Displaying 20 results from an estimated 2000 matches similar to: "OpenSSH Certificate Extensions"
2019 May 21
2
OpenSSH Certificate Extensions
Any caveats with using AuthorizedKeysCommand in this case?
From: Damien Miller <djm at mindrot.org>
Sent: Monday, May 20, 2019 6:37 PM
To: Nickolas Klue <nickolas.klue at thoughtspot.com>
Cc: openssh-unix-dev at mindrot.org
Subject: Re: OpenSSH Certificate Extensions
On Mon, 20 May 2019, Nickolas Klue wrote:
> Hello:
>
2024 Feb 08
2
Authentication using federated identity
I know that there are some methods to use federated identities (e.g.
OAuth2) with SSH authentication but, from what I've seen, they largely
seem clunky and require users to interact with web browsers to get one
time tokens. Which is sort of acceptable for occasional logins but
doesn't work with automated/scripted actions.
I'm just wondering if anyone has done any work on this or
2023 Oct 23
2
Question about silos and Authentication policies
Hi Stefan,
We had a long weekend in New Zealand, I'm catching up now to your emails.
Some of the slight differences between Windows tools I've already picked
up on and are in my PR Andrew Bartlett mentioned on Friday, but I'm
always open to learning what things are missing or different etc.
On 23/10/23 02:58, Stefan Kania via samba wrote:
> Talking to myself again ;-)
>
>
2023 Oct 23
2
Question about silos and Authentication policies
Thanks Rob for chiming in.
Stefan,
I do want to be very clear, one of the big challenges that we as
developers face building these kind of tools is that we don't run AD
domains day-to-day. So we really value good feedback on the
ergonomics.
If you can test with our work in progress, we are keen to adapt the
tooling where possible to be more in line with what is 'naturally
expected, so
2023 Oct 22
1
Question about silos and Authentication policies
Talking to myself again ;-)
Samba-tool is working a little bit different than the silo/policy
management on a Windows-DC.
On a Windows-DC after assigning the user and host to the silo you have
to assign the silo to the user and the host. When assigning the user and
host to the silo with samba-tool, the assignment to the user and the
host will be done at the same time. So now my policy looks
2023 Oct 30
2
Question about silos and Authentication policies
I was playing around again with Windows and when you add members to
silos, or remove them, it should not set/unset assigned silo on the user.
So I've got a new pull request in Draft state still where I remove that
functionality, as well as add some new commands to samba-tool user command.
It turned out to be easier to add sub commands to user, as edit user
wasn't quite what I thought
2015 Apr 23
3
double length prefix in ssh-keygen certificates (values of critical options)
Hi,
I have a question regarding the binary format of the certificates generated
with ssh-keygen, in particular when the critical options of source-address
or force-command are present and the correspondence to the certificate
format specifications such as
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
.
It appears that the string values of the source-address
2012 May 09
2
AD and SAMBA
Hello all,
I am trying to understand how SAMBA finds nearest Domain Controller when
configured to use Active Directory for AuthN.
There are some great articles and wikis about how to configure SAMBA
against AD, but couldn't find much on what I was looking for.
For example
1. Does Samba have built in dc locator functionality like windows
clients ?
2. What is the default authN it uses, NTLM
2020 Jan 30
3
SSH certificates - restricting to host groups
On 30/01/2020 12:53, Michael Ströder wrote:
> On 1/30/20 1:27 PM, Brian Candler wrote:
>> I am trying to work out the best way to issue SSH certificates in such
>> way that they only allow access to specific usernames *and* only to
>> specific groups of host.
> I also thought about this for a while. The only idea I came up with is
> to have separate CAs used as trust
2012 May 15
1
would like to use samba3 pdc, no ldap account backend db, but use ldap for authN
I'd like to:
1) use samba3 as a PDC, and
2) not use LDAP as the account backend database, and
3) specify samba to use but use "encrypt passwords = true", and
4) use an ldap server as the authentication source for samba.
Is that possible?
I'd assumed it would be given that samba is pam-aware, and I can tell pam to use ldap for authN.
However, the man page for smb.conf seems to
2020 Jan 30
3
SSH certificates - restricting to host groups
On Thu, Jan 30, 2020 at 7:11 AM Christian, Mark
<mark.christian at intel.com> wrote:
>
> On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote:
> > As a concrete example: I want Alice to be able to login as "alice"
> > and
> > "www" to machines in group "webserver" (only). Also, I want Bob to
> > be
> > able to login as
2023 May 22
6
[Bug 3574] New: ssh ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set
https://bugzilla.mindrot.org/show_bug.cgi?id=3574
Bug ID: 3574
Summary: ssh ignores AuthorizedPrincipalsCommand if
AuthorizedKeysCommand is also set
Product: Portable OpenSSH
Version: 9.3p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component:
2023 Feb 23
1
Redundant Database, Pgsql ?
On Wed, 2023-02-22 at 11:08 +0000, Marc wrote:
> I don't even get what the advantages are of doing this with sql. If you
> use local replicated ldap and use local credential caching then your
> master ldap can go down without issues, even the local caching handle
> some local slapd issues.
Going to have to +1 this. LDAP also does
2006 Aug 24
9
[slightly offtopic] A small, fast Apache2.2 (if there is such a thing)
Hi.
I'm using Apache2.2 built from source + mod-proxy + ssl + svn.
Everything works fine but I'm sure you I could disable a ton of
modules during the build process and in httpd.conf to speed things up
and run a tighter memory footprint.
Has anyone bothered building Apache2.2 from source disabling all the
unneeded modules.
I am planning on going through the Apache docs but I
2020 Sep 28
1
custom userdb server, Exim, and proxying
Hi all,
We have Exim using Dovecot for authentication. Dovecot, in turn, consults a custom internal server that answers Dovecot's userdb queries.
When IMAP connections arrive, for some users we want to forward those connections--without authentication--to an external IMAP server. For these users, we return "proxy_maybe" and "nopassword" in the authn response from our userdb server. This tells
2015 Apr 24
1
[Bug 2389] New: update the PROTOCOL.certkeys spec to avoid confusion regarding encoding of critical options fields
https://bugzilla.mindrot.org/show_bug.cgi?id=2389
Bug ID: 2389
Summary: update the PROTOCOL.certkeys spec to avoid confusion
regarding encoding of critical options fields
Product: Portable OpenSSH
Version: 6.8p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
2023 Jul 31
5
Call for testing: OpenSSH 9.4
Hi,
OpenSSH 9.4 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at
2006 Aug 29
28
Stability of Rails
I've seen a lot of issue regarding the stability of Rails apps. I'm
charged with investigation of Rails for my company and I've looked at
numerous forums, groups, etc. (Textdrive, here, etc.) and it *seems*
like there is a stability problem with Rails (ie: crashes, etc.) Is
this as common as it looks, or is this tied to things like Lighttpd (web
server) or Typo
2017 Dec 24
2
OpenSSH key signing service?
Besides ssh.com's PrivX product, has anyone created a web service that can be used to issue temporary certkeys to authenticated users?
Any pointers appreciated!
jd
2015 Nov 01
2
[Bug 2487] New: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs
https://bugzilla.mindrot.org/show_bug.cgi?id=2487
Bug ID: 2487
Summary: AuthorizedPrincipalsCommand should probably document
whether it only applies to TrustedUserCAKeys CAs
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement