similar to: Setting up Samba4 - lots of implementation questions esp re. PKI and SSO

Displaying 20 results from an estimated 7000 matches similar to: "Setting up Samba4 - lots of implementation questions esp re. PKI and SSO"

2018 Dec 18
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
Alon, I should have provided more background. You are assuming that I could perform the PKINIT prior to connecting to the SSH server. In this case (and others) there is an interest in not exposing the kerberos servers to the world and thus someone connecting remotely would not be able to obtain a TGT or do a PKINIT. The goal would be for SSH to handle all the auth and only after connecting to
2018 Dec 19
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
Alon, On 12/18/2018 06:52 PM, Alon Bar-Lev wrote: > OK... So you have an issue... > > First, you need to delegate your smartcard to remote machine, probably > using unix socket redirection managed by openssh. This can be done in > many levels... > 1. Delegate USB device, this will enable only exclusive usage of the > smartcard by remote machine. > 2. Delegate PC/SC, this
2018 Dec 18
2
RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT
I know OpenSSH currently supports PKCS11 devices (such as smartcards) for publickey authentication, but I would love to see PKCS11 extended further. It is currently possible to perform PKCS11 certificate authentication, via pam_krb5.so (on Linux at least and likely something similar on other *NIX) which allows smartcard auth to a Kerberos (including AD) server, where a TGT can also be granted.
2006 Feb 07
1
[resend] SAMBA and X509 certs ?
Hello everybody, I'll try to find out some info about Samba and a way to put x509 authenticate method but I don't find anything clear about it. I found in the how-to v3 some stuff about authenticate PAM module to use with samba but I don't know if I look in the right direction. I have a samba server running for a lot of time based on smbpass DB. We plan to use our PKI certs to
2007 Sep 25
9
OpenSSH PKCS#11merge
[[Sending again, as for some strange reason it is not accepted]] Hello OpenSSH developers, I maintain external patch for PKCS#11 smartcard support into OpenSSH[1], many users already apply and use this patch. I wish to know if anyone is interested in working toward merging this into mainline. I had some discussion with Damien Miller, but then he disappeared. Having standard smartcard
2020 Sep 26
4
Schema version 87 and windows Hello
Hi Andrew, I'm very interested in using Windows Hello for Business in small business environments, with Samba as the AD DC. I'm sorry that I don't have great news. The schema upgrade is the easy > part - we could do that by obtaining new schema from Microsoft: > > https://www.microsoft.com/en-nz/download/confirmation.aspx?id=23782 > (and yes, the licence terms are
2020 Sep 28
1
Schema version 87 and windows Hello
> > Is this all that would be required to enable a deployment based upon a > > traditional PKI? > > > If you are using windows yes, if not then you would need to find a way > to replace the EDRS (there is a good doc about it here > > https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning > ) >
2013 Oct 16
5
[Bug 1908] Extract the public key from certificate on pkcs#11
https://bugzilla.mindrot.org/show_bug.cgi?id=1908 Markus Friedl <markus at openbsd.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |markus at openbsd.org Attachment #2054|0 |1 is obsolete|
2015 Mar 31
7
Wanted: smartcard with ECDSA support
Hi list, I have no idea if Damien Miller had the time to work on that. I have an initial patch to authenticate using PKCS#11 and ECDSA keys. This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the required interfaces to override the signature function pointer for ECDSA. The only limitation is that the OpenSSL API misses some cleanup function (finish, for instance), hence I have yet
2017 Apr 20
1
RSA key not found
I've got a couple of issues with a new mail server set up... I'm getting the following error: warning: cannot get RSA certificate from file /etc/pki/dovecot/certs/<mycert>.pem: disabling TLS support The problem is that <mycert>.pem isn't an RSA ticket, but a X509 certificate. The RSA ticket is in /etc/pki/dovecot/private directory. I checked both files and they are good certificates.
2018 Mar 19
2
Your advices regarding authentication methods compatible with S4
On Mon, 2018-03-19 at 11:55 +1300, Garming Sam via samba wrote: > Hi, > > Maybe this page might be helpful. I don't know how up to date it is, but > the expectation seems to be that it should be able to work with > alternative forms of authentication (with Kerberos PKINIT). > > https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Yeah, I think something that
2006 Feb 07
2
SAMBA and X509 certs ?
Hello everybody, I'll try to find out some info about Samba and a way to put x509 authenticate method but I don't find anything clear about it. I found in the how-to v3 some stuff about authenticate PAM module to use with samba but I don't know if I look in the right direction. I have a samba server running for a lot of time based on smbpass DB. We plan to use our PKI certs to
2018 Sep 04
1
How to specify a x509-dir from XML config file?
Hi Everyone, I'd like to ask a question about libvirt xml config. I am using kvm with tls certification. For some reason I need to specify a unique certificate file for every instance, so my kvm command would be like: /usr/libexec/qemu-kvm -spice port=5900,tls-port=5901,addr=0.0.0.0,disable-ticketing,x509-dir=/openstack/etc/pki/libvirt-spice the argument
2006 May 27
2
[ANNOUNCE] PKCS#11 support in OpenSSH 4.3p2 (version 0.11)
Hello, The version 0.11 of "PKCS#11 support in OpenSSH" is published. Changes: 1. Updated against OpenSSH 4.3p2. 2. Modified against Roumen Petrov's X.509 patch (version 5.4), so self-signed certificates are treated by the X.509 patch now. 3. Added --pkcs11-x509-force-ssh if X.509 patch applied, until some issues with the X.509 patch are resolved. 4. Fixed issues with gcc-2. You
2002 Jan 31
7
x509 for hostkeys.
This (very quick) patch allows you to connect with the commercial ssh.com windows client and use x509 certs for hostkeys. You have to import your CA cert (ca.crt) in the windows client and certify your hostkey: $ cat << 'EOF' > x509v3.cnf CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign CERTIP = 0.0.0.0 [x509v3_CA]
2020 Mar 16
0
AD with PKI authentication - issue on cert generation
Hi, I'm trying to install an AD with PKI auth. I'm so referring to: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login I have my forest working, users, etc. I'm now trying to generate the root CA. Using the template in the wiki, when I try to openssl req -new req -new -x509 -days 3650 -sha256 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config
2007 Jan 29
3
tool to manage a PKI
Hello, this is a little bit off-topic (even if it has to work on CentOS ;-) I'm looking for a tool to manage a small Public Key Infrastructure, with creation/revocation of X.509 certificates, export in PKCS#12 format and have the ability to handle CSR (Certificate Signing Request). I've written my own script to perform it (openssl command line based): it's a good way to
2005 Nov 01
3
PKCS#11 support for openssh
Hello OpenSSH developers, A week ago I've posted a patch that enables openssh to work with PKCS#11 tokens. I didn't receive any comments regarding the patch or reply to my questions. In current software world, providing a security product that does not support standard interface for external cryptographic hardware makes the product obsolete. Please comment my patch, so I can know
2012 Apr 01
2
samba4 DNS error when joining domain
Hi Joining a lubuntu 11.10 client to the domain I get this: net ads join -UAdministrator Enter Administrator's password: Using short domain name -- POLOP Joined 'LUBUNTU7' to realm 'hh3.site' No DNS domain configured for lubuntu7. Unable to perform DNS Update. DNS update failed! during the join this all seems OK: Kerberos: Looking for PKINIT pa-data --
2012 Jul 28
1
[PATCH] ssh-keygen: support public key import/export using SubjectPublicKeyInfo
ssh-keygen already supports importing and exporting ssh keys using various formats. The "-m PEM" which should have been the easiest to be used with various of external application expects PKCS#1 encoded key, while many applications use SubjectPublicKeyInfo encoded key. This change adds SubjectPublicKeyInfo support, to ease integration with applications. Examples: ## convert