similar to: [RFC]: OpenSSH vpn lists

2023 Nov 12
1
Match Principal enhancement
Hi OpenSSH devs, I'm wondering if the following has any merit and can be done securely ... If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like /etc/ssh/authorized_keys/sshfwd: cert-authority,principals="batcha-fwd,batchb-fwd" ... /etc/ssh/sshd_config containing: Match User sshfwd PubkeyAuthentication yes
2023 Nov 12
1
Match Principal enhancement
AFAIK everything you described here could be done using the AuthorizedKeysCommand or AuthorizedPrincipalsCommand directives. These can emit authorized_keys options (inc. permitopen) as well as the allowed keys/principals. On Sun, 12 Nov 2023, Bret Giddings wrote: > Hi OpenSSH devs, > > I'm wondering if the following has any merit and can be done securely ... > > If you could
2002 May 07
0
tunnel connection like a service with cygwin or other products?
Stephan Hendl wrote: >Darren Tucker wrote: >> The first part should be easy: use cygwin openssh client using some kind >> of passwordless authentication (eg RSA). >> >> To make it run entirely in the background, run it from cygrunsrv (part >> of Cygwin) or SRVANY (NT resource kit). Neither of these work on W95, >> only NT or W2K. > > How does the
2000 Oct 07
2
[PATCH]: Add tcp_wrappers protection to port forwarding
Hi, attached is a patch by Chris Faylor <cgf at cygnus.com> relative to 2.2.0p1. Description: OpenSSH does not allow port gatewaying by default. This means that only the local host can access forwarded ports. Adding "GatewayPorts yes" to .ssh/config usually does this job. Unfortunately, OpenSSH does not recognize the same hosts.allow/ hosts.deny options as ssh.com's sshd
2005 Sep 11
1
DSA support for TLS?
hi all, i've dovecot TLS working correctly w/ locally generated *RSA* CA cert, domain privkey & self-signed domain cert. to that end, my dovecot.conf includes: ssl_key_file = /var/Security/mail.testdomain.com.privkey.rsa.pem ssl_cert_file = /var/Security/mail.testdomain.com.cert.rsa.pem ssl_ca_file =
2019 May 27
1
pam authentication error?
Getting this: auth-worker(5045): Error: pam(kremels,xxx.xxx.xxx.xxx: pam_authenticate() failed: authentication error (/etc/pam.d/dovecot missing?) # cat /etc/pam.d/dovcot auth required pam_unix.so nullok account required pam_unix.so (file was last updated in April of 2018) passdb { username_filter = "!*@*" driver = pam } userdb { driver = passwd } service auth {
2018 Aug 29
3
SNI Dovecot
Hi all, I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains. I'm using letsencrypt certificates. On the 10-ssl.conf, when I only use one domain, like this, it works : ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key =
2018 Jul 22
0
ot: LE server conf setup/ iPhone 'expired cert' message
Have you restarted Dovecot to reload the renewed certificate? On 22 July 2018, 15:04, at 15:04, Voytek Eymont <voytek at sbt.net.au> wrote: >I've installed LE certs on my Dovecot a while back, and, it has been >working OK since, but, today, an iPhone user said he can't get emails >as >iphone says 'cert is expired', searching around, I see some other
2018 Aug 31
0
SNI Dovecot
FYI dovecot 2.2.10 from RedHat 7 has an issue with clients, which won't send SNI. As you are using version 2.2.27 you might encounter the same behaviour. If the client won't send SNI, my server randomly answers with any cert instead of the default cert, --Perhaps dovecot just utilises the last used cert? One speciality of my certs is, that both share the same Common Name (CN) but differ
2016 Apr 13
2
Warning: Global setting won't change the setting inside an earlier filter
Hi, I'm using the Dovecot Prebuilt Binary: deb http://xi.rename-it.nl/debian/ stable-auto/dovecot-2.2 main I configured multiple SSL certificates with client TLS SNI (see http://wiki2.dovecot.org/SSL/DovecotConfiguration). Since my last update I get some warnings: doveconf: Warning: /etc/dovecot/conf.d/10-ssl.conf line 12: Global setting ssl_cert won't change the setting inside an
2018 Jul 22
4
ot: LE server conf setup/ iPhone 'expired cert' message
I've installed LE certs on my Dovecot a while back, and, it has been working OK since, but, today, an iPhone user said he can't get emails as iphone says 'cert is expired', searching around, I see some other iPhone similar issues reported, do I have my conf correct, I have; # cat dovecot.conf | grep ssl ssl = required verbose_ssl = no ssl_cert =
2018 Dec 14
2
Upgrade to 2.3.1 has failed
Aki hello, thank you. Hopefully excerpts and top posting are acceptable in the mailing list? On that assumption: Thanks for the input. I've checked out your suggestions (details below) but unfortunately no joy. I also restored my backup 10-ssl.conf. It indeed has the "<" sign with a space before the explicit paths to the files: ssl_cert =
2002 Jul 19
1
OpenSSH 3.4p1 hostbased auth - howto?
How do you enable hostbased authentication in OpenSSH? I have two Red Hat 7.3 machines running openssh-3.4p1, and I would like to be able to ssh from either of the machines to the other, as any user, without using passwords or per-user keys. My /etc/ssh/sshd_config contains: [...] IgnoreRhosts no HostbasedAuthentication yes [...] My /etc/ssh/ssh_config contains: [...]
2006 Jan 08
2
Stalls and closes
Hi, Trying to SSH to a server over an OPENVPN link, and it seems to be stalling , and then closing the connection. Can I do some command line magic to stop the stall, or get a password in before it closes? vjofn% ssh -v tuc at 10.2.0.2 OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090704f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Rhosts Authentication
2015 Sep 26
5
[Bug 2473] New: sshd and -R port forwardings on 127.0.0.0/8
https://bugzilla.mindrot.org/show_bug.cgi?id=2473 Bug ID: 2473 Summary: sshd and -R port forwardings on 127.0.0.0/8 Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at
2002 Oct 01
1
ssh with iptables and equalize
Hi everyone, I have a configuration for a router that load-balances between two ISPs. What happens is that if a source-destination combination is looked up, one of the two gateways will be chosen, and further lookups will stay on that gateway until the chosen combination "stales" out. Web browsing works, ftp works, kazaa and other applications work. ssh on windows (using putty) works.
2020 May 25
2
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
Hello Aki and all, The below lines are in the dovecot config file. This seems to be the same as Aki's suggestion. correct? I have also double checked file perms, tried with several new key gens, several versions of thunderbird and created completely new thunderbird profiles. Thank you, ssl_cert = </etc/letsencrypt/live/...../fullchain.pem ssl_key =
2002 Jul 25
0
[Bug 370] New: scp incompatibility when connecting to Commercial SSH server
http://bugzilla.mindrot.org/show_bug.cgi?id=370 Summary: scp incompatibility when connecting to Commercial SSH server Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: scp AssignedTo: openssh-unix-dev
2001 Oct 17
0
OpenSSH 2.9.9p2 on Solaris 8 buffer_get problem
Hi there, I have a weird problem with OpenSSH 2.9.9p2 on Solaris 8. Whenever I try to use ssh, scp or sftp to connect to the Solaris box, the connection is closed by the server and the following msg logged thru syslog: "sshd[542]: fatal: buffer_get: trying to get more bytes 129 than in buffer 39" I tried from an RH 7.1 client (2.9.9p2), from a Solaris 8 client (2.9.9p2), and an OpenBSD
2017 Jun 02
3
Let's encrypt privkey : Specified certificate file could not be used
Hello I get the following error when using our Let's Encrypt ssl certificate for webRTC calls : [Jun 2 14:29:28] == DTLS ECDH initialized (secp256r1), faster PFS enabled [Jun 2 14:29:28] ERROR[27360][C-00000ae5]: res_rtp_asterisk.c:1441 ast_rtp_dtls_set_configuration: Specified certificate file '/etc/letsencrypt/live/ws.mydomain.tld/privkey.pem' for RTP instance