similar to: would it be possible to extend TrustedUserCAKeys so that certain keys could not be used to authenticate a particular user?

Displaying 20 results from an estimated 4000 matches similar to: "would it be possible to extend TrustedUserCAKeys so that certain keys could not be used to authenticate a particular user?"

2015 Nov 01
2
[Bug 2487] New: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs
https://bugzilla.mindrot.org/show_bug.cgi?id=2487 Bug ID: 2487 Summary: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement
2010 Apr 27
2
ssh certificate usage
I am trying to find out how I can use the new self-signed certificates So what I read in the man pages, it should be something like: client: 1) ssh-keygen -f ca_rsa # generate a ssh keypair for use as a certificate Server(s): 2) make sure your /etc/ssh/sshd_config has TrustedUserCAKeys assigned TrustedUserCAKeys /etc/ssh/sshcakeys # or whatever name or location you like 3) edit
2020 Jan 30
3
SSH certificates - restricting to host groups
On Thu, Jan 30, 2020 at 7:11 AM Christian, Mark <mark.christian at intel.com> wrote: > > On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote: > > As a concrete example: I want Alice to be able to login as "alice" > > and > > "www" to machines in group "webserver" (only). Also, I want Bob to > > be > > able to login as
2010 Mar 04
1
Minor tweak to sshd_config(5)
Hi, There are a few minor tweaks I would like to suggest regarding the recently added TrustedUserCAKeys section in sshd_config(5). TrustedUserCAKeys Specifies a file containing public keys of certificate authorities that are trusted sign user certificates for authentication. Keys are listed one per line, empty lines and comments starting with
2013 Sep 05
1
Using multiple certificates for a given private key
Hi, I'm experimenting with certificates for users, giving access via the TrustedUserCAKeys mechanism. Unfortunately, there seems to be a limit of one certificate per SSH key on the user's side, which prevents using the same key for hosts using different TrustedUserCAKeys. Is there a clean way around this? To make the above clearer, consider the following situation: A collection of hosts
2019 May 20
4
Authenticate against key files before AuthorizedKeysCommand
Hello, Currently OpenSSH has a fixed order on how the key authenticates the user: at first it tries to authenticate against TrustedUserCAKeys, afterwards it does it against the output keys from the AuthorizedKeysCommand and finally against the files as set in AuthorizedKeysFile. I have a use-case where this order is not ideal. This is because in my case the command fetches keys from the cloud
2020 Jun 16
2
client host certificates and receiving host configuration
I'm working on a small server written in Go to add short-lived user certificates to the forwarded agents of authorized users. https://github.com/rorycl/sshagentca This seems to work quite well for accessing sshd servers with the appropriately configured "TrustedUserCAKeys" directive. I have been in a debate about how similarly adding host certificates to forwarded agents could
2020 Jun 17
3
client host certificates and receiving host configuration
On 17/06/20, Damien Miller (djm at mindrot.org) wrote: > > Firstly, given a host CA signing key on the sshagentca server, would an > > appropriately constructed host certificate added to a forwarded agent > > replace the necessity for a '@cert-authority' line in a user's known_hosts > > file? > > I'm not sure I want to add yet another path (the agent)
2003 Jun 14
1
Missing data augmentation
Hi all, A short while ago I asked a question about multiple imputation and I got several helpful replies, thanks! I have until now tried to use the packages mice and norm but both give me errors however. mice does not even run to start with and gives me the following error right away: iter imp variable 1 1 Liquidity.ratioError in chol((v + t(v))/2) : the leading minor of order 1 is not
2019 Aug 27
2
Samba 4.10.7 and 4.9.12 for rhel7/centos7 rpms
Hi everyone, In case anyone's interested, I've posted the rpm builds of samba 4.10.4 that I'm using on RHEL7.7. (I run these in VMs, serving as AD DCs for my SOHO). Comments most welcomed. These rpms use the default python2 from the system. http://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.7 http://nova.polymtl.ca/~coyote/dist/samba/samba-4.9.12 Regards, Vincent
2018 Apr 10
4
Signed SSH key issue with OpenSSH6.4p1
Hi All, Please pardon me if it is the wrong list to ask how-to etc. I am having an issue with the Signed SSH keys. I am being asked for the passphrase for my signed public key, even though I don't have any. I am running CentOS7 with OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013. 1) I have ca server with ca user keys (ca-user-key.pub) 2) I created user ssh rsa keys (user-id-org and
2016 Jun 17
1
https and self signed
On Thu, June 16, 2016 14:23, Valeri Galtsev wrote: > > On Thu, June 16, 2016 1:09 pm, Gordon Messmer wrote: >> >> I doubt that most users check the dates on SSL certificates, >> unless they are familiar enough with TLS to understand that >> a shorter validity period is better for security. > > Oh, this is what he meant: Cert validity period. Though I agree >
2011 Nov 03
1
Help with CA Certificates for user authentication?
As background, I read: http://therowes.net/~greg/2011/03/23/ssh-trusted-ca-key/ http://www.ibm.com/developerworks/aix/library/au-sshsecurity/ http://bryanhinton.com/blog/openssh-security http://www.linuxhowtos.org/manpages/5/sshd_config.htm
2016 Dec 18
2
Extend logging of openssh-server - e.g. plaintext password
What part of "Password Authentication is disabled" do you not understand? > On 18.12.2016 at 11:21, Nico Kadel-Garcia <nkadel at gmail.com> wrote: > > On Sat, Dec 17, 2016 at 7:37 PM, Philipp Vlassakakis > <philipp at vlassakakis.de> wrote: >> Dear list members, >> >> I want to extend the logging of the openssh-server, so it also logs the entered
2006 Jul 27
7
'remember me' using cookies
I'm about to implement this, and I'm thinking of storing the user's id and their hashed password in the cookie after a successful authentication. Can anyone see an obvious security issue with this? I know the method is vulnerable to cookie theft but am I missing anything? thanks alan
2006 May 30
2
gtasa
hi all I am using Ubuntu Dapper at the moment (after using windows for so long) dualbooting alongside windows So I have all my games and applications for windows... One of those games is Grand Theft Auto San Andreas. Using wine I'm trying to run gtasa from my windows partition (yes it is NTFS filesystem) and it keeps telling me that it couldn't find the sound card. So can someone tell
2007 Jan 12
5
Popup/Tooltip Dialog windows using AJAX?
Hello, Can anybody point me to a sample of popup/tooltip using Prototype? I saw examples for windows and also for tool tip but what I want is a little bit different. I want the same functionality which exists at yahoo mail login. https://login.yahoo.com/ -> on the right corner you have a Prevent Password Theft image. On mouse over you see a tooltip. Now the good thing in this solution is that
2009 May 21
4
Running GTA Classics.
After downloading the first two Grand Theft Auto games from the Rockstar Classics website, and installing the first game I received this error: > MGL Fatal Error! > Error 268.473 > Cannot find a suitable display mode. After a bit of searching, I believe that this is a problem with running the game under Wine, and not with my PC. Then, although I probably should have checked first, I
2004 Apr 05
2
Controlling access at the Ethernet level
> What would you recommend ? Are there any other elegant solutions ? > How about using 802.1Q vlan's and dedicate a vlan to each port. If more than 4000 users then add more gateways. Just be sure to go for switches that allow you to deny incoming already tagged packets on the user side as some switches pass already tagged packets. For a wireless environment i would suggest PPPoE
2020 Jan 30
5
SSH certificates - restricting to host groups
Hello, I am trying to work out the best way to issue SSH certificates in such way that they only allow access to specific usernames *and* only to specific groups of host. As a concrete example: I want Alice to be able to login as "alice" and "www" to machines in group "webserver" (only). Also, I want Bob to be able to login as "bob" and