Displaying 20 results from an estimated 4000 matches similar to: "ssh certificate usage"
2011 Nov 03
1
Help with CA Certificates for user authentication?
As background, I read:
http://therowes.net/~greg/2011/03/23/ssh-trusted-ca-key/
http://www.ibm.com/developerworks/aix/library/au-sshsecurity/
http://bryanhinton.com/blog/openssh-security
http://www.linuxhowtos.org/manpages/5/sshd_config.htm
2020 Jan 30
3
SSH certificates - restricting to host groups
On Thu, Jan 30, 2020 at 7:11 AM Christian, Mark
<mark.christian at intel.com> wrote:
>
> On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote:
> > As a concrete example: I want Alice to be able to login as "alice"
> > and
> > "www" to machines in group "webserver" (only). Also, I want Bob to
> > be
> > able to login as
2010 Jun 07
3
X509 based certificate authentication in OpenSSH
Hello,
I would like to know whether OpenSSH supports x509 certificate based
authentication.
It looks like OpenSSH has dependency on OpenSSL so does this mean that
OpenSSH also supports x509 certificate based authentication.
If it does support, can you please point me to the necessary
documentation.
Thanks
Naitik
2010 Apr 02
2
AuthorizedKeysFile with default value prevents Public/Private key authentication
Hi All,
I noticed that if I put:
AuthorizedKeysFile .ssh/authorized_keys in my sshd_config file,
pub/priv key authentication no longer worked.
I am using OpenSSH_5.4p1, OpenSSL 0.9.8n 24 Mar 2010
on Archlinux.
Sam
****************** Here is my WORKING config ******************
Port 22
ListenAddress 0.0.0.0
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
#AuthorizedKeysFile
2019 May 20
4
Authenticate against key files before AuthorizedKeysCommand
Hello,
Currently OpenSSH has a fixed order on how the key authenticates the
user: at first it tries to authenticate against TrustedUserCAKeys,
afterwards it does it against the output keys from the
AuthorizedKeysCommand and finally against the files as set in
AuthorizedKeysFile. I have a use-case where this order is not ideal.
This is because in my case the command fetches keys from the cloud
2018 Apr 10
4
Signed SSH key issue with OpenSSH6.4p1
Hi All,
Please pardon me if it is the wrong list to ask how-to etc.
I am having an issue with the Signed SSH keys. I am being asked for the
passphrase for my signed public key, even though I don't have any.
I am running CentOS7 with OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013.
1) I have ca server with ca user keys (ca-user-key.pub)
2) I created user ssh rsa keys (user-id-org and
2020 Jun 01
2
would it be possible to extend TrustedUserCAKeys so that certain keys could not be used to authenticate a particular user?
Wondering if it would make sense to have more granular control of
trustedUserCAkeys? I have 1 key used to sign root certs, the key is
shortlived, and is rotated daily. And I have a 2nd key to sign non-
privileged user certs. The non-privileged certs have a longer validity
period, and the signing keys are not rotated as frequently. It would
be nice to ensure this second signing key's
2010 Dec 31
2
happy new years ssh key problem :)
Hi List,
Happy New Years and I was hoping to get some help on an ssh issue
that I am having. For some reason I am unable to scp to hosts on this
network using RSA keys. Here is what I am doing/what is going on;
scp the public key to remote host
[amandabackup at VIRTCENT18 ~]$ scp ~/.ssh/id_rsa_amdump.pub amandabackup at lb1:~
amandabackup at lb1's password:
id_rsa_amdump.pub
2010 Mar 08
1
Announce: OpenSSH 5.4 released
OpenSSH 5.4 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed code
or patches,
2015 Aug 25
6
echo password into bash script
Hey guys,
I'm trying to echo my password into some commands inside of a bash script.
But I think I'm going about it incorrectly.
Here's the top part of my script:
#!/bin/bash
pub="~/.ssh/id_rsa.pub"
dps_pass="my_pass"
ssh="/usr/bin/ssh"
scp="/usr/bin/scp"
for i in 10.10.10.2{5,6}
do
echo "xfring key up"
echo $dps_pass | $scp $PUB
2016 Aug 03
2
Configure option '--with-ssh1' breaks openssh-7.3p1
On 08/03/16 02:12, Darren Tucker wrote:
> On Wed, Aug 3, 2016 at 7:42 AM, rl <rainer.laatsch at t-online.de> wrote:
> [...]
>> /Data/openssh-7.3p1/DESTDIR/usr/local/sbin/sshd -p 222 -f \n
>> DESTDIR/usr/local/etc/sshd_config
>
> It looks like you have an embedded newline in the config file name
> you're passing to sshd. If that's the case I'm
2006 Apr 05
3
rsync, ssh and DSA key
hi all
I have generated the key in the source server(10.78.0.107)
ssh-keygen -t dsa -C "root@10.78.0.107"
I have added this key to authorized_keys2 of the destination
server(10.78.0.117)
cat id_dsa.pub >> /root/.ssh/authorized_keys2
but when I execute
rsync -avz -e ssh root@10.78.0.107:/var/mail/ /var/mail
in the destination server it asks me for the password
How to avoid this in
2010 Mar 04
1
Minor tweak to sshd_config(5)
Hi,
There are a few minor tweaks I would like to suggest regarding the recently added
TrustedUserCAKeys section in sshd_config(5).
TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted sign user certificates for authentication. Keys are listed one per
line, empty lines and comments starting with
2015 Jul 18
2
can't ssh into C7 host
hey guys,
Yesterday I had no trouble logging into this database host. But today for
some reason I can't log in using my RSA key and password authentication
doesn't work either.
I am able to log onto the host via console. And I was able to grab the ssh
config file. Here it is:
[root at db1 ~]# grep -v '#' /etc/ssh/sshd_config |sed '/^\s*$/d'
HostKey
2007 Jun 01
2
Need to sftp with automatic login from 1 aix machine to another, the id on the target is a DCE(DFS) id
Hi,
I had a question and can not find out on the web where anyone might have
done this. I am sftping
between one AIX machine and another using automatic login. I have created
the id_rsa.pub on the
source server and added it to the /.ssh/authorized_keys file on the target
server. The problem we
are having seems to be that because the target id is a DCE(DFS) id and it's
home directory is
2008 May 27
6
Openssh + AFS
The native authentication methods of openssh are
(not counting insecure RhostsRSAAuthentication)
1) public key
2) password
For users with home dirs in AFS space, method 1) does not work.
Except with (non foolproof) fiddling on the access controls within
the home directory. This might lead to security issues when done
by inexperienced users.
Without some work, only 2) remains. Being forced to send
2020 Feb 23
4
Question about ssh-rsa deprecation notice (was: Announce: OpenSSH 8.2 released)
I am trying to understand the details of the deprecation notice.
Because I am getting people asking me questions. And I don't know the
answer. Therefore I am pushing the boulder uphill and asking here. :-)
Damien Miller wrote:
> Future deprecation notice
> =========================
>
> It is now possible[1] to perform chosen-prefix attacks against the
> SHA-1 algorithm for
2020 Jan 30
5
SSH certificates - restricting to host groups
Hello,
I am trying to work out the best way to issue SSH certificates in such
way that they only allow access to specific usernames *and* only to
specific groups of host.
As a concrete example: I want Alice to be able to login as "alice" and
"www" to machines in group "webserver" (only). Also, I want Bob to be
able to login as "bob" and
2013 Sep 05
1
Using multiple certificates for a given private key
Hi,
I'm experimenting with certificates for users, giving access via the
TrustedUserCAKeys mechanism. Unfortunately, there seems to be a limit of
one certificate per SSH key on the user's side, which prevents using the
same key for hosts using different TrustedUserCAKeys. Is there a clean
way around this?
To make the above clearer, consider the following situation:
A collection of hosts
2024 Dec 04
1
Better reporting for signature algorithm mismatch?
An issue that I come across from time to time is when I try to ssh into
a box with an RSA key, and it fails because the target host is old and
only does sha1 signatures. However, the reason is not reported unless I
turn on debugging. For example, all I see is:
% ssh foo at bar
foo at bar: Permission denied (publickey,keyboard-interactive).
I find this confusing, since my first inclination is