similar to: double length prefix in ssh-keygen certificates (values of critical options)

https://bugzilla.mindrot.org/show_bug.cgi?id=2389 Bug ID: 2389 Summary: update the PROTOCOL.certkeys spec to avoid confusion regarding encoding of critical options fields Product: Portable OpenSSH Version: 6.8p1 Hardware: All OS: All Status: NEW Severity: enhancement

Engine keys are private key files which are only understood by openssl external engines. ?The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). ?Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private

I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may

Hello: I am working to implement certificate-based authentication for some internal applications. It would be very helpful to be able to pass information server-side by specifying some custom options via the Extensions of the signed certificate, allowing the authenticity of the options to be verified readily. However, I have not been able to find too much for specifying behaviors, etc.

In sshconnect.c there are two global variables for server_version_string client_version_string. These are used just in a few functions and can easily be passed as parameters. Also, there is a strange construct, where their memory is allocated to the global pointers, then copies of these pointers are assigned to the kex structure. The kex_free finally frees them via cleanup of the kex

HI! I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and description for CLI arg -O in ssh-keygen(1). It seems to me that there could be a 1:1 mapping between SSH cert extensions and authz key options by just adding prefix "permit-" to the key option. But the man pages differ regarding case of "permit-x11-forwarding" and "X11-forwarding". [1] also

Hello, This patch adds client and server support for transmitting the st_nlink field across SSH2_FXP_NAME and SSH2_FXP_ATTRS responses. Please let me know if there anything I can do to improve this patch. I am not subscribed to list so please CC me. Index: sftp-common.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp-common.c,v retrieving

https://bugzilla.mindrot.org/show_bug.cgi?id=3198 Bug ID: 3198 Summary: Custom critical options are not lexically ordered Product: Portable OpenSSH Version: -current Hardware: amd64 OS: Mac OS X Status: NEW Severity: normal Priority: P5 Component: ssh-keygen Assignee:

I was recently looking at verifying the attestation data (ssh-sk-attest-v00) for a SK key, but I believe the data saved in this structure is insufficient for completing verification of the attestation. While the structure has enough information for U2F devices, FIDO2 devices sign their attestation over a richer "authData" blob [1] (concatenated with the challenge hash). The authData blob

http://bugzilla.mindrot.org/show_bug.cgi?id=1157 Summary: ssh-keygen doesn't handle DOS line breaks Product: Portable OpenSSH Version: 3.8.1p1 Platform: All URL: http://openssh.org/txt/draft-ietf-secsh-publickeyfile- 02.txt OS/Version: All Status: NEW Severity: normal

https://bugzilla.mindrot.org/show_bug.cgi?id=2474 Bug ID: 2474 Summary: Enabling ECDSA in PKCS#11 support for ssh-agent Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh-agent Assignee: unassigned-bugs

https://bugzilla.mindrot.org/show_bug.cgi?id=1784 Summary: ssh-keygen fails when filename of key file contains multiple slashes Product: Portable OpenSSH Version: 5.2p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh-keygen AssignedTo:

https://bugzilla.mindrot.org/show_bug.cgi?id=2388 Bug ID: 2388 Summary: build fixups for --without-openssl Product: Portable OpenSSH Version: 6.8p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: Build system Assignee: unassigned-bugs at

Hi list members, just tried to get some old records out of my known_hosts, which is 'HashKnownHosts yes'. Is there a way to unhash host names and/or IPs? Google tells about, how to add hosts, but not the opposite, may be I miss some thing. Is this does not work at all, is there a best practice for cleaning old hosts and keys out? Thanks, Martin! -- Martin GnuPG Key Fingerprint, KeyID

Hi, i have two machines with libvirt installed. I want to move a storage volume from the 1st machine to 2nd machine with code. I'm thinking of reading a storage volume into a byte array/stream then uploading through my own/custom handler (written in go) to the 2nd machine's custom handler which will then be writing the byte stream to libvirt storage volume. Is there a libvirt function to

Hi, Can anybody briefly explain the significance of the updated moduli file? Is this a critical update? Should all existing installations update their moduli file? Thanks in advance, -- Dan

Hi, Tavis Ormandy found some bugs in OpenSSL's ASN.1 and buffer code that can be exploited to cause a heap overflow: http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html Fortunately OpenSSH's sshd is not vulnerable - it has avoided the use of ASN.1 parsing since 2002 when Markus wrote a custom RSA verification function (openssh_RSA_verify):

Hi, OpenSSH 5.4 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a big release, with a number of major new features and many bug fixes. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH

https://bugzilla.mindrot.org/show_bug.cgi?id=1469 Summary: Should sshd detect and reject vulnerable SSH keys (re: Debian DSA-1571 and DSA-1576) Classification: Unclassified Product: Portable OpenSSH Version: 5.0p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2

Damien, your advice is appreciated. Damien Miller wrote: > On Fri, 12 Jan 2018, Michael Str?der wrote: >> I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and >> description for CLI arg -O in ssh-keygen(1). >> >> It seems to me that there could be a 1:1 mapping between SSH cert >> extensions and authz key options by just adding prefix