search for: ssh_err

Displaying 20 results from an estimated 33 matches for "ssh_err".

2019 Mar 29
2
Call for testing: OpenSSH 8.0
...= monotime() + 1; @@ -492,7 +492,7 @@ server_alive_check(struct ssh *ssh) (r = sshpkt_put_cstring(ssh, "keepalive at openssh.com")) != 0 || (r = sshpkt_put_u8(ssh, 1)) != 0 || /* boolean: want reply */ (r = sshpkt_send(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal("%s: send packet: %s", __func__, ssh_err(r)); /* Insert an empty placeholder to maintain ordering */ client_register_global_confirm(NULL, NULL); } @@ -1035,7 +1035,7 @@ process_escapes(struct ssh *ssh, Channel *c, channel_request_start(ssh, c->self, "break&...
2017 Nov 14
2
OpenSSH 7.6p1 ssh-agent exiting if passed an invalid key blob
...ike: if ((r = sshbuf_get_string(e->request, &blob, &blen)) != 0 || (r = sshbuf_get_string(e->request, &data, &dlen)) != 0 || (r = sshbuf_get_u32(e->request, &flags)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (flags & SSH_AGENT_OLD_SIGNATURE) compat = SSH_BUG_SIGBLOB; if ((r = sshkey_from_blob(blob, blen, &key)) != 0) { error("%s: cannot parse key blob: %s", __func__, ssh_err(r)); goto send; } However, in...
2016 Aug 03
2
Configure option '--with-ssh1' breaks openssh-7.3p1
OK, with this additional information I can now reproduce it. Based on some quick experiments it seems to be triggered when sshd is built --with-ssh1 and the config does not *load* a Protocol 1 host key. Works: Protocol=1,2 + Hostkey not specified Protocol=1,2 + Hostkeys for both protocols specified. Doesn't work: Protocol=2 + Hostkey not specified. Protocol=1,2 + Hostkeys specified only for
2020 Apr 15
2
[PATCH] regression of comment extraction in private key file without passphrase
...4 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -917,11 +917,7 @@ fingerprint_private(const char *path) ???? ??? fatal("%s: %s", path, strerror(errno)); ???? if ((r = sshkey_load_public(path, &public, &comment)) != 0) { ???? ??? debug("load public \"%s\": %s", path, ssh_err(r)); -??? ??? if ((r = sshkey_load_private(path, NULL, -??? ??? ??? &public, &comment)) != 0) { -??? ??? ??? debug("load private \"%s\": %s", path, ssh_err(r)); -??? ??? ??? fatal("%s is not a key file.", path); -??? ??? } +??? ??? fatal("%s is not a key f...
2019 Aug 06
2
[PATCH v2] Remove sshkey_load_private()
...-sshkey_load_private(const char *filename, const char *passphrase, - struct sshkey **keyp, char **commentp) -{ - struct sshbuf *buffer = NULL; - int r, fd; - - if (keyp != NULL) - *keyp = NULL; - if (commentp != NULL) - *commentp = NULL; - - if ((fd = open(filename, O_RDONLY)) == -1) - return SSH_ERR_SYSTEM_ERROR; - if (sshkey_perm_ok(fd, filename) != 0) { - r = SSH_ERR_KEY_BAD_PERMISSIONS; - goto out; - } - - if ((buffer = sshbuf_new()) == NULL) { - r = SSH_ERR_ALLOC_FAIL; - goto out; - } - if ((r = sshkey_load_file(fd, buffer)) != 0 || - (r = sshkey_parse_private_fileblob(buffer, pass...
2020 Mar 24
4
ZSTD compression support for OpenSSH
I hacked zstd support into OpenSSH a while ago and just started to clean it up in the recent days. The cleanup includes configuration support among other things that I did not have. During testing I noticed the following differences compared to zlib: - highly interactive shell output (as in refreshed at a _very_ high rate) may result in higher bandwidth compared to zlib. Since zstd is quicker
2015 Aug 17
3
[PATCH] Expand tilde for UNIX domain socket forwards.
On Mon, 17 Aug 2015, Todd C. Miller wrote: > I like the idea but tilde_expand_filename() calls fatal() if it > cannot resolve ~foo. This is not terrible when using -L and -R on > the normal command line but it seems pretty harsh to exit when -L > or -R are used via the ~C escape or the streamlocal-forward@openssh.com > request. > Message-Id: <aea6cdc1d1b42d07 at
2016 Dec 28
2
certificates keys on pkcs11 devices
Hi, I have not found any way to use a Certificate with ssh-agent when my Key is stored on a pkcs11 device. I can add my key with ssh-add -s /usr/local/lib/opensc-pkcs11.so but ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub does not add the certificate to my agent. As far as I understand, in ssh-add.c line 580 if (pkcs11provider != NULL) { if (update_card(agent_fd,
2020 Sep 05
8
[PATCH 0/5] ZSTD compression support for OpenSSH
I added ZSTD support to OpenSSH roughly over a year ago and I've been playing with it ever since. The nice part is that ZSTD achieves reasonable compression (like zlib) but consumes little CPU so it is unlikely that compression becomes the bottleneck of a transfer. The compression overhead (CPU) is negligible even when uncompressed data is tunneled over the SSH connection (SOCKS proxy, port
2015 Jul 26
2
[PATCH] ssh-agent: Add support to load additional certificates
...+180,49 @@ delete_all(int agent_fd) } static int +add_certificate_only(int agent_fd, const char *filename) +{ + struct sshkey *cert = NULL; + char *comment = NULL; + int r, ret = -1; + + /* Load certificate */ + if ((r = sshkey_load_public(filename, &cert, &comment)) != 0) { + if (r != SSH_ERR_SYSTEM_ERROR || errno != ENOENT) + error("Failed to load certificate \"%s\": %s", + filename, ssh_err(r)); + goto out; + } + if (!sshkey_is_cert(cert)) { + error("Not a certificate: %s", filename); + goto out; + } + + /* Add empty private key fields f...
2020 Jun 09
3
[PATCH v2 0/2] Add openssl engine keys with provider upgrade path
I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may
2015 Feb 19
3
[PATCH] Unbreak compilation with --without-ssh1
Hi, Patch attached for $SUBJECT. ismail
2020 Apr 25
2
[PATCH 1/3] Add private key protection information extraction to ssh-keygen
...124,6 +124,8 @@ sshkey_load_private_type(int type, const char *filename, const char *passphrase, ??? ??? ?*keyp = NULL; ??? ?if (commentp != NULL) ??? ??? ?*commentp = NULL; +?? ?if (vault_infop != NULL) +?? ??? ?*vault_infop = NULL; ? ??? ?if ((fd = open(filename, O_RDONLY)) == -1) ??? ??? ?return SSH_ERR_SYSTEM_ERROR; @@ -132,7 +134,7 @@ sshkey_load_private_type(int type, const char *filename, const char *passphrase, ??? ?if (r != 0) ??? ??? ?goto out; ? -?? ?r = sshkey_load_private_type_fd(fd, type, passphrase, keyp, commentp); +?? ?r = sshkey_load_private_type_fd(fd, type, passphrase, keyp, comme...
2020 Oct 04
2
UpdateHostkeys now enabled by default
On Sun, Oct 04, 2020 at 09:24:12PM +1100, Damien Miller wrote: > On Sun, 4 Oct 2020, Damien Miller wrote: > > > No - I think you've stumbled on a corner case I hadn't anticipated. > > Does your configuration override CheckHostIP at all? No. > > > > What are the known_hosts entries for the hostname and IP? > > Also, do you use HashKnownHosts? or do
2017 Nov 15
2
OpenSSH 7.6p1 ssh-agent exiting if passed an invalid key blob
...new failed", __func__); > if ((r = sshkey_froms(e->request, &key)) != 0 || > (r = sshbuf_get_string_direct(e->request, &data, &dlen)) != 0 || > - (r = sshbuf_get_u32(e->request, &flags)) != 0) > - fatal("%s: buffer error: %s", __func__, ssh_err(r)); > + (r = sshbuf_get_u32(e->request, &flags)) != 0) { > + error("%s: couldn't parse request: %s", __func__, ssh_err(r)); > + goto send; > + } > + > if (flags & SSH_AGENT_OLD_SIGNATURE) > compat = SSH_BUG_SIGBLOB; > if ((id = lookup_iden...
2016 Jun 02
2
[PATCH] Link count attribute extension
...t->st_nlink = a->nlink; + } + } } /* Decode attributes in buffer */ @@ -138,6 +148,15 @@ return r; debug3("Got file attribute \"%.100s\" len %zu", type, dlen); + if (strcmp(type, SFTP_EXT_ATTR_LINK_COUNT) == 0) { + if (dlen < 8) { + return SSH_ERR_MESSAGE_INCOMPLETE; + free(type); + free(data); + } + a->has_nlink = 1; + a->nlink = PEEK_U64(data); + } free(type); free(data); } @@ -170,6 +189,24 @@ if ((r = sshbuf_put_u32(b, a->atime)) != 0 || (r = sshbuf_put_u32(b, a->mtime)) != 0) retur...
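Review bot: In the SFTP_EXT_ATTR_LINK_COUNT branch, the `dlen < 8` path executes `return SSH_ERR_MESSAGE_INCOMPLETE;` before `free(type); free(data);`, so both frees are unreachable and the two buffers leak each time a short link-count attribute is decoded. Since `type` and `data` are parsed from the peer's message, the leak is peer-triggerable and repeatable. Move the two frees above the return, or set `r` and fall through to a single cleanup path that frees both.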
2018 Dec 10
2
[PATCH] cleanup of global variables server/client_version_string in sshconnect.c
In sshconnect.c there are two global variables for server_version_string and client_version_string. These are used just in a few functions and can easily be passed as parameters. Also, there is a strange construct, where their memory is allocated to the global pointers, then copies of these pointers are assigned to the kex structure. The kex_free finally frees them via cleanup of the kex
2017 Oct 26
3
[RFC 0/2] add engine based keys
Engine keys are private key files which are only understood by openssl external engines. The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private
2019 Mar 27
26
Call for testing: OpenSSH 8.0
Hi, OpenSSH 8.0p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at
2020 Jan 30
6
[PATCH 1/2] Add support for openssl engine based keys
..., + const char *pin, u_int lifetime, u_int confirm, + u_int maxsign) +{ + struct sshbuf *msg; + int r, constrained = (lifetime || confirm); + u_char type = constrained ? SSH_AGENTC_ADD_ENGINE_KEY_CONSTRAINED : + SSH_AGENTC_ADD_ENGINE_KEY; + + msg = sshbuf_new(); + if (!msg) + return SSH_ERR_ALLOC_FAIL; + r = sshbuf_put_u8(msg, type); + if (r) + goto out; + r = sshbuf_put_cstring(msg, engine); + if (r) + goto out; + r = sshbuf_put_cstring(msg, file); + if (r) + goto out; + r = sshbuf_put_cstring(msg, pin); + if (r) + goto out; + if (constrained) { + r = encode_constraints(msg, lif...
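Review bot: `constrained = (lifetime || confirm)` leaves out `maxsign`, although the function takes it as a parameter. When a caller sets only `maxsign`, the message type becomes SSH_AGENTC_ADD_ENGINE_KEY and the `if (constrained)` branch is skipped, so as far as the visible lines show the signature limit is dropped silently and the key is added without the restriction the caller asked for. Suggest `constrained = (lifetime || confirm || maxsign)`, so that any requested constraint selects the _CONSTRAINED message type.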