similar to: new option ssh-add -v to verify if key is loaded into the agent

Hi, I have not found any way to use a Certificate with ssh-agent when my Key is stored on a pkcs11 device. I can add my key with ssh-add -s /usr/local/lib/opensc-pkcs11.so but ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub does not add the certificate to my agent. As far as I undestand, in ssh-add.c line 580 if (pkcs11provider != NULL) { if (update_card(agent_fd,

Engine keys are private key files which are only understood by openssl external engines. ?The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). ?Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private

Hi, Are there any open source tools to keep track of ssh sessions? For example, if a specific user is ssh logging to remote server and what commands or scripts are being run. Basically, i need to log all users sessions. Thanks in Advance and i look forward to hearing from you. Best Regards, Kaushal

My keys are secured with a passphrase. That's good for security, but having to type the passphrase either at every login or at every invocation of ssh(1) is annoying. I know I could invoke ssh-add(1) just before invoking ssh(1), if I keep track of whether I invoked it already, or write some hacky scripts; but the rest of OpenSSH is wonderfully usable without any hacks. Hence, this patch.

OpenSSL 1.1.0 has deprecated this function. --- configure.ac | 1 + openbsd-compat/openssl-compat.c | 2 ++ openbsd-compat/openssl-compat.h | 4 ++++ 3 files changed, 7 insertions(+) diff --git a/configure.ac b/configure.ac index 3f7fe2cd..db2aade8 100644 --- a/configure.ac +++ b/configure.ac @@ -2710,6 +2710,7 @@ if test "x$openssl" = "xyes" ; then ])

https://bugzilla.mindrot.org/show_bug.cgi?id=1914 Summary: ssh-add: add an option to cryptographically verify if agent can access the matching private key of a given public key Product: Portable OpenSSH Version: 5.8p2 Platform: All OS/Version: Linux Status: NEW Severity: enhancement

On Tue, 2010-04-06 at 15:52 +0300, Lars Nooden wrote: > You might wish to focus on sftp instead of scp. Okay, I will have a look. I had some problems: 1) I would like to store smart card information -o PKCS11Provider=/usr/lib/opensc-pkcs11.so in /etc/ssh/ssh-config. Is it possible? 2) ssh-add -s does not seem to work. Read:

https://bugzilla.mindrot.org/show_bug.cgi?id=2635 Bug ID: 2635 Summary: Unable to use SSH Agent and user level PKCS11Provider configuration directive Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5

https://bugzilla.mindrot.org/show_bug.cgi?id=2465 Bug ID: 2465 Summary: openssh portable does not check if arc4random_buf is declared in the system headers? Product: Portable OpenSSH Version: 7.1p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5

That's not a very good source, since it's only available to one person. On Fri, May 25, 2018 at 7:12 AM, Peter Moody <mindrot at hda3.com> wrote: > On Thu, May 24, 2018 at 9:09 PM, Yegor Ievlev <koops1997 at gmail.com> wrote: >> How can I revoke one SSH certificate without having to replace the >> root certificate and all certificates signed by it? > >

I am unable to get ActiveRecord session support to work under 2.x against a SQL Server database. I''m starting to wonder if anyone is running 2.x against SQL Server? Is anyone running under the following configuration: Rails 2.x SQL Server 2000 DB (using AR adapter in ODBC mode) AR store for ActionController session store. I''d like to chat with you if you are. Thanks, Wes --

Hi, Yesterday I tried to replace the system openssl in a gentoo system with libressl. With openssh an interesting issue popped up: * RAND_bytes in libressl calls arc4random * arc4random is a compat function both in openssh and libressl * arc4random from openssh uses RAND_bytes So what's happening is a recursion. arc4random wants to use RAND_bytes and RAND_bytes wants to use arc4random. The

log-user-session is shell-wrapper that can be used via ForceCommand to implement full logging of user sessions. It supports the following features: - Flexible directory structure for the shell output log files. - Support setuid-mode to write the files as another user. - Properly starts the user shell as login shell. - Optionally log only the command line of remote commands instead of the full

Dear Mailing List We are using a ControlMaster with a short ControlPersist to access the bastion host which then gives access to customer hosts. Our Information Security Manager would like to disallow the ControlMaster. His attack scenario is an admin workstation with a compromised root account. An attacker can then use the ControlMaster to trivially get shell access on the bastion host

https://bugzilla.mindrot.org/show_bug.cgi?id=2610 Bug ID: 2610 Summary: ssh should not complain about "no slots" when PKCS11Provider is specified, but no slot is found nor used Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW

[ I'm not subscribed to this list; please CC any followups to me as well ] When a user invokes "ssh-add" with no arguments, I think we should default to adding both version 1 and version 2 keys. Here's a patch against the source included with my Debian package of OpenSSH: walters at space-ghost:/usr/src/ssh/openssh-2.9p2$ diff -u ssh-add.c~ ssh-add.c --- ssh-add.c~ Thu Apr

Hi, A question regarding chroot, internal-sftp, and time zones: Is it possible to get the time stamps presented by the chrooted internal-sftp to always be aligned with the system global time zone setting? What is the reason this not done by default, that is couldn't the chrooted internal-sftp inherit the time zone information from the SSH daemon? /John -- John Olsson Ericsson AB

Hello, With current portable master source tree HAVE_CRYPT and HAVE_DES_CRYPT are not defined. It seems to me this is regression introduced with implementation of configure options --with-openssl. Impacted code is in xcrypt.c: ... # if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) # include <openssl/des.h> # define crypt DES_crypt # endif ...

Hi all, I recently made a patch to openssh 4.1p1 to allow it to use the in-kernel key management provided by 2.6.12 or later Linux kernels. I've attached the patch (which is still only a proof-of-concept, for instance its very verbose right now) to this mail. Now, my question is, is this a completely insane idea and would (a later version of) the patch have a chance of making it into the

https://bugzilla.mindrot.org/show_bug.cgi?id=2221 Bug ID: 2221 Summary: Explicit identity files are being used after implicit files are attempted Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: