similar to: Should Subsystem work in a Match block?

https://bugzilla.mindrot.org/show_bug.cgi?id=1506 Summary: rationalize agent behavior on smartcard removal/reattachment Product: Portable OpenSSH Version: 5.1p1 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: Smartcard AssignedTo:

On Tue 2016-03-29 18:10:00 -0400, Damien Miller wrote: > On Tue, 29 Mar 2016, IMAP List Administration wrote: >> If you haven't already, an you please add the IP address to this message, and >> any similar messages? I'm using version 6.7p1. > > I actually added that recently. It will be in openssh-7.3, due in a > couple of months. Will it be configurable? There

https://bugzilla.mindrot.org/show_bug.cgi?id=1777 Summary: KnownHostsCommand Product: Portable OpenSSH Version: 5.5p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: unassigned-bugs at mindrot.org ReportedBy: dkg at fifthhorseman.net A

Hello, We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work. Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be

hi folks: it looks like ssh-keygen -r can''t export SSHFP records for ECDSA keys: 0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -f foobar -t ecdsa -q -P '''' 0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -r foobar -f foobar.pub export_dns_rr: unsupported algorithm 0 dkg@pip:/tmp/cdtemp.oiRYAS$ the first number in my prompt is the return code of the last command; note that

https://bugzilla.mindrot.org/show_bug.cgi?id=1545 Daniel Kahn Gillmor <dkg at fifthhorseman.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dkg at fifthhorseman.net --- Comment #15 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> ---

I guess I didn't want to litter the users table either - it just seems "wrong" to be actually adding things to the host when it is really so transient. It feels like it should be LDAP-ish. Just ask the server for the keys and do a one-off authentication. But I've seen even LDAP creates the user directories. I see that 2.6 kernels can have some 4B users, which should last me a

On Mon 2016-01-04 20:35:05 -0500, Bostjan Skufca wrote: > Would it make sense to refactor (if it is not done yet) openssh to use > generic API for communicating with any SSL implementation? Or is the > general stance on this subject "the new SSL implementation should provide > openssl-compatible API to be usable with openssh"? OpenSSH doesn't use any of the

On Tue 2015-05-26 14:02:07 -0400, Hubert Kario wrote: > On Tuesday 26 May 2015 13:43:13 Daniel Kahn Gillmor wrote: >> On Tue 2015-05-26 12:57:05 -0400, Hubert Kario wrote: >> > creating composites that will pass even 100000 rounds of Miller-Rabin is >> > relatively simple.... >> > (assuming the values for M-R tests are picked randomly) >> >> Can you

https://bugzilla.mindrot.org/show_bug.cgi?id=1871 Summary: ssh-askpass should be able to distinguish between a prompt for confirmation and a prompt for an actual passphrase Product: Portable OpenSSH Version: 5.8p1 Platform: All OS/Version: All Status: NEW Severity: normal

On Fri 2015-05-22 00:06:29 -0400, Darren Tucker wrote: > On Thu, May 21, 2015 at 11:26 PM, Matthew Vernon <matthew at debian.org> wrote: >> >> You will be aware of https://weakdh.org/ by now, I presume; the >> take-home seems to be that 1024-bit DH primes might well be too weak. >> I'm wondering what (if anything!) you propose to do about this issue, >>

On Fri 2015-02-06 14:30:13 -0500, Cary FitzHugh wrote: > Hence - maybe a NSS User Database extension which looks for the > public keys from a webservice (and then maybe writes them to > /tmp/<username>. No, i'm suggesting that when you want to look up the user, use NSS to find the username and map it to a numeric user ID and the other information that is typically found in

On 04 Feb (10:46:55), Daniel Kahn Gillmor wrote: > On Thu 2016-02-04 07:40:39 -0500, David Goulet wrote: > > > I would like to know if adding support for Unix socket to sshd would be a > > feature that would be consider to be added upstream? (ListenAddress). > > fwiw, i think this is a good idea, but i wouldn't implement it as an > explicit ListenAddress option:

https://bugzilla.mindrot.org/show_bug.cgi?id=1663 Summary: Allow to use agent for distribution of public keys. Product: Portable OpenSSH Version: 5.3p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org

I regularly use ssh-agent with a subcommand; my X11 session is spawned through ssh-agent, and sometimes i'll run a special agent for a certain subset of commands, like this: ssh-agent bash ... and then do work within that shell. From the man page: > If a commandline is given, this is executed as a subprocess of the agent. > When the command dies, so does the agent. But

https://bugzilla.mindrot.org/show_bug.cgi?id=1984 Bug #: 1984 Summary: Add Unix Domain Socket Forwarding Classification: Unclassified Product: Portable OpenSSH Version: 5.9p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo:

https://bugzilla.mindrot.org/show_bug.cgi?id=1869 Summary: ssh-add can no longer read from FIFOs as of 5.7p1 Product: Portable OpenSSH Version: 5.8p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh-add AssignedTo: unassigned-bugs at mindrot.org

https://bugzilla.mindrot.org/show_bug.cgi?id=1498 Summary: OpenSC smartcard access should use raw public keys, not X.509 certificates Classification: Unclassified Product: Portable OpenSSH Version: 5.1p1 Platform: Other OS/Version: Linux Status: NEW Keywords: patch Severity: normal

https://bugzilla.mindrot.org/show_bug.cgi?id=1808 Summary: "SetupCommand" invoked before connecting Product: Portable OpenSSH Version: 5.6p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo: unassigned-bugs at mindrot.org

I see. From reading that wikipedia article, I'm wondering what gets compressed when compression is enabled in openssh. Is it the ciphertext or the cleartext? Regards, Mark On Fri, 2013-10-25 at 15:47 -0400, Daniel Kahn Gillmor wrote: > On 10/25/2013 03:23 PM, Mark E. Lee wrote: > > Thanks for the response, what kind of problematic interactions would > > occur (other than