similar to: SSH cert extensions and authz key options

Damien, your advice is appreciated. Damien Miller wrote: > On Fri, 12 Jan 2018, Michael Str?der wrote: >> I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and >> description for CLI arg -O in ssh-keygen(1). >> >> It seems to me that there could be a 1:1 mapping between SSH cert >> extensions and authz key options by just adding prefix

Hello, I am trying to work out the best way to issue SSH certificates in such way that they only allow access to specific usernames *and* only to specific groups of host. As a concrete example: I want Alice to be able to login as "alice" and "www" to machines in group "webserver" (only). Also, I want Bob to be able to login as "bob" and

Hello, In testing security key support in OpenSSH 8.2, I had some trouble making the ?no-touch-required? option in the authorized_keys file work in conjunction with OpenSSH certificates. I think I?ve figured it out, but I think there may be a bug in ssh-keygen related to this. To make ?no-touch-required? work with certificates, I actually had to do three things: Generate the security key with

On 30/01/2020 15:02, Christian, Mark wrote: > On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote: >> As a concrete example: I want Alice to be able to login as "alice" >> and >> "www" to machines in group "webserver" (only). Also, I want Bob to >> be >> able to login as "bob" and "www" to machines in group

Hi there! What am I doing wrong? I created a ssh-certificate id_user_rsa-cert.pub with this dump: id_user_rsa-cert.pub: root at host # ssh-keygen -Lf id_user_rsa-cert.pub ??????? Type: ssh-rsa-cert-v01 at openssh.com user certificate ??????? Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk ??????? Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs ??????? Key ID:

Hello: I am working to implement certificate-based authentication for some internal applications. It would be very helpful to be able to pass information server-side by specifying some custom options via the Extensions of the signed certificate, allowing the authenticity of the options to be verified readily. However, I have not been able to find too much for specifying behaviors, etc.

I am trying to find out how I can use the new self-signed certificates So what I read in the man pages, it should be something like: client: 1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate Server(s): 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or location you like 3) edit

Hello, I would like to know whether OpenSSH supports x509 certificate based authentication. It looks like OpenSSH has dependency on OpenSSL so does this mean that OpeSSH also supports x509 certificate based authentication. If it does support, can you please point me to the necessary documentation. Thanks Naitik

I've downloaded the latest DB2 client, and its ODBC registration program complains that this is missing. No threads or references here. There didn't appear to be a download for it at M$. A search yielded lots o sites that offered it. Any recommendations? thanks

Hi Daminan! Hmmm... thought about a little... when i use -vvv with ssh-keygen -Qf i see "debug1:..." So i think, debug is compiled in. ssh-keygen --help gives me ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ... so... option -z is not the serial of the certificate, it is the version-number of the KRL-File... My openssh-Verision from Debian is

Hello. I am trying to play through the following test scenario about certificate revocation on Ubuntu 18.04, which has OpenSSH of this version: OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n? 7 Dec 2017 1. A CA key is created ssh-keygen -t ed25519 -f ca 2. The CA public key is added to ~/.ssh/authorized_keys on some server: cert-authority ssh-ed25519 AAAA...e ca at yoga 3. A user key is created on a

Hello, I must relogin on the same machine in my shell with ssh and without password. For this I tried the procedure ssh-keygen -t dsa and ssh-keygen -t rsa. I copied the entries in /.ssh/id_dsa.pub and /.ssh/id_rsa.pub in /.ssh/authorized_keys When I open a shell I type exec ssh-agent $SHELL and then ssh-add and give my passphrases. When I now type ssh machinename my PC wants my password. I

Hi, We will probably do an openssh-5.5p1 release soon, mainly for the sshd_config:AuthorizedKeysFile bug, but containing a few other small patches too. If you have any portability fixes that need to go in then

Hi, Quick question...I read in the docs that: "Master user is still subject to ACLs just like any other user, which means that by default the master user has no access to any mailboxes of the user." ... and that the standard workaround is to return master_user=%u from the userdb. But why is the master_user authn-id used in the ACLs and not the authz-id (requested-login-user) ?

I use: ssh-keygen -t rsa to generate a key file (id_rsa.pub) which I copy into authorized_keys2 on other machines in order to permit ssh to these machines without being asked for a password. The thing is that I have dual boot on this machine: one for fedora and one for ubuntu. The two key files which were generated on these machine are different. Is there a way so that I will have the same key

I've recently upgraded some of my machines from an ssh1 environment to an openssh one, and consequently, I'm now using the ssh2 protocol. I can't seem to get it to allow remote logins without prompting for a passphrase or password. Is this possible? I've created id_dsa and id_rsa files etc., using ssh-keygen and have copied the public information to the remote authorized_keys

Hallo, I wanted to avoid typing-in my password every occasion I remotely logged-on to a server. I created my SSH keys and copied the public part to the server and renamed it authorized_keys. My command line is: ssh root at xxxxxx.com -p 1234 The output shows the logging-on routine wants 3 types of authentication. Surely one successful authentication is sufficient ? OpenSSH_4.3p2, OpenSSL

hi all I have generated the key in the source server(10.78.0.107) ssh-keygen -t dsa -C "root@10.78.0.107" I have added this key to authorized_keys2 of the destination server(10.78.0.117) cat id_dsa.pub >> /root/.ssh/authorized_keys2 but when I execute rsync -avz -e ssh root@10.78.0.107:/var/mail/ /var/mail in the destination server I asck me for the password How to avoid this in

Hi, I am trying to mirror a server every night using rsync. I have to backup multiple directories and multiple individual files. I also want to use ssh as transport. The problem is that I cannot get ssh to work without asking password for each step. I tried the public key thing but it doesnt work. Can some one give instructions for a layman like me. Also I want to know how to pass argument to

Hi, OpenSSH 5.6 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a moderately large release, with a number of new features and bug fixes. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH