similar to: Update of SRP patch

This is the 2nd beta release of SRP for OpenSSH. The patch attached to this message is relative to the current (20010411) CVS sources of OpenSSH-portable (2.5.4p1). A tarball is also available: http://members.tripod.com/professor_tom/archives/ http://members.tripod.com/professor_tom/archives/openssh-2.5.4p1-srp6.tar.gz (Note: Tripod requires you to LEFT click on links to download files, and

On Sun, 29 Apr 2001, RJ Atkinson wrote: > At 06:26 27/04/01, Tom Wu wrote: > >For those of you who were following the discussion about the new draft > >and implementation of SRP-based password authentication in OpenSSH, I > >promised to have Stanford issue the IETF an official, explicit, > >statement reiterating the unencumbered royalty-free licensing terms. > >The

This is to announce the availability of SRP (Secure Remote Password) support for OpenSSH. A tarball is available on Tripod: http://members.tripod.com/professor_tom/archives/ http://members.tripod.com/professor_tom/archives/openssh-2.5.2p2-srp5.tar.gz (Note: Tripod requires you to LEFT click on links to download files.) To install, unpack, configure --with-srp, and make install, then create an

The way things are now, input_userauth_request() calls the authmethod, and then does a bunch of checks, like the special case for root. If an authmethod requires a challenge-response conversation, these checks are skipped, unless they are duplicated by the authmethod. For example, in auth2-chall.c, some of the code is duplicated (logging, sending the reply), but the root special case is skipped.

I noticed that (perhaps because ':' is invalid in a username) you can say ssh -l user:style host, where the "user:style" is sent by the client, and the server strips the ":style" part off and makes it available as part of the authentication context. It's currently unused. What are the plans for this, if any? I was experimenting with the idea of using it with SRP

Correct me if I'm wrong, but init_rng() in entropy.c doesn't call seed_rng(), and in fact seed_rng() isn't called from _anywhere_ (in openssh-2.5.1p2). So calls to BN_rand() only pick up the tiny/non-existent amount of entropy added by BN_rand() itself from the system clock (time in seconds). Shouldn't seed_rng() be called from init_rng()? It should be called from _somewhere_,

Does anybody use openbsd-compat/vis.c? Not at the moment I think: % find . -name '*.[ch]' -exec grep -l "vis *(" {} \; ./openbsd-compat/vis.c ./openbsd-compat/vis.h % find . -name '*.[ch]' -exec grep -l VIS_ {} \; ./includes.h ./openbsd-compat/vis.c ./openbsd-compat/vis.h The reason I ask is, AT&T's graphviz package includes a vis.h, and when I try to compile

The latest snapshot (20020324) fails to compile here. Linux 2.4.18-rc1 Alpha The first messages are: monitor_wrap.c: In function `mm_request_receive': monitor_wrap.c:91: warning: int format, different type arg (arg 3) monitor_wrap.c:100: warning: int format, different type arg (arg 3) which have to do with fatal() calls and int not being the same as ssize_t... But the next one is the

This is a Linux/Alpha system, with AT&T's graphviz suite installed. gcc -O2 -Wall -I. -I. -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -DHAVE_CONFIG_H -c atomicio.c In file included

Hello all Support for Secure Remote Password (SRP) for OpenSSH was last discussed in 2004: http://marc.info/?l=openssh-unix-dev&w=2&r=1&s=SRP&q=b There's a SRP patch for OpenSSL that's about 2 years in the making: http://rt.openssl.org/Ticket/Display.html?id=1794 Tom Wu from Stanford has been working on that. Has anything changed since 2004 that would make inclusion

Dear members. I'm looking for best practice for administration Infiniband SRP volume with libvirt (virsh) How to manage these volumes? * SRP Disk is /dev/disk/by-id/scsi-2766f6c3030303037 or /dev/sdi Now I edited guest domain file with ``virsh edit XXXX'' command and append the following lines. <disk type='block' device='disk'>

For those of you who were following the discussion about the new draft and implementation of SRP-based password authentication in OpenSSH, I promised to have Stanford issue the IETF an official, explicit, statement reiterating the unencumbered royalty-free licensing terms. The new statement is now available from the IETF's IPR page. Tom

Are there any plans to include support for SRP or a similar zero-knowledge password protocol into OpenSSH? -- Jeremy

Just wondering if there were any plans to integrate SRP support into OpenSSH. And if there aren't would a patch be accepted that would enable such. And if so could anyone give me a couple of pointers as to where the authentication code goes. Edward Flick

G'day, First off, I'm not subscribed to the list, so if there are any responses that should be directed to me, feel free to CC me in :) The below url is an updated patch of Professor Tom's earlier SRP patches for SSH. The only things changed was so that it would compile on a newer openssh version. For more information regarding SRP, see http://srp.stanford.edu This isn't

Hello - got a small wishlist item here: The currently available LogLevel settings (according to the man page) are: QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. Using "INFO" causes messages about RSA key re-generation to appear in the auth logs. However using the next-lower LogLevel of "ERROR" causes client IP and port to not be reported in the auth logs. I was hoping for

fyi http://wwwcip.informatik.uni-erlangen.de/~msfriedl/openssh/TODO

I just joined the list, and I see in the archives that about a month ago there was a brief discussion of SRP, but it was dismissed. I urge people to take a look at this site: http://srp.stanford.edu/srp/ It's very cool. Let's say I'm on vacation visiting a friend, and I want to log in to my account back home. I trust my friend's machine, but I don't have my home

>Simply stated, SRP is a strong password authentication protocol that >resists passive/active network attack, and when used in conjunction with >OpenSSH, solves the "unknown host key" problem without requiring host >key fingerprint verification or PKI deployment (e.g. X.509 certs). Put >another way, is there any good reason *not* to fold these patches into >OpenSSH

In message <Pine.LNX.4.30.0104031615270.8678-100000 at holly.crl.go.jp>, Tom Holro yd writes: >SRP has different requirements from Diffie-Hellman. In particular, >for SRP the generator must be primitive. It turns out that the "primes" >file contains only safe primes with primitive generators, and is thus >ideal for SRP, but so far in OpenSSH it has only been used for