similar to: [PATCH] Set KRB5PRINCIPAL in user environment

Hey, On 05/01, Jakub Jelen wrote: >On 01/04/2017 10:57 AM, Johannes L?thberg wrote: >>Signed-off-by: Johannes L?thberg <johannes at kyriasis.com> >>--- >> gss-serv-krb5.c | 5 +++++ >> 1 file changed, 5 insertions(+) >> >>diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c >>index 795992d9..a12bb244 100644 >>--- a/gss-serv-krb5.c >>+++

Hey, I use gitolite for git hosting on my server, and because I want to use kerberos authentication I patched OpenSSH to put the name of the kerberos principal name or the ssh fingerprint as environment variables so my ForceCommand script can use them to actually authorize the user by the principal/fingerprint. It?s a bit annoying to keep my own patch and I thought it might be something

You really don't need openssl for that. And the fingerprints are simple. Here is a python script that do the same as ssh-keygen -fl /path/to/key : #!/usr/bin/env python3 import binascii import hashlib import sys if __name__ == "__main__": key = binascii.a2b_base64(sys.argv[1]) if sys.argv[2] == "md5": m = hashlib.new("md5")

Hello There is no reply about this demand since the firt proposition has if nobody in dev team cares about it :( Strange ... Le 14 mars 2018 20:39:53 GMT+01:00, "Johannes L?thberg" <johannes at kyriasis.com> a ?crit : >Quoting Johannes L?thberg (2017-01-06 02:34:43) >> >this change request is already tracked as a bug #2063 [1] (with the >> >related

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

On 26/03, Nico Kadel-Garcia wrote: >Yanking it out wholesale should be part of a 7.0 build, not an >incremental release. That's a major incompatibility with one heck of a >lot of existing code, much of which is on extended support. > And it?s been said multiple times in this thread that the OpenSSH version number is just a incrementing decimal number, it doesn?t have any major

% cat ext_rsa.pub| sed -r 's/.*(AAAA[^ ]+).*/\1/' | sha256sum ~/.ssh swlap1 d4bf8b06f2d9d9af7a11583a5367205ed310a84f0dee68d062e2ddca1e85c3ff - % ssh-keygen -lf ext_rsa.pub ~/.ssh swlap1 8192 SHA256:FgrfxmdjTM/j4wwRa7nVdPSUaJdqHYMJtJ6aciPl9ug swilson at swlap1 (RSA) Why do those differ and how would i generate the equivalent (mainly just curious)? I've also tried base64 and a

Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I noticed that there is a bit of functionality missing from OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using GSS authentication. Yes, ~/.k5login can be used to grant access to an account for applications that support Kerberos, as does OpenSSH with those GSS patches, but .k5login does not and cannot provide

this is the proposed gssapi diff against OpenSSH-current (non-portable). note: if this goes in, the old krb5 auth (ssh.com compatible) will be removed. please comment. jakob Index: auth.h =================================================================== RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v retrieving revision 1.1.1.2 retrieving revision 1.3 diff -u -r1.1.1.2 -r1.3 --- auth.h

On Wed, 2015-03-25 at 18:48 +1100, Damien Miller wrote: > Our ability to influence people who run truly obsolete software is > extremely limited. +1, mostly because those who still use something that outdated in their products are either dead, or simply don't care about their customer's security (which is typical in the embedded devices area). Just by us (or anyone else) saying

This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and other principal names in authorized_keys entries. It's a sort of replacement for .klogin and .k5login, but it's much more general than .k*login as it applies to any authentication mechanism where a name is associated with the ssh client and it supports name patterns and all the normal authorized_keys entry options

samba-3.0.21c, heimdal-0.7.2 The heimdal documentation[1] talks about a samba integration when both samba and heimdal are using ldap as their backends. I quote: "Now you can proceed as in See Using LDAP to store the database. Heimdal will pick up the Samba LDAP entries if they are in the same search space as the Kerberos entries." There is absolutely no further documentation. I tried

On Fri, 2018-03-16 at 19:07 +1030, David Newall wrote: > > There is no reply about this demand since the firt proposition > > has if nobody in dev team cares about it :( > > I'm curious about the first section of the diff, which exports > SSH_GSSAPI_DISPLAYNAME to PAM. Is that useful? Am I right that the > PAM > environment forms no part of the client session?

Hi, first of: my familiarity with OpenSSH/Pam code-base is very limited.. Please excuse me if some of this does not make any sense or seems stupid! I'm investigating if it is possible for a PAM module to find out which public key was accepted (when 'AuthenticationMethods publickey,keyboard-interactive' is used). From my digging in the source, it seems it is currently not. Would

Hi All. Markus has commited the long-awaited GSSAPI patch to OpenBSD's ssh. There are patches. The first [1] is a straightforward port of the OpenBSD code to Portable. The second [2] contains the parts I've stolen from Simon Wilkinson's portable GSSAPI patch in an attempt to make it build. It is incomplete and doesn't currently work. The PAM support is not there and

https://bugzilla.mindrot.org/show_bug.cgi?id=983 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1930 --- Comment #34 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:24 EST --- Retarget unresolved

Hello, I maintain a network of numerous Linux workstations, several Apples, and a few Windows machines. The Apples and Windows XP machines already grab shared data via Samba and the remaining data is exported to the Linux machines via NFS. I am in the process of migrating the existing authentication system from XYZ123 to Kerberos and going to place user data---with the exception of passwords

Hi All. OpenSSH is getting ready for a release soon, so we are asking for all interested parties to test a snapshot. Changes include: * sshd will now re-exec itself for each new connection (the "-e" option is required when running sshd in debug mode). * PAM password authentication has been (re)added. * Interface improvements to sftp(1) * Many bug fixes and improvements, for

As you know, revoking RSA/DSA keys in an SSH environment requires editing all authorized_keys and authorized_keys2 files that reference those public keys. This is, well, difficult at best but certainly very obnoxious, particularly in a large environment. SSH key management is difficult. This patch simplifies key management wherever GSS-API/Kerberos is used and is general enough to be used with

I have tried to create a samba domain with a ldap backend. This is how my ldap structure looks like. # example.com dn: dc=example,dc=com objectClass: dcObject objectClass: organization o: example dc: example # groups, example.com dn: ou=groups,dc=example,dc=com objectClass: organizationalUnit ou: groups # Domain Admins, groups, example.com dn: cn=Domain Admins,ou=groups,dc=example,dc=com