similar to: proposed change to ssh_connect_direct()

2017 Jan 12
3
proposed change to ssh_connect_direct()
On Sat, Jan 7, 2017 at 2:30 PM, Peter Moody <mindrot at hda3.com> wrote:
> so I spent a bit of time looking at this and it seems like the only
> way to go, at least if I want to keep it in ssh_connect_direct(), is
> to use pthreads. further, it seems like getting that accepted is
> something of a long shot:

Sorry, pthreads is a non-starter. I would have thought that using
2018 May 25
5
Suggestion: Deprecate SSH certificates and move to X.509 certificates
That's not a very good source, since it's only available to one person.

On Fri, May 25, 2018 at 7:12 AM, Peter Moody <mindrot at hda3.com> wrote:
> On Thu, May 24, 2018 at 9:09 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>> How can I revoke one SSH certificate without having to replace the
>> root certificate and all certificates signed by it?
>
>
2014 Jul 16
1
ssh - Connection closed by UNKNOWN
Hi, ssh clients shows "closed by UNKNOWN" message when a socket is closed by a remote side while ssh is waiting for user's password:

$ ssh user at localhost
user at localhost's password:
Connection closed by UNKNOWN

When the packet_read_seqnr() calls get_remote_ipaddr(), a connection's socket is already closed and there's not been any other call of this function yet
2016 Jul 15
16
[Bug 2598] New: ssh-agent very occasionally won't remove keys or certs despite now() >= lifetime
https://bugzilla.mindrot.org/show_bug.cgi?id=2598

Bug ID: 2598
Summary: ssh-agent very occasionally won't remove keys or certs despite now() >= lifetime
Product: Portable OpenSSH
Version: 6.9p1
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: minor
Priority: P5
2018 May 25
3
Suggestion: Deprecate SSH certificates and move to X.509 certificates
How can I revoke one SSH certificate without having to replace the root certificate and all certificates signed by it? Regarding the second statement, do you have sources?

On Fri, May 25, 2018 at 6:58 AM, Peter Moody <mindrot at hda3.com> wrote:
> On Thu, May 24, 2018 at 8:36 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>
>> SSH certificates provide no
>> way to
2015 Feb 02
4
[Bug 2348] New: allow ssh to connect to a unix domain socket
https://bugzilla.mindrot.org/show_bug.cgi?id=2348

Bug ID: 2348
Summary: allow ssh to connect to a unix domain socket
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at
2017 May 15
4
Golang CertChecker hostname validation differs to OpenSSH
On Mon, May 15, 2017 at 11:39 AM, Peter Moody <mindrot at hda3.com> wrote:
> my reading of the sshd manpage is that ssh is more permissive than it should be
>
> SSH_KNOWN_HOSTS FILE FORMAT :
> ...
>
> A hostname or address may optionally be enclosed within `[' and `]'
> brackets then followed by `:' and a non-standard port number.

Hi Peter, I'm not
2013 Jun 20
1
ProxyCommand that returns a socket
Hello, My usage of ProxyCommand just calls the nc utility with various parameters. That in turn after the initial setup just copies the data from the network socket to stdin/stdout. This useless copying can be avoided if ssh has an option to receive the socket from the proxy command. I suppose it can improve network error reporting as ssh would talk directly to the network socket rather
2016 Mar 10
10
[Bug 2550] New: ssh can't use an in-memory-only certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

Bug ID: 2550
Summary: ssh can't use an in-memory-only certificate
Product: Portable OpenSSH
Version: 7.2p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at
2017 Nov 10
3
ProxyCommand that creates identity file
Hi there, I'm working on a project to write a ProxyCommand that reaches out to an SSH CA to receive an SSH certificate prior to the connection. The ProxyCommand also creates a tunnel to the upstream SSH server. When using ProxyCommand alone, the issue is that the identity files are loaded as soon as SSH has fork/exec'd the process. It does not wait for a valid server negotiation. I
2013 Oct 07
4
Feature request: FQDN Host match
Hello! I'm hoping that Gmail won't HTML format this mail so that I'll get flamed :) Anyway, my question relates to ssh_config. The problem I find is that the Host pattern is only applied to the argument given on the command line, as outlined in the man page: "The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name
2017 Dec 25
2
OpenSSH key signing service?
>
> Details on these, please? Since that was kind of what I was asking for in
> the OP :)

netflix's bless has been around for a while. https://github.com/Netflix/bless

nial sheridan gave a talk recently at LISA about cashier. https://github.com/nsheridan/cashier

and finally i'm hoping to have all the necessary approvals to release ussh early next year. I wrote about ussh here
2020 Jan 13
3
Adding SNI support to SSH
Ciao Luca,

Luca Filipozzi <lfilipoz at emyr.net> writes:
>> [ ... ]
> Neat. I do something similar: in order to circumvent obnoxious airport /
> coffee shop firewalls that block non-HTTPS traffic, I configured haproxy
> to offer 'SSH over HTTPS'. haproxy terminates the HTTPS connection
> (which is SNI-aware) while sshd on the target machine terminates the
>
2024 Apr 22
0
OpenSSH 9.6 client is stuck
I am trying to run ssh to a server continuously and quickly. Out of about 10-12 times of good run or result, once the client gets stuck. It does not connect. This we are observing after upgrading both the server and client to OpenSSL 9.6p1. We are running this cmd on the client side:

ssh -vvv -p 1022 -o UserKnownHostsFile=/dev/null -o GSSAPIAuthentication=no -o StrictHostKeyChecking=no -o
2019 Mar 07
2
Dynamically allow users with OpenSSH?
Peter and Jason, thanks for your replies on this. I was able to accomplish this with a combination of Peter's solution and setting "AuthorizedKeysFile none" as suggested in the Stack Overflow question.

On Wed, Mar 6, 2019 at 2:30 PM Peter Moody <mindrot at hda3.com> wrote:
>
> why aren't the authorized keys/principals commands sufficient?
>
> $ getent group
2014 Oct 06
3
[Bug 2286] New: Port ignored when re-reading config after canonicalization
https://bugzilla.mindrot.org/show_bug.cgi?id=2286

Bug ID: 2286
Summary: Port ignored when re-reading config after canonicalization
Product: Portable OpenSSH
Version: 6.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh
2019 Feb 04
3
Signing KRLs?
Hi! While reading through PROTOCOL.krl I came across "5. KRL signature sections". If my understanding is correct - and that's basically what I would like to get knocked down for if appropriate ;) - this is a way for SSHDs to ensure they only accept KRLs signed by a trusted CA. However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen? The aforementioned
2018 Nov 19
4
ssh-agent decrypt
moronic monday (pst) question time. this may have been covered elsewhere, and emphatically shot down (and if so, I apologize), but I'm interested in using ssh-agent to decrypt data. ssh certificates are the most secure user auth token we have, and even though ssh certs aren't chainable, we routinely use them to assert identity to things other than ssh (eg. if you can present a cert
2007 May 13
2
extracting text contained in brackets ("[ ... ]") from a character string?
I have a text string that contains text within two brackets. e.g. "testdata[3]" "testdata[-4]", "testdata[-4g]", I wish to "extract" the string enclosed in brackets? What is a good way to do this? e.g. fun(testdata[3]) = '3' fun(testdata[-4g]) = '-4g'
2017 May 15
5
Golang CertChecker hostname validation differs to OpenSSH
Hi all, Last week I noticed that the CertChecker in the Go implementation of x/crypto/ssh seems to be doing host principal validation incorrectly and filed the following bug: https://github.com/golang/go/issues/20273 By default they are looking for a principal named "host:port" inside of the certificate presented by the server, instead of just looking for the host as I believe OpenSSH