similar to: Use of ssh certificates in a multi server of different kind environment.


2011 Nov 03
1
Help with CA Certificates for user authentication?
As background, I read: http://therowes.net/~greg/2011/03/23/ssh-trusted-ca-key/ http://www.ibm.com/developerworks/aix/library/au-sshsecurity/ http://bryanhinton.com/blog/openssh-security http://www.linuxhowtos.org/manpages/5/sshd_config.htm
2002 Jan 31
7
x509 for hostkeys.
This (very quick) patch allows you to connect with the commercial ssh.com windows client and use x509 certs for hostkeys. You have to import your CA cert (ca.crt) in the windows client and certify your hostkey: $ cat << 'EOF' > x509v3.cnf CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign CERTIP = 0.0.0.0 [x509v3_CA]
2016 Feb 09
2
Test Status OpenSSH 7.1 P2 on HPE NSE
Hi All, Just reporting in on how testing has gone. After reducing obs to 32k max and banners to a max of 10000, plus some minor platform changes - root is not 0, for example, all normal tests have passed except for: multiplex - hangs at the end of this output. We had a similar issue that single reads of data were not working in dd but that does not seem to be the case in this test suite. test
2019 Oct 04
2
authorized_principals for Kerberos authentication
Hello, SSH supports ~/.ssh/authorized_keys for SSH keys and ~/.ssh/authorized_principals for X509 certs. I could not find an equivalent of authorized_keys using Kerberos authentication. IMHO it should be possible using the Kerberos principal very much like the principal contained inside a X509 certificate. My main use case is assigning a specific command to a user logging in using Kerberos
2011 Oct 08
3
[PATCH] add log= directive to authorized_hosts
Attached is a patch which adds a log= directive to authorized_keys. The text in the log="text" directive is appended to the log line, so you can easily tell which key is matched. For instance the line: log="hello world!",no-agent-forwarding,command="/bin/true",no-pty, no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB3Nza....xcgaK9xXoU=
2019 May 20
4
Authenticate against key files before AuthorizedKeysCommand
Hello, Currently OpenSSH has a fixed order on how the key authenticates the user: at first it tries to authenticate against TrustedUserCAKeys, afterwards it does it against the output keys from the AuthorizedKeysCommand and finally against the files as set in AuthorizedKeysFile. I have a use-case where this order is not ideal. This is because in my case the command fetches keys from the cloud
2013 Sep 05
1
Using multiple certificates for a given private key
Hi, I'm experimenting with certificates for users, giving access via the TrustedUserCAKeys mechanism. Unfortunately, there seems to be a limit of one certificate per SSH key on the user's side, which prevents using the same key for hosts using different TrustedUserCAKeys. Is there a clean way around this? To make the above clearer, consider the following situation: A collection of hosts
2017 May 03
2
OpenSSH contract development / patch
Hi OpenSSH developers; Thank you for your amazing work. I'm emailing to see if any knowledgeable OpenSSH developer is willing to help us review / revamp some patches we have for OpenSSH, and provide advice on some of the more advanced uses of OpenSSH. This would be a for pay contract engagement. We are trying to be super respectful of the process, and are happy to be very creative - we are
2009 Jun 10
10
puppet client looking for server puppet
In my puppet client I have puppet.conf defined puppet server as mypuppet server = mypuppet.example.net Not sure why the puppet client puppet-test is still sending these noises to the syslog Jun 10 13:36:23 puppet-test puppetd[10863]: [ID 702911 daemon.error] Could not find server : getaddrinfo: node name or service name not known Jun 10 13:36:23 puppet-test puppetd[10863]: [ID 702911
2008 Jul 14
5
so many problem CENTOS 5.2 with DELL servers????
I have been installed CENTOS 5.2 on several DELL servers and have following problems (even latest patches apply): 1. DELL 2650 can NOT boot under CENTOS 5.2 PAE mode 2. DELL R900 can NOT boot under CENTOS 5.2 PAE mode (infinite boot loop) 3. DELL R900 with 128 GB RAM can only see 15 GB RAM under CENTOS 5.2 Xen mode Anyone know why? IS CENTOS 5.2 certify with DELL server? Does CENTOS
2004 Oct 14
1
(no subject)
Hi, In case if I come up with my own implementation of the vorbis code, what is the way to certify the same ? Is there any conformance testing as in the case of MP3 ?? If so, who will be certifying the same ? Best regards, Nags.. Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the
2006 Jun 22
0
Problem generating SSL certificates
Hi, I am trying to generate client certificates (to use in internal web/email servers) but the process is aborting. I can generate the CA OK but when I try to generate the client... openssl ca -days 365 -out certs/xxxx.crt -in csr/xxx.csr -config ../tls/openssl.cnf Using configuration from ../tls/openssl.cnf Enter pass phrase for ../CA/private/cakey.pem: wrong number of fields on line 1
2017 May 04
5
OpenSSH contract development / patch
On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote: > Hi Devin, have you looked at using openssh certificates to help manage [...] > While the feature has been around for a while now (and is really > useful), there doesn't seem to be huge amount of documentation around > it. I found the following useful when getting a client of my running Yeah, when I wrote about it
2010 Aug 19
7
External CA: Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
Hi Experts, I'm trying to generate my own certificates (all of them, including certs for CA, server and client) for puppet to use. and I'm getting "Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority" Just wondering what the problem could be? What I did is: 1. generate a self signed CA cert, and save the
2012 Aug 23
1
Puppet Agent VS User
Hello, Running into a problem when wanting to daemon-ize the agent. It doesn't seem to do anything: - cannot find any daemon process with (ps aux | grep puppet) - the config is not updated after editing some params on the master - /var/log/puppet stay empty... while, when logged as root, it is working without issue with $puppet agent --test. ##Conf Ubuntu 12.04 Puppet 2.7.11 ## Daemon is
2013 Jul 09
3
httpd ssl problems
Not much of a noob, but I will try. I just configured httpd and installed mod_ssl and got my certificate from GoDaddy and put them on the server with ssl.conf pointing at them. I am getting this error: SSLCertificateFile: file '/etc/pki/tls/certs/enmu.edu.crt' does not exist or is empty It's a cute error. I have checked several times for misspellings, looked at the enmu.edu.crt
2015 Apr 28
3
CENTOS not DoD approved
On 04/28/2015 02:30 PM, John R Pierce wrote: > On 4/28/2015 9:49 AM, bobby Orellano wrote: >> nowhere does it say that centos is approved for use in DoD. it is not on >> the APL, only RedHat and SuSE > > > DoD approval requires spending lots of money jumping through arbitrary > hoops. Do you wish to pay for this? > > skimming the requirements, it also requires
2004 Oct 06
1
Equivalence RHEL 3 update1 or update2?
Please, How to certify me that I am installing the CentOS equivalent to RHEL 3 update1 or update2? Thanks, Zamil Machado Cavalcanti Bahia - BRAZIL Linux Counter #56812 http://counter.li.org
2018 Oct 03
1
Trouble installing with Nvidia card
> > Why? 7.5.1804 has been out since May of this year. You're going to > end up downloading a ton of updates the first time. > For a specialized software, we have to wait for the developers to certify each new OS. They are still recommending 7.3. One reason in particular is that 7.5 has a fix for Meltdown and Spectre, which is known to reduce performance. This machine will be
2003 Aug 01
1
samba 3 b3 and nt accounts
Okidokey things are flying here However I am a domain admin and as such when I logon to a win 2k/xp system I should be able to access the system stuff (like changing the domain) as well as certify a new machine to the domain. With the Samba user however I log onto the machine now and no longer have my admin rights to change settings :c( (I hate this quirk of xp/2k it's almost enough reason