Displaying 8 results from an estimated 8 matches for "sshkey_is_cert".
2017 Mar 01
7
[Bug 2686] New: SSHD segfaults when trying to load RSA1 host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2686
Bug ID: 2686
Summary: SSHD segfaults when trying to load RSA1 host keys
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Keywords: patch
Severity: enhancement
Priority: P5
Component: sshd
2015 Jul 26
2
[PATCH] ssh-agent: Add support to load additional certificates
...+ int r, ret = -1;
+
+ /* Load certificate */
+ if ((r = sshkey_load_public(filename, &cert, &comment)) != 0) {
+ if (r != SSH_ERR_SYSTEM_ERROR || errno != ENOENT)
+ error("Failed to load certificate \"%s\": %s",
+ filename, ssh_err(r));
+ goto out;
+ }
+ if (!sshkey_is_cert(cert)) {
+ error("Not a certificate: %s", filename);
+ goto out;
+ }
+
+ /* Add empty private key fields for serialization */
+ if ((r = sshkey_add_private(cert)) != 0)
+ goto out;
+
+ if ((r = ssh_add_identity_constrained(agent_fd, cert, comment,
+ lifetime, confirm)) != 0)...
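Review bot: the sshkey_add_private() failure path jumps to out with r set but prints nothing, unlike the two failures just above it which call error(); add an error("...: %s", ssh_err(r)) before that goto so a failed add is visible to the user rather than silently skipped. Also, a missing certificate file (SSH_ERR_SYSTEM_ERROR with ENOENT) is deliberately ignored without a message, which is reasonable for an optional file but deserves a comment saying so.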
2024 Oct 14
2
[RFC] Preferentially TOFU certificate authorities rather than host keys
...diff --git a/hostfile.c b/hostfile.c
index c5669c703..462ed8357 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -437,12 +437,15 @@ static int
write_host_entry(FILE *f, const char *host, const char *ip,
const struct sshkey *key, int store_hash)
{
- int r, success = 0;
+ int r, success = 0, cert = sshkey_is_cert(key);
char *hashed_host = NULL, *lhost;
lhost = xstrdup(host);
lowercase(lhost);
+ if (cert)
+ fprintf(f, "%s ", CA_MARKER);
+
if (store_hash) {
if ((hashed_host = host_hash(lhost, NULL, 0)) == NULL) {
error_f("host_hash failed");
@@ -457,7 +460,9 @@ write_ho...
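Review bot: writing CA_MARKER in front of the host for certificate keys is consistent with the existing entry layout, but the visible part of this hunk does not show which key is then serialized; for a certificate the known_hosts line must carry the CA's signing key (key->cert->signature_key), not the certificate itself, or the marker entry will never match. The second hunk is cut off in this excerpt, so that part cannot be checked here.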
2025 May 22
1
LogLevel INFO shows few details for Certificate invalid: not yet valid / expired
...Please give the attached patch a try.
-d
-------------- next part --------------
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index e221417..0227d8e 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -212,8 +212,16 @@ hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
if (sshkey_is_cert(key) &&
sshkey_cert_check_authority_now(key, 1, 0, 0, lookup, &reason)) {
- error("%s", reason);
- auth_debug_add("%s", reason);
+ if ((fp = sshkey_fingerprint(key->cert->signature_key,
+ options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
+ fat...
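Review bot: the replacement removes both error("%s", reason) and auth_debug_add("%s", reason); whatever the cut-off lines add, make sure the reason string still reaches both the server log and the client-visible debug output, and that fp is freed on every path once sshkey_fingerprint() succeeds. The hunk is truncated at "fat...", so the failure path of the fingerprint call cannot be reviewed from this excerpt.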
2025 May 21
1
LogLevel INFO shows few details for Certificate invalid: not yet valid / expired
On 4/5/25 15:01, Lars Noodén wrote:
> I notice that when using log level INFO it seems sshd(8) provides very
> little information about failed SSH certificate log in attempts:
>
> Apr  5 14:44:41 server sshd-session[51695]: error: Certificate invalid:
> not yet valid
>
> Apr  5 14:45:31 server sshd-session[88953]: error: Certificate invalid:
> expired
>
>
2018 Sep 06
4
Some wishes regarding revoked keys
Hello.
I am trying to play through the following test scenario about
certificate revocation on Ubuntu 18.04, which has OpenSSH of this version:
OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n  7 Dec 2017
1. A CA key is created
ssh-keygen -t ed25519 -f ca
2. The CA public key is added to ~/.ssh/authorized_keys on some server:
cert-authority ssh-ed25519 AAAA...e ca at yoga
3. A user key is created on a
2016 Nov 21
11
[Bug 2642] New: [sshconnect2] publickey authentication only properly works if used first: pubkey_prepare doesn't work after pubkey_cleanup
https://bugzilla.mindrot.org/show_bug.cgi?id=2642
Bug ID: 2642
Summary: [sshconnect2] publickey authentication only properly works if used first: pubkey_prepare doesn't work after pubkey_cleanup
Product: Portable OpenSSH
Version: 7.3p1
Hardware: amd64
OS: Linux
Status:
2018 Mar 22
16
Call for testing: OpenSSH 7.7
Hi,
OpenSSH 7.7p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at