

On command: #kill -9 `cat /var/run/sshd.pid` sshd leave pid file ! sshd.c code: =============== .... /* * Arrange to restart on SIGHUP. The handler needs * listen_sock. */ signal(SIGHUP, sighup_handler); signal(SIGTERM, sigterm_handler); signal(SIGQUIT, sigterm_handler); .... =============== Missing line is : signal(SIGKILL, sigterm_handler);

Hi Roumen, I discovered that the need of appending the .pub part of id_rsa(client key+cert) on the server can be eliminated by adding the Certificate Blob to authorized_keys which could look something like this: x509v3-sign-rsa subject= /C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=c...

...openssl/des.h> # define crypt DES_crypt # endif ... Only above preprocessor statement use defines HAVE_CRYPT and HAVE_DES_CRYPT. Configure script look like ( if with OpenSSL then .... else ... AC_CHECK_FUNCS([crypt DES_crypt]) fi Proposed patch restore previous behavior. Regards, Roumen Petrov -- Get SSH with X.509 certificate support http://roumenpetrov.info/openssh/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-configure.ac-rewrite-check-for-functions-crypt-and-D.patch Type: text/x-diff Size: 971 bytes Desc: not available URL: <h...

Here are a couple of patches against the CVS (Jan 22 18:41 PST) Some C++ comments found their way into ssh.h The no64.patch puts ifdefs around buffer_get_int64() now in bufaux.[c,h] -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- ssh.h.old Mon Jan 22 18:40:58 2001 +++ ssh.h Mon Jan 22 19:02:02 2001 @@ -25,8 +25,10 @@ # include

As of Sunday evening, OpenSSH has an interactive sftp client. It should be in the more recent snapshots. It would be appreciated if you could test new client and find all the bugs :) Please also have a read of the manpage and ensure that it matches what is implemented. I am working on fixing the ones that I know about, so please try to stay up to date with the snapshots. Thanks, Damien

Hi, I need to add X.509 Certificate support to OpenSSH. I came across the following post on the openssh-unix-dev mailing list that is very useful: http://marc.info/?l=openssh-unix-dev&m=120298135706959&w=2 <http://marc.info/?l=openssh-unix-dev&m=120298135706959&w=2> And also, http://marc.info/?l=openssh-unix-dev&m=104395024824680&w=2

...ct that require SSH server with FIPS and using OpenSSL v3. There is no way to work with OpenSSL v3 due to many reasons. If you like to get FIPS capable secsh implementation compatible with OpenSSL FIPS validated modules 1.2 and 2.0 , RedHat ES, or Oracle Solaris you could use PKIX-SSH. Regards, Roumen Petrov -- Advanced secure shell implementation with X.509 certificate support http://roumenpetrov.info/secsh/

Hi Chris, On 18/10/2023 19:13, Chris Rapier wrote: > Do any of you have a wish list of things you'd like to see in ssh? get Roumen Petrovs pkissh implementation merged and maintained upstream I know this is a huge page with little chances to get accepted, but I'd like to mention this, because it has been on my personal wish list for a long time. Sure, I can install pkissh, but if it were upstream, another 5-10 years la...

...l, The file ~/.ssh/environment is used by ssh daemon. Since sshd sets up basic environment I guess that sentences in ssh(1) that reference the file ~/.ssh/environment and environment variables should be moved to sshd(8). Wim, could you check why anonymous CVS require password, please? Regards, Roumen Petrov

Hi All, The version 5.5.1 of "X.509 certificates support in OpenSSH" is ready for download. On download page http://roumenpetrov.info.localhost/openssh/download.html#get_-5.5.1 you can found diff for OpenSSH versions 4.4p1. What's new: * specific diff of 5.5 for OpenSSH 4.4p1 Because of OpenSSH source code changes, like include statements and new server option "Match", X.509 certificate support sp...

Makefile.in is not fixed ! in old ssh.h # define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" in new pathnames.h #define _PATH_SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" but in Makefile.in PATHS=...-DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" ----------------------------------------------------------- about patch: - remove unused defines:

http://bugzilla.mindrot.org/show_bug.cgi?id=1346 Summary: PAM environment takes precedence over SendEnv Product: Portable OpenSSH Version: 4.6p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy:

...ointed to with CACertificateFile in sshd_config. In the authorized_keys I've got: x509v3-sign-rsa subject= /C=COUNTRY/ST=STATE/O=ORGANIZATION/OU=OU/CN=CN ie. the DN of the ROOT CA certificate - should this instead be the issuing CA? Generally any pointers would be very helpful, I've found Roumen Petrovs patches and read some of his stuff but I find it a bit difficult to follow and in any case I'm not sure how relevant his implementation is to the mainline openssh 5.4/5.5 x509. Thanks Paul

...support for OpenSSH version 6.0p1 was published. I brief new version include : - support for Android platform; - engine implementation is now considered stable; - various regression test improvements including fixes for OpenSSL FIPS enabled 1.0.1 stable release and korn shell Yours sincerely, Roumen Petrov -- Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/