similar to: Multiple Signatures on SSH-Hostkeys

Dear All, I am trying to use the hostcertificate to do the hostbaed authentication with the steps in the regress/cert-hostkey.sh But it seems that it can not login with the hostcertificate.: Here is debug message from the ssh client : ssh -2 -oUserKnownHostsFile=/opt/ssh/etc/known_hosts-cert \ > -oGlobalKnownHostsFile=/opt/ssh/etc/known_hosts-cert sshia3 -p 1111 -vvv debug1: checking

I'm working on a small server written in Go to add short-lived user certificates to the forwarded agents of authorized users. https://github.com/rorycl/sshagentca This seems to work quite well for accessing sshd servers with the appropriately configured "TrustedUserCAKeys" directive. I have been in a debate about how similarly adding host certificates to forwarded agents could

From: Maxime Rey <maximejeanrey at gmail.com> Hello, I've discovered an issue with sshd when it's configured to use the SSH agent alongside multiple host keys. Specifically, this problem happens during the hostkeys-prove-00 at openssh.com request, when the server attempts to demonstrate ownership of the host keys by calling the agent. The issue occurs because, while processing the

On 17/06/20, Damien Miller (djm at mindrot.org) wrote: > > Firstly, given a host CA signing key on the sshagentca server, would an > > appropriately constructed host certificate added to a forwarded agent > > replace the necessity for a '@cert-authority' line in a user's known_hosts > > file? > > I'm not sure I want to add yet another path (the agent)

http://bugzilla.mindrot.org/show_bug.cgi?id=1279 Summary: Address- and/or port-specific HostKeys support Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy:

My apologies if this has been covered already. My search of the archives was unfruitful. OpenSSH seems to be lacking a certain capability present in ssh.com's client; namely, the ability to store remote hostkeys on a per-port basis. I have various machines that, due to iptables port-forwarding, appear to be running copies of (open)sshd on multiple ports. "Commercial" ssh stores

This (very quick) patch allows you to connect with the commercial ssh.com windows client and use x509 certs for hostkeys. You have to import your CA cert (ca.crt) in the windows client and certify your hostkey: $ cat << 'EOF' > x509v3.cnf CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign CERTIP = 0.0.0.0 [x509v3_CA]

When connecting to a host for which there's no known hostkey, check if the relevant key has been accepted for other hostnames. This is useful when connecting to a host with a dymamic IP address or multiple names. --- auth.c | 4 ++-- hostfile.c | 42 ++++++++++++++++++++++++++++-------------- hostfile.h | 8 ++++++-- sshconnect.c | 39 +++++++++++++++++++++++++++++++++------

Hello! Like many organizations, we have "disaster-recovery" location, where separate servers are running ready to take up important services should the primary location fail. Some of the services provided involve accepting files over scp (and sftp), and here is the problem... The primary and the secondary hosts use different host-keys... If the hosts were accessed as

Hello, I've found that when using the ssh agent and sshd together, there is an issue when using multiple host keys. Specifically, after the key exchange phase, when a client requests proof of ownership for the host keys via the "hostkeys-prove-00 at openssh.com" request, the server prepares the response without specifying the signature algoorithm in case of non-RSA keys. This leads

Hi, About a year and a half ago I brought up the topic of encrypted hostkeys and posted a patch (http://marc.info/?l=openssh-unix-dev&m=132774431906364&w=2), and while the general reaction seemed receptive to the idea, a few problems were pointed out with the implementation (UI issues, ssh-keysign breakage). I've finally had some spare time in which to get back to this, and I've

https://bugzilla.mindrot.org/show_bug.cgi?id=3155 Bug ID: 3155 Summary: openssh support hostkey encrypt Product: Portable OpenSSH Version: 8.2p1 Hardware: ARM64 OS: Linux Status: NEW Severity: security Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org

https://bugzilla.mindrot.org/show_bug.cgi?id=2346 Bug ID: 2346 Summary: sshd -T doesn't write all configuration options in valid format Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:

Hello, OpenSSH supports PKCS#11 on the client side, but that does not extend to the server side. I would like to bring PKCS#11 support to sshd. I am working on embedded Linux systems with integrated HSM. The sshd host key is stored on the HSM. To have sshd using that key, we rely on the following chain: sshd -> OpenSSL -> OpenSSL Engine -> HSM Having PKCS#11 support in sshd, would

From: Maxime Rey <maximejeanrey at gmail.com> This tests the hostkey-prove mechanism in sshd when provided with multiple host keys managed by the agent --- regress/hostkey-agent.sh | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index 222d424bd..3fa80655e 100644 --- a/regress/hostkey-agent.sh +++

Hello, This hostkeys extension is great, reading[1]: """ OpenSSH supports a protocol extension allowing a server to inform a client of all its protocol v.2 host keys after user-authentication has completed. """ I wonder, why should user authentication be completed before this functionality is available? This means that ssh-keyscan tool (for example) cannot take

http://bugzilla.mindrot.org/show_bug.cgi?id=216 Summary: ssh-keygen vs. SSH Version 2.0.13 hostkeys Product: Portable OpenSSH Version: 3.1p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: ssh-keygen AssignedTo: openssh-unix-dev at mindrot.org

Hi, Is there any way to store HostKey in hardware (and delegate the related processing)? I have been using Roumen Petrov's x509 patch for clients, which works via an OpenSSL engine, but it does not seem to support server HostKey: http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html For PKCS#11, I have found an email on this list from a year back suggesting this

Compiled OK, and operating nicely on CentOS 6.6, both 32/64 bit. Really appreciate the UpdateHostkeys feature! One issue I noticed, the screen output gets garbled if the user has been "asked" to "Accept" the new hostkeys. Looks like the screen output is missing the CR's, and only LF's get presented. [root at be2 .ssh]# ssh be1 ls -l Warning: Permanently added

Hi, I often change the machines (and thus the hostkeys) that are on a IP (a service environment with a IP assinged for the machine to test). So every time I want to connect to a new machine I have to delete the previous key from the known_hosts file. Since I got tired of running a remove script manually, I made this small patch which adds the possibility to replace the real key with the