similar to: [RFC 0/2] add engine based keys

Displaying 20 results from an estimated 600 matches similar to: "[RFC 0/2] add engine based keys"

2020 Jun 09
3
[PATCH v2 0/2] Add openssl engine keys with provider upgrade path
I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may
2020 Jan 30
6
[PATCH 1/2] Add support for openssl engine based keys
Engine keys are keys whose file format is understood by a specific engine rather than by openssl itself. Since these keys are file based, the pkcs11 interface isn't appropriate for them because they don't actually represent tokens. The current most useful engine for openssh keys are the TPM engines, which allow all private keys to be stored in a form only the TPM hardware can decode,
2020 Oct 06
2
Accessing SSH key path using SSH_ASKPASS and passwordstore
Hello, With the introduction of SSH_ASKPASS_REQUIRE in version 8.4, I've set up a script for SSH_ASKPASS to query my local passwordstore (https://www.passwordstore.org/) vault to retrieve the password for a given key. This works for ssh-add as well as ssh (configured with AddKeysToAgent set to 'yes'). My workflow effectively transforms into entering the password for the GPG key used
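Added example (not the poster's script, and not part of OpenSSH or passwordstore): a minimal SSH_ASKPASS helper of the kind described above. It parses the two prompt shapes OpenSSH hands the askpass program (ssh-add uses "Enter passphrase for PATH: ", ssh with AddKeysToAgent uses "Enter passphrase for key 'PATH': "), maps the key path to a pass entry, and prints the first line of that entry. The store layout is an assumption: entries are taken to live under ssh/ and to be named after the key file's basename.

```shell
#!/bin/sh
# Added example, not the poster's script. SSH_ASKPASS helper backed by pass(1).
# Assumption (not from the original post): the passphrase for ~/.ssh/id_ed25519
# is stored in the pass entry "ssh/id_ed25519".

# Recover the key path from either prompt shape OpenSSH produces:
#   ssh-add:  "Enter passphrase for /home/u/.ssh/id_ed25519: "
#   ssh:      "Enter passphrase for key '/home/u/.ssh/id_ed25519': "
key_path_from_prompt() {
    p=$1
    p=${p#"Enter passphrase for key "}
    p=${p#"Enter passphrase for "}
    p=${p%": "}
    p=${p%:}
    p=${p#\'}
    p=${p%\'}
    printf '%s\n' "$p"
}

# Map a key path to the pass entry holding its passphrase (layout assumed above).
pass_entry_for_key() {
    printf 'ssh/%s\n' "${1##*/}"
}

# Entry point used when ssh/ssh-add invoke this script with the prompt as $1.
askpass_main() {
    # Only ever answer passphrase prompts. With SSH_ASKPASS_REQUIRE=force, ssh
    # also routes host key confirmation ("Are you sure you want to continue
    # connecting (yes/no/[fingerprint])?") through SSH_ASKPASS; a helper that
    # echoed store contents there would be wrong, so refuse anything else.
    case $1 in
        "Enter passphrase for "*) ;;
        *) exit 1 ;;
    esac
    key=$(key_path_from_prompt "$1")
    # pass(1) prints the whole entry; the passphrase is its first line.
    pass show "$(pass_entry_for_key "$key")" | head -n 1
}

# Run only when a prompt was actually passed in (ssh/ssh-add always supply one).
if [ "$#" -gt 0 ]; then
    askpass_main "$1"
fi
```

To use it, make the script executable, then set SSH_ASKPASS to its path and SSH_ASKPASS_REQUIRE=force (or prefer) in the environment of the ssh or ssh-add invocation; without SSH_ASKPASS_REQUIRE, ssh only falls back to the helper when no tty is available. The passphrase still leaves the script via stdout, so nothing is gained if that stdout is logged, and the real secret that protects the keys becomes the GPG key guarding the store.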
2016 Dec 28
2
certificates keys on pkcs11 devices
Hi, I have not found any way to use a Certificate with ssh-agent when my Key is stored on a pkcs11 device. I can add my key with ssh-add -s /usr/local/lib/opensc-pkcs11.so but ssh-add -s /usr/local/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub does not add the certificate to my agent. As far as I understand, in ssh-add.c line 580 if (pkcs11provider != NULL) { if (update_card(agent_fd,
2020 Jul 21
11
[RFC PATCH 0/4] PAM module for ssh-agent user authentication
Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.
2015 Jul 26
2
[PATCH] ssh-agent: Add support to load additional certificates
Add support to load additional certificates for already loaded private keys. Useful if the private key is on a PKCS#11 hardware token. The private keys inside ssh-agent are now using a refcount to share the private parts between "Identities". The reason for this change was that the PKCS#11 code might have redirected ("wrap") the RSA functions to a hardware token. We don't
2018 Nov 19
2
[PATCH] openssl-compat: Test for OpenSSL_add_all_algorithms before using.
OpenSSL 1.1.0 has deprecated this function. --- configure.ac | 1 + openbsd-compat/openssl-compat.c | 2 ++ openbsd-compat/openssl-compat.h | 4 ++++ 3 files changed, 7 insertions(+) diff --git a/configure.ac b/configure.ac index 3f7fe2cd..db2aade8 100644 --- a/configure.ac +++ b/configure.ac @@ -2710,6 +2710,7 @@ if test "x$openssl" = "xyes" ; then ])
2018 Apr 07
6
OpenSSH private key format errors with LibreSSL 2.7
On 2018-04-07 11:24, Bernard Spil wrote: > On 2018-04-07 9:04, Joel Sing wrote: >> On Friday 06 April 2018 21:31:01 Bernard Spil wrote: >>> Hi, >>> >>> When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA >>> and >>> ECDSA private keys. >>> >>> Error loading key "./id_rsa": invalid format
2000 Sep 18
1
ssh-agent and ssh2 servers...
I'm not on the mailing list, so I'd appreciate it if you could cc: me, though I will keep an eye on the archives. I am running openssh 2.2.0p1 on Debian GNU/Linux. I was pleased to see that 2.2.0p1 had support for DSA keys in the agent, and I have successfully used the v2 protocol to another openssh server with the agent providing authentication. I am also able to successfully connect
2018 Jun 08
4
vanilla build of 7.7p1 release on linux/4.17 fails with gcc8 @ "/usr/bin/ld: unrecognized option '-Wl,-z,retpolineplt'"
On 8 June 2018 at 11:21, PGNet Dev <pgnet.dev at gmail.com> wrote: > fyi > > add'l -- and looks unrelated -- issue > /usr/include/pthread.h:251:12: note: previous declaration of 'pthread_join' was here > extern int pthread_join (pthread_t __th, void **__thread_return); What included pthread.h? That's explicitly not supported by sshd: $ grep THREAD
1999 Nov 25
2
pre15 & Solaris 7 ... rsa.h problem ...
I don't remember what we did to fix this last time, and I've had to rebuild my system completely from scratch over the past few days, so don't have past patches to work from ... new-relay:/usr/slocal/src/openssh-1.2pre15> make gcc -g -O2 -Wall -I/usr/slocal/include -DETCDIR=\"/usr/local/etc/ssh\" -DSSH_PROGRAM=\"/usr/slocal/bin/ssh\" -DHAVE_CONFIG_H -c
2008 Apr 21
3
FIPS 140-2 OpenSSL(2007) patches
Hi, I am happy to (re)send a set of patches for compiling OpenSSH 4.7p1 with FIPS 140-2 OpenSSL. These are based on previously reported patches by Steve Marquess <marquess at ieee.org> and Ben Laurie <ben at algroup.co.uk>, for ver. OpenSSH 3.8. Note that these patches are NOT OFFICIAL, and MAY be used freely by anyone. Issues [partially] handled: SSL FIPS Self test. RC4,
2015 Sep 26
5
[RFC][PATCH v2] Support a list of sockets on SSH_AUTH_SOCK
The idea behind this change is to add support for different "ssh-agents" being able to run at the same time. It does not change the current behaviour of the ssh-agent (which will set SSH_AUTH_SOCK just for itself). Neither does it change the behaviour of SSH_AGENT_PID (which still supports only one pid). The new implementation will go through the list of sockets (which are separated by a
2018 Dec 10
2
[PATCH] cleanup of global variables server/client_version_string in sshconnect.c
In sshconnect.c there are two global variables for server_version_string client_version_string. These are used just in a few functions and can easily be passed as parameters. Also, there is a strange construct, where their memory is allocated to the global pointers, then copies of these pointers are assigned to the kex structure. The kex_free finally frees them via cleanup of the kex
2004 Jun 30
3
OpenSSL ENGINE support for OpenSSH
Hi all, attached is a patch that enables using hardware crypto accelerators available through OpenSSL library for SSH operations. Especially in ssh/sshd it can bring a significant speed improvement. OTOH if no crypto engine is available, nothing bad happens and default software crypto routines are used. This patch is used in SUSE Linux OpenSSH package and proved to work (at least it didn't
2000 Aug 23
14
Test snapshot
I have just tarred up a snapshot and uploaded it to: http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz The snapshot incorporates the last month's fixes and enhancements from the openssh-unix-dev mailing list and from the OpenBSD developers. In particular: - ssh-agent and ssh-add now handle DSA keys. NB. this does not interop with ssh.com's ssh-agent. (Markus Friedl)
2001 Sep 27
4
ssh2 key passphrase problems in 2.9.9 on Linux
I've just compiled and installed openssh-2.9.9p2 (compiled against openssl-0.9.6b using gcc-3.0.0) on a Slackware 7-based Linux machine (kernel 2.4.6ac2). The previously installed version was 2.9p2, compiled against openssl-0.9.6a, also with gcc-3.0.0, but with a different build of gcc-3.0.0. Everything seems to work fine except for one problem: passphrase matching for ssh2 keys
2018 Feb 22
3
Attempts to connect to Axway SFTP server result in publickey auth looping
We are attempting to use openssh sftp to connect to a server that is running some version of the Axway SFTP server. After a publickey auth completes, the server resends publickey as a valid auth. This results in a loop as openssh sftp resubmits the publickey information. This seems similar to a discussion in 2014 that terminated with the thought that it might be nice if the client tracked
2001 Aug 24
2
[PATCH] SO_KEEPALIVE for port forwards
Attached is a patch to allow a user to turn on TCP keepalives for port forwarded connections. It's mainly useful when the connections to the ssh listener are coming from many different boxes, some of which crash, leaving the service on the other side of the port forwarder waiting on connections indefinitely. It creates a new option named "KeepAliveForward" to control this behavior.
2023 Aug 01
3
[Bug 3597] New: Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3597 Bug ID: 3597 Summary: Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled? Product: Portable OpenSSH Version: -current Hardware: Other