Displaying 20 results from an estimated 2000 matches similar to: "OpenSSH Certificate Extensions"
2019 May 21
2
OpenSSH Certificate Extensions
Any caveats with using AuthorizedKeysCommand in this case?
From: Damien Miller<mailto:djm at mindrot.org>
Sent: Monday, May 20, 2019 6:37 PM
To: Nickolas Klue<mailto:nickolas.klue at thoughtspot.com>
Cc: openssh-unix-dev at mindrot.org<mailto:openssh-unix-dev at mindrot.org>
Subject: Re: OpenSSH Certificate Extensions
On Mon, 20 May 2019, Nickolas Klue wrote:
> Hello:
>
2024 Feb 08
2
Authentication using federated identity
I know that there are some methods to use federated identities (e.g.
OAuth2) with SSH authentication but, from what I've seen, they largely
seem clunky and require users to interact with web browsers to get one
time tokens. Which is sort of acceptable for occasional logins but
doesn't work with automated/scripted actions.
I'm just wondering if anyone has done any work on this or
2015 Apr 23
3
double length prefix in ssh-keygen certificates (values of critical options)
Hi,
I have a question regarding the binary format of the certificates generated
with ssh-keygen, in particular when the critical options of source-address
or force-command are present and the correspondence to the certificate
format specifications such as
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
.
It appears that the string values of the source-address
2020 Jan 30
3
SSH certificates - restricting to host groups
On 30/01/2020 12:53, Michael Ströder wrote:
> On 1/30/20 1:27 PM, Brian Candler wrote:
>> I am trying to work out the best way to issue SSH certificates in such
>> way that they only allow access to specific usernames *and* only to
>> specific groups of host.
> I also thought about this for a while. The only idea I came up with is
> to have separate CAs used as trust
2020 Jan 30
3
SSH certificates - restricting to host groups
On Thu, Jan 30, 2020 at 7:11 AM Christian, Mark
<mark.christian at intel.com> wrote:
>
> On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote:
> > As a concrete example: I want Alice to be able to login as "alice"
> > and
> > "www" to machines in group "webserver" (only). Also, I want Bob to
> > be
> > able to login as
2023 May 22
6
[Bug 3574] New: ssh ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set
https://bugzilla.mindrot.org/show_bug.cgi?id=3574
Bug ID: 3574
Summary: ssh ignores AuthorizedPrincipalsCommand if
AuthorizedKeysCommand is also set
Product: Portable OpenSSH
Version: 9.3p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component:
2023 Jul 31
5
Call for testing: OpenSSH 9.4
Hi,
OpenSSH 9.4 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at
2015 Apr 24
2
[Bug 2389] New: update the PROTOCOL.certkeys spec to avoid confusion regarding encoding of critical options fields
https://bugzilla.mindrot.org/show_bug.cgi?id=2389
Bug ID: 2389
Summary: update the PROTOCOL.certkeys spec to avoid confusion
regarding encoding of critical options fields
Product: Portable OpenSSH
Version: 6.8p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
2017 Dec 24
2
OpenSSH key signing service?
Besides ssh.com's PrivX product, has anyone created a web service that can be used to issue temporary certkeys to authenticated users?
Any pointers appreciated!
jd
2015 Nov 01
2
[Bug 2487] New: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs
https://bugzilla.mindrot.org/show_bug.cgi?id=2487
Bug ID: 2487
Summary: AuthorizedPrincipalsCommand should probably document
whether it only applies to TrustedUserCAKeys CAs
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
2017 May 16
2
Golang CertChecker hostname validation differs to OpenSSH
On Wed, May 17, 2017 at 2:46 AM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 15 May 2017, Adam Eijdenberg wrote:
>> https://github.com/golang/go/issues/20273
>>
>> By default they are looking for a principal named "host:port" inside
>> of the certificate presented by the server, instead of just looking
>> for the host as I believe OpenSSH
2020 Jan 30
5
SSH certificates - restricting to host groups
Hello,
I am trying to work out the best way to issue SSH certificates in such
way that they only allow access to specific usernames *and* only to
specific groups of host.
As a concrete example: I want Alice to be able to login as "alice" and
"www" to machines in group "webserver" (only). Also, I want Bob to be
able to login as "bob" and
2007 Mar 20
2
0.22.2 bug?
Hi,
I've just installed 0.22.2 and believe I've discovered a bug (or oversight).
I have an exec like this:
exec { "change-to-local-mirror":
command => "sed -i 's#\(KERNEL_REPO.*=\).*#\1
$mirror#' ${rulefile}",
path => "/usr/bin:/usr/sbin:/bin",
2015 Jun 18
3
[PATCH v2 0/3] daemon: parted: Always use -s option even with -m.
version 2:
- Turn the "unrecognised disk label" error into errno == EINVAL
- Fix virt-alignment-scan
- Rework the fix for virt-v2v bug 1232192 (see description of patch 3/3)
2018 Sep 18
3
add keys and certificate to forwarded agent on remote host
On 18/09/18, Tim Jones (b631093f-779b-4d67-9ffe-5f6d5b1d3f8a at protonmail.ch) wrote:
...
> So issue your users with Yubikeys. You can enforce the Yubikey so it
> requires the user to enter a PIN *and* touch the Yubikey. This means
> there's an incredibly high degree of confidence that it was the user
> who performed the action (i.e. two-factor authentication of physical
>
2001 Jan 24
3
0.0.3d-e: JFS: Unrecognised features on journal
I updated my kernel from 0.0.3d to 0.0.3e using the "d-e" patch in the
0.0.3e tarball. When I try to boot the new kernel on a machine with
an ext3 root filesystem I am getting the message:
JFS: Unrecognised features on journal
Does this sound feasible or even somewhat expected? Is there any
interest in me doing some debugging of this?
Is there any way to deal with this without
2004 Aug 06
4
Source XML for status.xsl
> <!-- Admin logs in with the username given below -->
> <admin-user>admin</admin-user>
> <admin-password>hackme</admin-password>
> </authentication>
Doh, I forgot to update my config file when I updated from buggy debian
packages to CVS compiled source.
>Nope. This is one of them vertual things. I know you can do
2016 Oct 18
2
Is it possible to execute Objective-C code via LLVM JIT?
Hello,
Is it possible to execute Objective-C code using LLVM JIT?
The original point for my research is this topic on StackOverflow:
All selectors unrecognised when invoking Objective-C methods using the LLVM ExecutionEngine http://stackoverflow.com/questions/10375324/all-selectors-unrecognised-when-invoking-objective-c-methods-using-the-llvm-exec
2011 Feb 08
6
Unrecognised escape sequences
Unfortunately, we keep getting these warnings in the system log from
puppet masters:
" [...] Unrecognised escape sequence '\<CHAR>' in file <PATH> [...] "
but then everything works fine; also, without using escapes, catalogs
don't work on agents.
What can we do to avoid these kinds of errors in master syslogs?
Please, let us know ASAP and tell us if this
2019 Mar 06
3
Dynamically allow users with OpenSSH?
Hello, how can I dynamically allow or disallow users with OpenSSH? I
have some nodes that users can submit jobs to, and can optionally be
handed a session to the requested node. But I want to prevent them
from SSH-ing in to nodes unless they have a job running on that node.
My idea was to implement libssh's callback abilities and have a script
that checks the username against jobs running on