Displaying 20 results from an estimated 4000 matches similar to: "Automatically forwarding fresh Kerberos tickets?"
2004 Sep 13
4
Pending OpenSSH release, call for testing.
Darren,
We have systems which are multihomed for virtualisation, but run only one sshd.
You can connect to any IP-address and should be authenticated with
gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the
server has to have an entry for this in the keytab and has to select the right
key by determining the hostname from the connection IP-address. There is no other
way
2007 Sep 27
4
GSSAPI Key Exchange Patch for OpenSSH 4.7p1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I'm pleased to (finally) announce the availability of my GSSAPI Key
Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains support for
doing GSSAPI user authentication, this only allows the underlying
security mechanism to authenticate the user to the server, and
continues to use SSH host keys to authenticate the server to the
2015 Oct 08
3
[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
Thomas Calderon <calderon.thomas at gmail.com> writes:
> Hi,
>
> There is no need to add new mechanism identifiers to use specific curves.
>
> This can be done already using the CKM_ECDSA mechanism parameters (see
> CKA_ECDSA_PARAMS
> in the standard).
> Given that the underlying HW or SW tokens supports Ed25519 curves, then you
> could leverage it even with
2015 Oct 08
2
[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
On 10/8/2015 4:49 AM, Simon Josefsson wrote:
> Mathias Brossard <mathias at brossard.org> writes:
>
>> Hi,
>>
>> I have made a patch for enabling the use of ECDSA keys in the PKCS#11
>> support of ssh-agent which will be of interest to other users.
>
> Nice! What would it take to add support for Ed25519 too? Do we need to
> allocate any new PKCS#11
2017 Jan 17
2
Question on Kerberos (GSSAPI) auth
On Jan 17, 2017, at 9:57 AM, Douglas E Engert <deengert at gmail.com> wrote:
> On 1/16/2017 2:09 PM, Ron Frederick wrote:
>> I?m working on an implementation of ?gssapi-with-mic? authentication for my AsyncSSH package and trying to get it to interoperate with OpenSSH. I?ve gotten it working, but there seems to be a discrepancy between the OpenSSH implementation and RFC 4462.
2007 Sep 25
9
OpenSSH PKCS#11merge
[[Sending again, as for some strange reason it is not accepted]]
Hello OpenSSH developers,
I maintain external patch for PKCS#11 smartcard support into
OpenSSH[1] , many users already apply and use this patch.
I wish to know if anyone is interesting in working toward merging this
into mainline.
I had some discussion with Damien Miller, but then he disappeared.
Having standard smartcard
2017 Jun 24
2
OpenSSL 1.1 support status : what next?
On 6/24/2017 11:35 AM, Emmanuel Deloget wrote:
> Hello Douglas,
>
> On Fri, Jun 23, 2017 at 9:16 PM, Douglas E Engert <deengert at gmail.com <mailto:deengert at gmail.com>> wrote:
> > OpenSC has taken a different approach to OpenSSL-1.1. Rather then writing
> > a shim for OpenSSL-1.1, the OpenSC code has been converted to
> > the OpenSSL-1.1 API and a
2004 Jan 26
6
OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Rather then implementing kafs in MIT Kerberos, I would like to
suggest an alternative which has advantages to all parties.
The OpenSSH sshd needs to do two things:
(1) sets a PAG in the kernel,
(2) obtains an AFS token storing it in the kernel.
It can use the Kerberos credentials either obtained via GSSAPI
delegation, PAM or other kerberos login code in the sshd.
The above two
2017 Jun 23
5
OpenSSL 1.1 support status : what next?
OpenSC has taken a different approach to OpenSSL-1.1. Rather then writing
a shim for OpenSSL-1.1, the OpenSC code has been converted to
the OpenSSL-1.1 API and a sc-ossl-compat.h" file consisting of defines and
macros was written to support older versions of OpenSSL and Libressl.
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc-ossl-compat.h
The nice part of this approach is
2006 May 06
2
GSSAPI Key Exchange
Now that RFC 4462 has been published, I was wondering if there would be
any interest in looking again at integrating the key exchange portions of
my GSSAPI patch into the OpenSSH tree?
As I've mentioned before, key exchange has significant benefits for large
sites as it allows them to use Kerberos to authenticate ssh hosts, and
removes the need to maintain and distribute ssh known_hosts
2004 Feb 13
2
OpenSSH-snap-20040212 and the use of krb5-config
With openssh-snap-20040212 the configure.ac when it finds a
krb5-config file, does not call the AC_DEFINE(GSSAPI) or
AC_CHECK_HEADER(gssapi.h...) This means that GSSAPI and HAVE_GSSAPI_H
are not defined, and thus GSSAPI is not built.
If I rename the kerberos provided krb5-config file and run configure,
the old method of finding the Kerberos lib and include directories
is used and OpenSSH
2009 Nov 05
1
Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?
Good Morning,
We have a network of Solaris 10 machines authenticating and doing name
lookups via a Windows 2008 (SP2) domain using the Solaris ldap client and
self/gssapi credentials. Each machine has a machine account that is
prepared via a script with the following attributes:
userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT |
DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
2005 Feb 21
6
OpenSSH+GSSAPI & HP/UX 11i...
I am trying to transition several HP/UX 11i (PA/RISC) servers from
ssh.com over to OpenSSH+GSSAPI (3.9p1) and it's complaining about the
GSSAPI include files:
-=-
gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.
-I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE
-D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/krb5/include
-DSSHDIR=\"/usr/local/etc\"
2005 May 11
6
Need help with GSSAPI authentication
Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11.
I've also got MIT Kerberos for Windows installed on the client, and Leash
shows that my tickets ARE forwardable.
Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and
OpenSSH 4.0p1.
I've created two AD accounts, and extracted keys mapped to
"host/hostname.domainname.com at REALM.COM" and
2004 Mar 04
4
SSH + Kerberos Password auth
Hello,
I have a question about SSH with Kerberos password authentication .
Do I receive any host ticket to my client machine when I do ssh connection
with Kerberos password authenticaiton? If dont, why?
If I login to remote machine through telnet with Kerberos Password
authentication [through PAM-kerberos], then I can see the tickets with
klist. But with the same setup for sshd, I cannot see
2003 May 02
6
openssh 3.6.1_p2 problem with pam (fwd)
----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> -----
Date: Fri, 2 May 2003 14:01:33 +0200
From: Andrea Barisani <lcars at infis.univ.trieste.it>
To: openssh at openssh.com
Subject: openssh 3.6.1_p2 problem with pam
Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour:
# ssh -l lcars mybox
[2 seconds delay]
lcars at mybox's
2017 Jan 16
2
Question on Kerberos (GSSAPI) auth
I?m working on an implementation of ?gssapi-with-mic? authentication for my AsyncSSH package and trying to get it to interoperate with OpenSSH. I?ve gotten it working, but there seems to be a discrepancy between the OpenSSH implementation and RFC 4462. Specifically, RFC 4462 says the following in section 3.4:
Since the user authentication process by its nature authenticates
only the client,
2016 Apr 27
4
Semi-OT: very weird vi behaviour
This is weird. As in, *deeply* weird.
I ssh as root from one box to another (there are keys involved), and I go
to vi a file, such as
# line 1 #
# line 2 #
# line 3
# line 4
And what I see in vi is
# line 3
# line 4
BUT, if I scroll the cursor over each line with the arrow key... I see all
four lines. I've also looked at another file, and same thing. Just checked
it out on the server I
2005 Nov 27
3
OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
Greetings,
I'm working on the infrastructure of a medium size client/server
environment using an Active Directory running on Windows Server 2003 for
central authentication of users on linux clients.
Additionally OpenAFS is running using Kerberos authentication through
Active Directory as well.
Now I want to grant users remote access to their AFS data by logging in
into a central OpenSSH
2009 Feb 04
4
5.1p1 and X11 forwarding failing
I'm really scratching my head on this one. The server
is running OpenSSH 5.1p1 on Solaris 9. The authentication
is via PAM if that matters.
# grep X11 sshd_config | sed '/^#/D'
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
#
Now I attach to my 'master' sshd and follow all children
to look for any evidence of "DISPLAY":
# truss -f -a -e -p 14923