similar to: Pending OpenSSH release, call for testing.

(was: "Re: Pending OpenSSH release, call for testing", topic drift at its finest :-) Markus Moeller wrote: > Douglas, > > OK three possible settings(hostname,connection IP,GSS_C_NO_NAME) are fine for me too. Does GSS_C_NO_NAME relate to this bug (addressless tickets)? http://bugzilla.mindrot.org/show_bug.cgi?id=488 BTW, I opened a bug the the multihomed thing a couple of

Thomas Calderon <calderon.thomas at gmail.com> writes: > Hi, > > There is no need to add new mechanism identifiers to use specific curves. > > This can be done already using the CKM_ECDSA mechanism parameters (see > CKA_ECDSA_PARAMS > in the standard). > Given that the underlying HW or SW tokens supports Ed25519 curves, then you > could leverage it even with

On 10/8/2015 4:49 AM, Simon Josefsson wrote: > Mathias Brossard <mathias at brossard.org> writes: > >> Hi, >> >> I have made a patch for enabling the use of ECDSA keys in the PKCS#11 >> support of ssh-agent which will be of interest to other users. > > Nice! What would it take to add support for Ed25519 too? Do we need to > allocate any new PKCS#11

Hi All. OpenSSH is getting ready for a release soon, so we are asking for all interested parties to test a snapshot. Changes include: * sshd will now re-exec itself for each new connection (the "-e" option is required when running sshd in debug mode). * PAM password authentication has been (re)added. * Interface improvements to sftp(1) * Many bug fixes and improvements, for

I have not looked at Kerberos is years. But it looks like KRB5CCNAME comes from: https://github.com/openssh/openssh-portable/blob/master/gss-serv-krb5.c#L134-L197 But it depends on which version of Kerberos you have, and if you are also use PAM. Google for: heimdal kerberos cache name It looks like there is now a SSSD Kerberos Cache Manager rather then storing in individual file. On 6/11/2024

On Jan 17, 2017, at 9:57 AM, Douglas E Engert <deengert at gmail.com> wrote: > On 1/16/2017 2:09 PM, Ron Frederick wrote: >> I?m working on an implementation of ?gssapi-with-mic? authentication for my AsyncSSH package and trying to get it to interoperate with OpenSSH. I?ve gotten it working, but there seems to be a discrepancy between the OpenSSH implementation and RFC 4462.

[[Sending again, as for some strange reason it is not accepted]] Hello OpenSSH developers, I maintain external patch for PKCS#11 smartcard support into OpenSSH[1] , many users already apply and use this patch. I wish to know if anyone is interesting in working toward merging this into mainline. I had some discussion with Damien Miller, but then he disappeared. Having standard smartcard

On 6/6/2024 8:26 AM, Dave Macias wrote: > *I wanted to see if I could make the cache file user-specific, instead of > the default location (/tmp/krb5cc-blabla).* SSH is creating a separate ticket cache file for each login session and owned by the user. This has been the preferred way to do this for decades. https://kerberos.mit.narkive.com/YJB4Hshz/krb5ccname-and-sshd Your: "Ticket

On 6/24/2017 11:35 AM, Emmanuel Deloget wrote: > Hello Douglas, > > On Fri, Jun 23, 2017 at 9:16 PM, Douglas E Engert <deengert at gmail.com <mailto:deengert at gmail.com>> wrote: > > OpenSC has taken a different approach to OpenSSL-1.1. Rather then writing > > a shim for OpenSSL-1.1, the OpenSC code has been converted to > > the OpenSSL-1.1 API and a

Just to show what i mean when i ssh into my vms, 2 vms save the cache in /tmp and the other 2 in /home. See what happens when i run the loop below: > for i in rocky8client rocky9client rocky9server rocky8server; do /usr/bin/sshpass -p password /usr/bin/ssh -l jdoe $i "hostname; klist"; done rocky8client.domain.net Ticket cache: FILE:/tmp/krb5cc_2000_WP04h8h0sa Default

Rather then implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two

Thank you both for the replies and explanation! @douglas Can i set?KRB5CCNAME somewhere so that it uses /home? Where? But even if i could set the env variable i have this odd behavior: I now have 4 vms running. 2 are rocky8 and 2 are rocky9, with same settings and versions I stated on my first post. From the 4 vms, when I ssh into them, 2 of them set a cache file in the users home and the

With openssh-snap-20040212 the configure.ac when it finds a krb5-config file, does not call the AC_DEFINE(GSSAPI) or AC_CHECK_HEADER(gssapi.h...) This means that GSSAPI and HAVE_GSSAPI_H are not defined, and thus GSSAPI is not built. If I rename the kerberos provided krb5-config file and run configure, the old method of finding the Kerberos lib and include directories is used and OpenSSH

OpenSC has taken a different approach to OpenSSL-1.1. Rather then writing a shim for OpenSSL-1.1, the OpenSC code has been converted to the OpenSSL-1.1 API and a sc-ossl-compat.h" file consisting of defines and macros was written to support older versions of OpenSSL and Libressl. https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc-ossl-compat.h The nice part of this approach is

I am trying to transition several HP/UX 11i (PA/RISC) servers from ssh.com over to OpenSSH+GSSAPI (3.9p1) and it's complaining about the GSSAPI include files: -=- gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/krb5/include -DSSHDIR=\"/usr/local/etc\"

----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> ----- Date: Fri, 2 May 2003 14:01:33 +0200 From: Andrea Barisani <lcars at infis.univ.trieste.it> To: openssh at openssh.com Subject: openssh 3.6.1_p2 problem with pam Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour: # ssh -l lcars mybox [2 seconds delay] lcars at mybox's

In an environment where users use smart cards to authenticate on Windows and then use ssh to login to UNIX systems via GSSAPI, it is nigh impossible to renew/refresh the Kerberos credentials in the UNIX session. If the user fails to renew their credentials before they expire, the user is stuck and must log out and log back in to get valid tickets. Meanwhile it is entirely likely that on the

Hi, This is another attempt to get my gssapi for multi homed systems into openssh. Please find attach a small change so that gssapi authentication works on multihomed systems. Regards Markus -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-3.8p1-mm.diff Type: application/octet-stream Size: 3599 bytes Desc: not available Url :

Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. I've also got MIT Kerberos for Windows installed on the client, and Leash shows that my tickets ARE forwardable. Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and OpenSSH 4.0p1. I've created two AD accounts, and extracted keys mapped to "host/hostname.domainname.com at REALM.COM" and

Hello, I have a question about SSH with Kerberos password authentication . Do I receive any host ticket to my client machine when I do ssh connection with Kerberos password authenticaiton? If dont, why? If I login to remote machine through telnet with Kerberos Password authentication [through PAM-kerberos], then I can see the tickets with klist. But with the same setup for sshd, I cannot see