similar to: Multiple Signatures on SSH-Hostkeys

Dear All, I am trying to use the hostcertificate to do the hostbaed authentication with the steps in the regress/cert-hostkey.sh But it seems that it can not login with the hostcertificate.: Here is debug message from the ssh client : ssh -2 -oUserKnownHostsFile=/opt/ssh/etc/known_hosts-cert \ > -oGlobalKnownHostsFile=/opt/ssh/etc/known_hosts-cert sshia3 -p 1111 -vvv debug1: checking

I'm working on a small server written in Go to add short-lived user certificates to the forwarded agents of authorized users. https://github.com/rorycl/sshagentca This seems to work quite well for accessing sshd servers with the appropriately configured "TrustedUserCAKeys" directive. I have been in a debate about how similarly adding host certificates to forwarded agents could

On 17/06/20, Damien Miller (djm at mindrot.org) wrote: > > Firstly, given a host CA signing key on the sshagentca server, would an > > appropriately constructed host certificate added to a forwarded agent > > replace the necessity for a '@cert-authority' line in a user's known_hosts > > file? > > I'm not sure I want to add yet another path (the agent)

http://bugzilla.mindrot.org/show_bug.cgi?id=1279 Summary: Address- and/or port-specific HostKeys support Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy:

My apologies if this has been covered already. My search of the archives was unfruitful. OpenSSH seems to be lacking a certain capability present in ssh.com's client; namely, the ability to store remote hostkeys on a per-port basis. I have various machines that, due to iptables port-forwarding, appear to be running copies of (open)sshd on multiple ports. "Commercial" ssh stores

This (very quick) patch allows you to connect with the commercial ssh.com windows client and use x509 certs for hostkeys. You have to import your CA cert (ca.crt) in the windows client and certify your hostkey: $ cat << 'EOF' > x509v3.cnf CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign CERTIP = 0.0.0.0 [x509v3_CA]

When connecting to a host for which there's no known hostkey, check if the relevant key has been accepted for other hostnames. This is useful when connecting to a host with a dymamic IP address or multiple names. --- auth.c | 4 ++-- hostfile.c | 42 ++++++++++++++++++++++++++++-------------- hostfile.h | 8 ++++++-- sshconnect.c | 39 +++++++++++++++++++++++++++++++++------

Hello! Like many organizations, we have "disaster-recovery" location, where separate servers are running ready to take up important services should the primary location fail. Some of the services provided involve accepting files over scp (and sftp), and here is the problem... The primary and the secondary hosts use different host-keys... If the hosts were accessed as

Hi, About a year and a half ago I brought up the topic of encrypted hostkeys and posted a patch (http://marc.info/?l=openssh-unix-dev&m=132774431906364&w=2), and while the general reaction seemed receptive to the idea, a few problems were pointed out with the implementation (UI issues, ssh-keysign breakage). I've finally had some spare time in which to get back to this, and I've

https://bugzilla.mindrot.org/show_bug.cgi?id=3155 Bug ID: 3155 Summary: openssh support hostkey encrypt Product: Portable OpenSSH Version: 8.2p1 Hardware: ARM64 OS: Linux Status: NEW Severity: security Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org

https://bugzilla.mindrot.org/show_bug.cgi?id=2346 Bug ID: 2346 Summary: sshd -T doesn't write all configuration options in valid format Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:

Hello, This hostkeys extension is great, reading[1]: """ OpenSSH supports a protocol extension allowing a server to inform a client of all its protocol v.2 host keys after user-authentication has completed. """ I wonder, why should user authentication be completed before this functionality is available? This means that ssh-keyscan tool (for example) cannot take

http://bugzilla.mindrot.org/show_bug.cgi?id=216 Summary: ssh-keygen vs. SSH Version 2.0.13 hostkeys Product: Portable OpenSSH Version: 3.1p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: ssh-keygen AssignedTo: openssh-unix-dev at mindrot.org

Hi, Is there any way to store HostKey in hardware (and delegate the related processing)? I have been using Roumen Petrov's x509 patch for clients, which works via an OpenSSL engine, but it does not seem to support server HostKey: http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html For PKCS#11, I have found an email on this list from a year back suggesting this

Hi, I often change the machines (and thus the hostkeys) that are on a IP (a service environment with a IP assinged for the machine to test). So every time I want to connect to a new machine I have to delete the previous key from the known_hosts file. Since I got tired of running a remove script manually, I made this small patch which adds the possibility to replace the real key with the

https://bugzilla.mindrot.org/show_bug.cgi?id=2131 Bug ID: 2131 Summary: ssh: list known names (if any) for new hostkeys Product: Portable OpenSSH Version: 6.2p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at

Compiled OK, and operating nicely on CentOS 6.6, both 32/64 bit. Really appreciate the UpdateHostkeys feature! One issue I noticed, the screen output gets garbled if the user has been "asked" to "Accept" the new hostkeys. Looks like the screen output is missing the CR's, and only LF's get presented. [root at be2 .ssh]# ssh be1 ls -l Warning: Permanently added

https://bugzilla.mindrot.org/show_bug.cgi?id=2357 Bug ID: 2357 Summary: please add "vhosting" features respectively per-LocalAdress HostKeys/etc. Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5

Hi, I am using ssh-keyscan with a list of hosts, such as: ssh-keyscan -t rsa -f hosts_for_keyscan Some of the hosts in the list have dsa, but no rsa keys. For such hosts, the command displays: no hostkey alg When this is the case for 2 hosts, this message appears twice AND SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are returned for the following hosts. Here is the part of the

Another issue for which there might be some tricks that I don't know of: I have a set of ports on my local machine forwarded (via ssh LocalForward) to machines that I can't directly reach on the localhost. However, as I connect to those machines I get HostKey warnings since it looks for the HostKey of the 'localhost' and depending on the port, it is of course different. Is there