similar to: x509v3 certificates in OpenSSH

Hi all, I have pleasure to announce new version f of "X.509 certificates support in OpenSSH" Please to update your bookmarks/favorites with new location: http://roumenpetrov.info/openssh Old location is available too: http://satva.skalasoft.com/~rumen/openssh What's new: * support "Certificate Revocation Lists" (CRLs) * ssh-keyscan can show hostkey with

Hi All, Please visit http://satva.skalasoft.com/~rumen/openssh/ to get new version with support for x509 certificate. - added authorization by 'Distinguished Name'; - added x509 CA store (new options in sshd_config); - client certificate is verified against CA certificates in x509 store; - added shell scripts to create 'Test CA' and test client certificates. Diffs aviable for

I am just finished support for x509 certificate. More information on this page: http://satva.skalasoft.com/~rumen/openssh/

Hello All. As promised, here is what I needed to do to get the regression tests to work on AIX & HPUX. It goes into a bit of detail in the hope that others might be able to get them running on their platforms. I've run these mods on AIX 4.3.3, HP-UX 11.00, Solaris 8, Redhat 7.3 and OpenBSD 3.0. The problems I encountered: * prereqs (pmake, md5sum) * bad directory owner/mode causing auth

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi guys, been trying the x509 patch for ssh from Roumen, it works great. However, I can't figure out couple of things, and been trying to solve it for couple of days already. I'am using OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g with 6.1 version of your patch. The serverside hostkey is configured correctly, to present x509v3-sign-rsa dynowork

Hi All, The version 5.3 of "X.509 certificates support in OpenSSH" is published. This version adds preliminary support for "x509v3-sign-rsa-sha1" and "x509v3-sign-dss-sha1" key type names in conformance with "draft-ietf-secsh-x509-02.txt" and extends "x509v3-sign-dss key type with signatures in "ssh-dss" format. More details on page

Hi All, The version 5.4 of "X.509 certificates support in OpenSSH" is ready for download. On download page http://roumenpetrov.info.localhost/openssh/download.html#get_-5.4 you can found diffs for OpenSSH versions 4.2p1 and 4.3p2. What's new: * given up support for "x509v3-sign-rsa-sha1" and "x509v3-sign-dss-sha1" The implementation realised in previous

On command: #kill -9 `cat /var/run/sshd.pid` sshd leave pid file ! sshd.c code: =============== .... /* * Arrange to restart on SIGHUP. The handler needs * listen_sock. */ signal(SIGHUP, sighup_handler); signal(SIGTERM, sigterm_handler); signal(SIGQUIT, sigterm_handler); .... =============== Missing line is : signal(SIGKILL, sigterm_handler);

Hi, I am trying to set up OpenSSH with x509 certs and I'm getting nowhere. I've been at this on and off for days and doing all the googling I can but I'm still not making progress so any help would be very much appreciated. I believe the latest OpenSSH builds support x509 certificates - I'm running 5.5 on Ubuntu 10.04. What I want to do is have users on Windows boxes using

Hi, Could anyone pls help by telling me how the DH pubkey from the server (f) is encoded when it is sent back to me? I understand that it comes across as an mpint, but after I decode the mpint into the bytes that make up the number, what does this number represent? Is it a X509 encoded key? Or is it something else? The reason for my question: I am trying to write a ssh client in Java,

Dear List, Regarding the "X509v3 Certificates" patch ... (See links below) - http://marc.info/?l=openssh-unix-dev&m=110976923021961&w=2 - http://marc.info/?l=openssh-unix-dev&m=110973268111830&w=2 - http://roumenpetrov.info/openssh How would I apply this patch to the OpenSSH currently in FreeBSD(.org) and/or PC-BSD(.org)?? Please CC: me on the reply because I

I'm pleased to announce that the version "h"(code-name Validator) of "X.509 certificates support in OpenSSH" is now available for immediate download at http://roumenpetrov.info/openssh. Features: * "x509v3-sign-rsa" and "x509v3-sign-dss" public key algorithms * certificate verification * certificate validation o CRL o OCSP (optional and

Hi All, Diffs of "X.509v3 certificates support for OpenSSH" versions g4(Compatibility) and h(Validator) for OpenSSH-3.9p1 are ready for download. Please visit "http://roumenpetrov.info/openssh" for more information. Features: * "x509v3-sign-rsa" and "x509v3-sign-dss" public key algorithms * certificate verification * certificate validation o CRL o

Dear All, X.509 certificates support for OpenSSH version 6.0p1 was published. I brief new version include : - support for Android platform; - engine implementation is now considered stable; - various regression test improvements including fixes for OpenSSL FIPS enabled 1.0.1 stable release and korn shell Yours sincerely, Roumen Petrov -- Get X.509 certificates support in OpenSSH:

Hi Roumen, I discovered that the need of appending the .pub part of id_rsa(client key+cert) on the server can be eliminated by adding the Certificate Blob to authorized_keys which could look something like this: x509v3-sign-rsa subject= /C=FR/ST=PARIS/L=DESEl/O=SSL/OU=VLSI/CN=10.244.82.83/emailAddress=client at company.com This is extracted from the client certificate using openssl as

This (very quick) patch allows you to connect with the commercial ssh.com windows client and use x509 certs for hostkeys. You have to import your CA cert (ca.crt) in the windows client and certify your hostkey: $ cat << 'EOF' > x509v3.cnf CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign CERTIP = 0.0.0.0 [x509v3_CA]

Hello All, As I promised, I've completed and initial patch for openssh PKCS#11 support. The same framework is used also by openvpn. I want to help everyone who assisted during development. This patch is based on the X.509 patch from http://roumenpetrov.info/openssh/ written by Rumen Petrov, supporting PKCS#11 without X.509 looks like a bad idea. *So the first question is: What is the

When is the x.509 patch going to become part of the main distribution of OpenSSH, and if not, why? Looks like other projects i.e. OpenSC might be using it now as well. Secondly, thought I'd try it again, new patch (Validator), same error... TIA, cs ######################## # ssh-x509 Unknown Public Key Type ######################## 1 Installed OpenSSL-0.9.7d (no customization) 2

Folks: Thanks to all who helped me get ssh up and running on my development box. Now I want to make a distribution package to take and install on the rest of my network. I am not sure what to transfer from box to box and what to run to get started. I did the install on the dev box and all tested fine. Is there a "standard distribution" list of only files required for running ssh on

I've seen a variety of patches on the list for supporting the x509v3 certificate authentication. Are there any plans to include any of these in the official openssh? Thanks, Kevin Stefanik