similar to: PATCH: Support for encrypted host keys

Hi, About a year and a half ago I brought up the topic of encrypted hostkeys and posted a patch (http://marc.info/?l=openssh-unix-dev&m=132774431906364&w=2), and while the general reaction seemed receptive to the idea, a few problems were pointed out with the implementation (UI issues, ssh-keysign breakage). I've finally had some spare time in which to get back to this, and I've

Hi, Is there any way to store HostKey in hardware (and delegate the related processing)? I have been using Roumen Petrov's x509 patch for clients, which works via an OpenSSL engine, but it does not seem to support server HostKey: http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html For PKCS#11, I have found an email on this list from a year back suggesting this

Hello, I need to allow for some people to execute ssh with one shared private key for remote executing command on various machines. However, it is not possible to set group permissions for private keys and it is possible to have just one private key file for one user. Please, is it possible to add patches into openssh development tree like these, so that standard behavior of ssh is not changed,

Hi, experimenting with openssh_cvs on my SCO Unix 3.2v4.2 machine, I had sshd core dumping on me. Tracking this, I found that if a host key is specified in the sshd_config that does not exist (I used "./sshd -d -d -d -f sshd_config" with the shipped sshd_config file, to work around incompatibilities with the installed sshd.com's sshd_config, and I do not have ssh2 host keys on

--- sshd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sshd.c b/sshd.c index dda8d9b77..cbdced5db 100644 --- a/sshd.c +++ b/sshd.c @@ -1533,6 +1533,8 @@ main(int ac, char **av) } else { do_log2(ll, "Unable to load host key: %s", options.host_key_files[i]); + sshkey_free(pubkey); + pubkey = NULL; sensitive_data.host_keys[i] = NULL;

Hello, Due to patent concerns, I compiled a version of openssl with the no-rsa, no-idea, no-rc5 options. I was able to then take this compile of openssl, with the standard openssh-2.1.0 rpms and run it on another machine. Most things seemed to work fine, except I was unable to ssh into the machine. After applying the following patch to the sshd code, a quick test with an ssh session worked:

Below is a patch against the current OpenBSD OpenSSH CVS to workaround a behavior I have observed when converting from SSH 1.2.27 to OpenSSH while using the same old RSA1 host key for protocol 1. In several cases I saw that old SSH sshd reported a host key size of 1024 bits when OpenSSH saw it as 1023 bits. Without the patch, when OpenSSH's ssh client connects to an old SSH sshd it warns

In the current implementation, ssh always uses the hostname supplied by the user directly for the SSHFP DNS record lookup. This causes problems when using the domain search path, e.g. I have "search example.com" in my resolv.conf and then do a "ssh host", I will connect to host.example.com, but ssh will query the DNS for an SSHFP record of "host.", not

Hello, There's a memory allocation for sensitive_data.keys in ssh.c:848 which uses size of Key instead of Key*. This is probably harmless but seems to be wrong. --- a/ssh.c +++ b/ssh.c @@ -846,7 +846,7 @@ main(int ac, char **av) options.hostbased_authentication) { sensitive_data.nkeys = 7; sensitive_data.keys = xcalloc(sensitive_data.nkeys, -

Hello, The following patch avoids a warnign message when using hostbased authentication as root and protocol v1 support has been disabled. The case for non-root users has already been addressed, but root follows a different code path. -- Iain Morgan diff --git a/ssh.c b/ssh.c index cceb36e..e32aa0a 100644 --- a/ssh.c +++ b/ssh.c @@ -1242,8 +1242,10 @@ main(int ac, char **av)

My pc runs Scientific Linux release 6.8 (Carbon), Kernel 2.6.32-642.3.1.el6.i686, all patches applied. After unpacking, running ' -/configure ' (just that, no other params), then ' make; make install DESTDIR=`pwd`/DESTDIR ' and running sshd from there: the call ' DESTDIR/.../bin/ssh host102 ' succeeds ( authentication with id_rsa ; host 102 is localhost where the new sshd

Hi all, I just want to upgrade from protocol 1.5 to 1.99 and 2.0, respectively and run into the following problems: The situation is the following: I have a client ("c") inside the firewall and two servers outside ("a" and "b"). The firewall accepts connections on two ports (22136 and 22137) and directs the connections directly to port 22 of the two servers

hello.. i am running openssh-3.7.1p2. on linux.It is working successfully..and daemon is running &client also connecting.But the problem is with the mips architecture when i connecting this server from remote syytem.?i got an error of buufer_get:trying to get more bytes 1 than buffer0.And client is not connecting from remote system.My out is as follows on my server ?in sshd main before

hello.. i am running openssh-3.7.1p2. on linux.It is working successfully.and daemon is running &client also connecting.But the problem is with the mips architecture when i connecting this server from remote syytem. i got an error of buufer_get:trying to get more bytes 1 than buffer0.And client is not connecting from remote system.My out is as follows on my server in sshd main before

I'm seeing some extremely odd behavior with solaris. I have a suspicion it's me, but here's the story and maybe someone can suggest an avenue of investigation. This seems to be happening with any release of openssh since at least 2.5.2p1. 1) Problem #1: If SSH protocol 1 is enabled then sshd segfaults right off. This turns out to be because the call to arc4random_stir is

A buffer overflow exists in OpenSSH's sshd if sshd has been compiled with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default. 1. Systems affected: All Versions of OpenSSH compiled with AFS/Kerberos support and ticket/token passing enabled contain a buffer overflow.

A buffer overflow exists in OpenSSH's sshd if sshd has been compiled with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default. 1. Systems affected: All Versions of OpenSSH compiled with AFS/Kerberos support and ticket/token passing enabled contain a buffer overflow.

Hello, Would it be possible to add generic engine support to OpenSSH? One use in particular would be to support TCP forwarding for secure mail server connections and similar applications. This would permit an administrator to configure in an arbitrary external engine to establish a secure RSA-based tunnel. OpenSSH would need no information built into it to accomodate any particular engine. One

this patch adds a LogFile option to sshd_config. it just logs messages directly to a file instead of stderr or syslog. the largest change is an additional argument to log_init() in log.c for the log file name (and then changes to the rest of the tools to add a NULL arg). galt -------------- next part -------------- diff -urN openssh-3.5p1-orig/log.c openssh-3.5p1/log.c ---

https://bugzilla.mindrot.org/show_bug.cgi?id=1974 Bug #: 1974 Summary: Support for encrypted host keys Classification: Unclassified Product: Portable OpenSSH Version: 5.9p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: