Displaying 20 results from an estimated 1000 matches similar to: "Multiple Signatures on SSH-Hostkeys"
2010 May 26
2
hostbase authentication of hostcertificate
Dear All,
I am trying to use the hostcertificate to do the hostbased authentication with the steps in regress/cert-hostkey.sh
But it seems that it cannot log in with the hostcertificate.
Here is debug message from the ssh client :
ssh -2 -oUserKnownHostsFile=/opt/ssh/etc/known_hosts-cert \
> -oGlobalKnownHostsFile=/opt/ssh/etc/known_hosts-cert sshia3 -p 1111 -vvv
debug1: checking
2020 Jun 16
2
client host certificates and receiving host configuration
I'm working on a small server written in Go to add short-lived user
certificates to the forwarded agents of authorized users.
https://github.com/rorycl/sshagentca
This seems to work quite well for accessing sshd servers with the
appropriately configured "TrustedUserCAKeys" directive.
I have been in a debate about how similarly adding host certificates to
forwarded agents could
2020 Jun 17
3
client host certificates and receiving host configuration
On 17/06/20, Damien Miller (djm at mindrot.org) wrote:
> > Firstly, given a host CA signing key on the sshagentca server, would an
> > appropriately constructed host certificate added to a forwarded agent
> > replace the necessity for a '@cert-authority' line in a user's known_hosts
> > file?
>
> I'm not sure I want to add yet another path (the agent)
2007 Jan 30
3
[Bug 1279] Address- and/or port-specific HostKeys support
http://bugzilla.mindrot.org/show_bug.cgi?id=1279
Summary: Address- and/or port-specific HostKeys support
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy:
2002 Jun 05
1
Per-port hostkeys
My apologies if this has been covered already. My search of the archives
was unfruitful.
OpenSSH seems to be lacking a certain capability present in ssh.com's
client; namely, the ability to store remote hostkeys on a per-port basis.
I have various machines that, due to iptables port-forwarding, appear to
be running copies of (open)sshd on multiple ports. "Commercial" ssh
stores
2002 Jan 31
7
x509 for hostkeys.
This (very quick) patch allows you to connect with the commercial
ssh.com windows client and use x509 certs for hostkeys. You have
to import your CA cert (ca.crt) in the windows client and certify
your hostkey:
$ cat << 'EOF' > x509v3.cnf
CERTPATHLEN = 1
CERTUSAGE = digitalSignature,keyCertSign
CERTIP = 0.0.0.0
[x509v3_CA]
2012 Dec 27
3
[PATCH] hostfile: list known names (if any) for new hostkeys
When connecting to a host for which there's no known hostkey, check if the
relevant key has been accepted for other hostnames. This is useful when
connecting to a host with a dynamic IP address or multiple names.
---
auth.c | 4 ++--
hostfile.c | 42 ++++++++++++++++++++++++++++--------------
hostfile.h | 8 ++++++--
sshconnect.c | 39 +++++++++++++++++++++++++++++++++------
2011 Sep 20
5
Different HostKeys for different hostnames or IPs in the same sshd?..
Hello!
Like many organizations, we have a "disaster-recovery" location, where separate
servers are running ready to take up important services should the primary
location fail.
Some of the services provided involve accepting files over scp (and sftp), and
here is the problem... The primary and the secondary hosts use different
host-keys... If the hosts were accessed as
2013 Jun 25
1
RFC: encrypted hostkeys patch
Hi,
About a year and a half ago I brought up the topic of encrypted hostkeys
and posted a patch
(http://marc.info/?l=openssh-unix-dev&m=132774431906364&w=2), and while the
general reaction seemed receptive to the idea, a few problems were pointed
out with the implementation (UI issues, ssh-keysign breakage).
I've finally had some spare time in which to get back to this, and I've
2020 Apr 26
5
[Bug 3155] New: openssh support hostkey encrypt
https://bugzilla.mindrot.org/show_bug.cgi?id=3155
Bug ID: 3155
Summary: openssh support hostkey encrypt
Product: Portable OpenSSH
Version: 8.2p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
2015 Jan 30
5
[Bug 2346] New: sshd -T doesn't write all configuration options in valid format
https://bugzilla.mindrot.org/show_bug.cgi?id=2346
Bug ID: 2346
Summary: sshd -T doesn't write all configuration options in
valid format
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component:
2015 Dec 23
2
Why hostkeys-00@openssh.com is following user authentication?
Hello,
This hostkeys extension is great, reading[1]:
"""
OpenSSH supports a protocol extension allowing a server to inform a
client of all its protocol v.2 host keys after user-authentication has
completed.
"""
I wonder, why should user authentication be completed before this
functionality is available? This means that ssh-keyscan tool (for
example) cannot take
2002 Apr 15
0
[Bug 216] New: ssh-keygen vs. SSH Version 2.0.13 hostkeys
http://bugzilla.mindrot.org/show_bug.cgi?id=216
Summary: ssh-keygen vs. SSH Version 2.0.13 hostkeys
Product: Portable OpenSSH
Version: 3.1p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: ssh-keygen
AssignedTo: openssh-unix-dev at mindrot.org
2012 Nov 21
1
HostKey in hardware?
Hi,
Is there any way to store HostKey in hardware (and delegate the related
processing)?
I have been using Roumen Petrov's x509 patch for clients, which works via an
OpenSSL engine, but it does not seem to support server HostKey:
http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html
For PKCS#11, I have found an email on this list from a year back suggesting
this
2003 Jun 20
1
[PATCH] accepting changed hostkeys
Hi,
I often change the machines (and thus the hostkeys) that are on an IP (a
service environment with an IP assigned for the machine to test).
So every time I want to connect to a new machine I have to delete the previous
key from the known_hosts file.
Since I got tired of running a remove script manually, I made this small patch
which adds the possibility to replace the real key with the
2013 Jul 25
2
[Bug 2131] New: ssh: list known names (if any) for new hostkeys
https://bugzilla.mindrot.org/show_bug.cgi?id=2131
Bug ID: 2131
Summary: ssh: list known names (if any) for new hostkeys
Product: Portable OpenSSH
Version: 6.2p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at
2015 Feb 20
3
SUCCESS: OpenSSH_6.7p1-snap20150220
Compiled OK, and operating nicely on CentOS 6.6, both 32/64 bit.
Really appreciate the UpdateHostkeys feature!
One issue I noticed, the screen output gets garbled if the user has been "asked" to "Accept" the new hostkeys.
Looks like the screen output is missing the CR's, and only LF's get presented.
[root@be2 .ssh]# ssh be1 ls -l
Warning: Permanently added
2015 Feb 21
1
[Bug 2357] New: please add "vhosting" features respectively per-LocalAdress HostKeys/etc.
https://bugzilla.mindrot.org/show_bug.cgi?id=2357
Bug ID: 2357
Summary: please add "vhosting" features respectively
per-LocalAdress HostKeys/etc.
Product: Portable OpenSSH
Version: 6.7p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
2002 Feb 12
3
Problem with ssh-keyscan: no hostkey alg
Hi,
I am using ssh-keyscan with a list of hosts, such as:
ssh-keyscan -t rsa -f hosts_for_keyscan
Some of the hosts in the list have dsa, but no rsa keys. For such
hosts, the command displays:
no hostkey alg
When this is the case for 2 hosts, this message appears twice AND
SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
returned for the following hosts.
Here is the part of the
2008 Jun 27
1
HostKey check for remote hosts via local ports
Another issue for which there might be some tricks that I don't know of:
I have a set of ports on my local machine forwarded (via ssh LocalForward) to machines that I can't directly reach on the localhost. However, as I connect to those machines I get HostKey warnings since it looks for the HostKey of the 'localhost' and depending on the port, it is of course different.
Is there