search for: sshsig

Displaying 9 results from an estimated 9 matches for "sshsig".

2024 Apr 11
0
[PATCH] sshsig: check hashalg before selecting the RSA signature algorithm
...ons that can't support sha512 from signing messages. An example of this is TPMs which mostly only really support sha256 widely. This change enables `ssh-keygen -Y sign` to honor the `hashalg` option for the signing algorithm. Signed-off-by: Morten Linderud <morten at linderud.pw> --- sshsig.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/sshsig.c b/sshsig.c index 470b286a3..033b43353 100644 --- a/sshsig.c +++ b/sshsig.c @@ -190,8 +190,14 @@ sshsig_wrap_sign(struct sshkey *key, const char *hashalg, } /* If using RSA keys then default to a good sig...
2023 Oct 20
0
[PATCH] Clean up the regress directory with make clean
...rm -f regress/sk-ssh-ed25519 at openssh.com* + rm -f regress/ssh-ed25519* + rm -f regress/ssh_output + rm -f regress/ssh_proxy.bak + rm -f regress/sshd-log-wrapper.sh + rm -f regress/sshd_config_minimal + rm -f regress/sshd_proxy_host_* + rm -f regress/sshsig-agent-sk-ssh-ed25519 at openssh.com* + rm -f regress/sshsig-agent-ssh-ed25519* + rm -f regress/sshsig-sk-ssh-ed25519 at openssh.com* + rm -f regress/sshsig-ssh-ed25519* + rm -f regress/user_* + rm -f regress/wrong-key* + rm -f regress/*agent*.pub + rm -f re...
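Review bot: the broad globs near the end of the visible list (`rm -f regress/user_*`, `rm -f regress/wrong-key*`, `rm -f regress/*agent*.pub`) select files by name pattern rather than by what the tests generated, so please confirm that no file tracked under regress/ matches them, or narrow them to the exact generated names. The per-key-type lines such as `rm -f regress/sshsig-ssh-ed25519*` also have to be extended by hand whenever the tests start generating another key type; a single variable listing the generated files would keep the clean target in step with the tests.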
2020 Jun 09
3
[PATCH v2 0/2] Add openssl engine keys with provider upgrade path
I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may
2020 Sep 27
0
Announce: OpenSSH 8.4 released
...challenges for FIDO/U2F keys. When signing messages in ssh-agent using a FIDO key that has an application string that does not start with "ssh:", ensure that the message being signed is one of the forms expected for the SSH protocol (currently public key authentication and sshsig signatures). This prevents ssh-agent forwarding on a host that has FIDO keys attached granting the ability for the remote side to sign challenges for web authentication using those keys too. Note that the converse case of web browsers signing SSH challenges is already precluded bec...
2020 Sep 20
13
Call for testing: OpenSSH 8.4
...challenges for FIDO/U2F keys. When signing messages in ssh-agent using a FIDO key that has an application string that does not start with "ssh:", ensure that the message being signed is one of the forms expected for the SSH protocol (currently public key authentication and sshsig signatures). This prevents ssh-agent forwarding on a host that has FIDO keys attached granting the ability for the remote side to sign challenges for web authentication using those keys too. Note that the converse case of web browsers signing SSH challenges is already precluded bec...
2020 Sep 21
4
Call for testing: OpenSSH 8.4
On Mon, 21 Sep 2020 at 09:53, Hisashi T Fujinaka <htodd at twofifty.com> wrote: > OK, NetBSD-current amd64, NetBSD-9-amd64, and NetBSD-9-i386 all pass all > tests. MacOS, well, I always try it but it has problems. What's the problem on OS X? We test on it regularly (El Capitan and High Sierra) and the only problem I'm aware of is that the native libcrypto on High Sierra is
2020 Jan 30
6
[PATCH 1/2] Add support for openssl engine based keys
...e9612 100644 --- a/Makefile.in +++ b/Makefile.in @@ -136,7 +136,7 @@ SCP_OBJS= scp.o progressmeter.o SSHADD_OBJS= ssh-add.o $(SKOBJS) -SSHAGENT_OBJS= ssh-agent.o ssh-pkcs11-client.o $(SKOBJS) +SSHAGENT_OBJS= ssh-agent.o ssh-pkcs11-client.o ssh-engine.o $(SKOBJS) SSHKEYGEN_OBJS= ssh-keygen.o sshsig.o $(SKOBJS) diff --git a/authfd.c b/authfd.c index 05fd45401..7cd22044e 100644 --- a/authfd.c +++ b/authfd.c @@ -569,6 +569,52 @@ ssh_remove_identity(int sock, struct sshkey *key) return r; } +/* + * Add an engine based identity + */ +int +ssh_add_engine_key(int sock, const char *file, const...
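Review bot: in the Makefile.in hunk, `ssh-engine.o` is added to `SSHAGENT_OBJS` unconditionally, so it is compiled and linked into ssh-agent in every configuration, including builds made without OpenSSL. Either make the object conditional on a configure check for engine support, or confirm that the source behind `ssh-engine.o` is guarded so that it compiles to nothing when engine support is unavailable.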
2020 Apr 25
2
[PATCH 1/3] Add private key protection information extraction to ssh-keygen
...y_check_revoked(struct sshkey *key, const char *revoked_keys_file); diff --git a/regress/Makefile b/regress/Makefile index 62794d25fc42..ae6f4dd09edc 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -92,7 +92,8 @@ LTESTS= ?? ?connect \ ??? ??? ?allow-deny-users \ ??? ??? ?authinfo \ ??? ??? ?sshsig \ -?? ??? ?keygen-comment +?? ??? ?keygen-comment \ +??????? keygen-private-information ? ? ?INTEROP_TESTS=?? ?putty-transfer putty-ciphers putty-kex conch-ciphers diff --git a/regress/keygen-private-information.sh b/regress/keygen-private-information.sh new file mode 100644 index 000000000000..a99...
2020 Jul 21
11
[RFC PATCH 0/4] PAM module for ssh-agent user authentication
Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.