search for: ssh_fp_md5

Hi, I am happy to (re)send a set of patches for compiling OpenSSH 4.7p1 with FIPS 140-2 OpenSSL. These are based on previously reported patches by Steve Marquess <marquess at ieee.org> and Ben Laurie <ben at algroup.co.uk>, for ver. OpenSSH 3.8. Note that these patches are NOT OFFICIAL, and MAY be used freely by anyone. Issues [partially] handled: SSL FIPS Self test. RC4,

...de <openssl/sha.h> + #ifdef OPENSSL_FIPS + #include <openssl/fips.h> + #endif + + /* import */ extern char *client_version_string; extern char *server_version_string; *************** *** 591,597 **** key->type, pktype); goto done; } ! fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); debug2("input_userauth_pk_ok: fp %s", fp); xfree(fp); --- 604,611 ---- key->type, pktype); goto done; } ! fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, ! SSH_FP_HEX); debug2("input_userauth_p...

...------------- next part -------------- *** auth2-pubkey.c.orig Sun Feb 9 12:48:09 2003 --- auth2-pubkey.c Sun Feb 9 19:57:09 2003 *************** *** 183,188 **** --- 183,193 ---- debug("trying public key file %s", file); + /* log public key */ + + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + verbose("Attempt public key authentication for %s with %s key: %s", pw->pw_name, key_type(key), fp); + /* Fail quietly if file does not exist */ if (stat(file, &st) < 0) { /* Restore the privileged uid. */ *************** *** 244,249 **** --- 249,255...

...tinue searching. */ authenticated = 1; + if (options.log_fingerprint) { + Key *auth_key = key_new(KEY_RSA1); + auth_key->rsa->n = pk->n; + auth_key->rsa->e = pk->e; + log("Found matching %s key: %s", + key_type(auth_key), + key_fingerprint(auth_key, SSH_FP_MD5, SSH_FP_HEX)); + key_free(auth_key); + } break; } diff -ruN openssh-3.0.2p1.dist/auth2.c openssh-3.0.2p1/auth2.c --- openssh-3.0.2p1.dist/auth2.c Tue Nov 13 04:46:19 2001 +++ openssh-3.0.2p1/auth2.c Tue Dec 4 14:12:37 2001 @@ -690,8 +690,13 @@ found_key = 0; found = key_new(key->t...

Hi, I don't see any way to view the details of a certificate once it is generated. Having such a capability would be very handy for debugging purposes to check what constraints, principals, and validity interval are associated with a given cert. -- Iain Morgan

...} +#ifdef HAVE_LIBKEYUTIL + if (inkernel) { + u_char *blob; + u_int len; + + xfree(comment); + comment = xmalloc(strlen(filename) + strlen("ssh:") + 1); + sprintf(comment, "ssh:%s", filename); + + fprintf(stderr, "Adding key %s\n", key_fingerprint(private, SSH_FP_MD5, SSH_FP_HEX)); + if (!key_to_blob(private, &blob, &len)) + fatal("key_to_blob: %s\n", filename); + + if (add_key("user", comment, blob, len, KEY_SPEC_USER_SESSION_KEYRING) < 0) + fatal("Failed to add key: %s\n", filename); + + xfree(comment); + key_...

...the loop if authentication was successful; * otherwise continue searching. */ authenticated = 1; + + if (options.log_key_fingerprint == 1) { + Key *k = key_new(KEY_RSA); + RSA *old_rsa = k->rsa; + k->rsa = pk; + snprintf(info,info_size," fp %s",key_fingerprint(k,SSH_FP_MD5,SSH_FP_HEX)); + k->rsa = old_rsa; + key_free(k); + } break; } /* Restore the privileged uid. */ restore_uid(); diff -u5 openssh-3.0.2p1.orig/auth.h openssh-3.0.2p1/auth.h --- openssh-3.0.2p1.orig/auth.h Wed Jul 4 06:46:57 2001 +++ openssh-3.0.2p1/auth.h Tue Jan 29 13:45:29 2002...

https://bugzilla.mindrot.org/show_bug.cgi?id=1765 Summary: Error message if key not first in authorized_keys file Product: Portable OpenSSH Version: 5.5p1 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org

...*/ + if ( strlen(cp) && ( cp[strlen(cp)-1] == '\n' ) ) + cp[strlen(cp)-1] = '\0'; + log("Authorized key '%s' in %s", cp, file); debug("matching key found: file %s, line %lu", file, linenum); fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(found), fp);

...0100 +++ openssh-6.2p1-modified/auth2-pubkey.c 2013-06-09 20:07:15.039975210 +0200 @@ -554,7 +554,8 @@ } execl(options.authorized_keys_command, - options.authorized_keys_command, user_pw->pw_name, NULL); + options.authorized_keys_command, user_pw->pw_name, + key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX), NULL); error("AuthorizedKeysCommand %s exec failed: %s", options.authorized_keys_command, strerror(errno)); Does this sound interesting? Thanks, Jason

Have you seen this? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513 --mancha

...- - if (show_other_keys(host, host_key)) - snprintf(msg1, sizeof(msg1), - "\nbut keys of different type are already" - " known for this host."); - else - snprintf(msg1, sizeof(msg1), "."); - /* The default */ - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); - msg2[0] = '\0'; - if (options.verify_host_key_dns) { - if (matching_host_key_dns) - snprintf(msg2, sizeof(msg2), - "Matching host key fingerprint" - " found in DNS.\n"); - else - snprintf(msg2, sizeof(msg2), - &qu...

Hi! I'm pretty sure that this isn't currently supported, so, I'll give it a shot and rather be rtfm-flamed instead of not trying :) Is there any way of logging what line of authorized_keys (and what file) that was used when a user logs in? It would be very nice to have to improve auditing logins of accounts with multiple publickeys. And, if there isn't - Would it be of

...+ 3) + break; + strcat(msg_same_key, "\t"); + strcat(msg_same_key, x->host); + strcat(msg_same_key, "\n"); + } + free_hostlist(keyhosts); + } else { + msg_same_key[0] = '\0'; + } + /* The default */ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); msg2[0] = '\0'; @@ -740,10 +763,11 @@ snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " "established%s\n" + "%s" "%s key fingerprint is %s.\n%s" "...

...the same format. They consist of a single +string, containing values separated by semi-colons, in the following order + + fingerprint;caname;identity;options;validfrom;validto;algorithm;signature + +Values must not contain semi-colons or NUL bytes, but may be empty. + +'fingerprint' is the SSH_FP_MD5 SSH_FP_HEX fingerprint of the RSA key signing +the certificate (the CA key), e.g. the output of ssh-keygen -l for +/etc/ssh/ca.pub. + +'caname' is the name of the CA. This can be used to associate certificates with +CAs. The format is not defined, though using domain names is suggested. + +...

https://bugzilla.mindrot.org/show_bug.cgi?id=983 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1930 --- Comment #34 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:24 EST --- Retarget unresolved

...comment = cp; + commentlen = strlen(comment); + if (commentlen > 0 && comment[commentlen -1] == '\n') + comment[commentlen - 1] = '\0'; + fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(found), fp); @@ -721,6 +765,9 @@ break; } } + + strncpy(realname, comment, commentlen); + restore_uid(); fc...