Displaying 20 results from an estimated 1000 matches similar to: "OpenSSH not requesting PIN code for YubiKey"
2020 Jul 19
2
OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
On Mon, Jul 13, 2020 at 01:34:37PM +1000, Damien Miller wrote:
> On Fri, 10 Jul 2020, Frank Sharkey wrote:
>
> > I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> > works. However, it does not do PIN enforcement at SSH login. It only
> > requests the PIN during the set-up process (when the key is being
> > generated). Is that the way it's
2020 Jun 26
14
[Bug 3188] New: Problems creating a second ecdsa-sk key for a second Yubikey
https://bugzilla.mindrot.org/show_bug.cgi?id=3188
Bug ID: 3188
Summary: Problems creating a second ecdsa-sk key for a second
Yubikey
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
2020 Feb 18
2
Resident keys?
On Feb 17, 2020, at 9:45 PM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 17 Feb 2020, Ron Frederick wrote:
>> I?m trying out the ?resident key? functionality in OpenSSH 8.2, and
>> I?m having trouble getting it to find keys that I?ve created.
>>
>> I?m trying to create a new resident key using:
>>
>> ssh-keygen -O resident -t ed25519-sk -f
2020 Feb 18
2
Resident keys?
Hello,
I?m trying out the ?resident key? functionality in OpenSSH 8.2, and I?m having trouble getting it to find keys that I?ve created.
I?m trying to create a new resident key using:
ssh-keygen -O resident -t ed25519-sk -f <filename>
This creates a key, but I?m not actually sure it is creating a ?resident? key, as when I try to dump out the resident keys with either ?ssh-keygen -K?
2020 Jul 20
2
OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
On Mon, Jul 20, 2020 at 09:27:16AM +1000, Damien Miller wrote:
> On Sun, 19 Jul 2020, Domenico Andreoli wrote:
>
> > On Mon, Jul 13, 2020 at 01:34:37PM +1000, Damien Miller wrote:
> > > On Fri, 10 Jul 2020, Frank Sharkey wrote:
> > >
> > > > I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
> > > > works. However, it
2018 Aug 13
8
Why still no PKCS#11 ECC key support in OpenSSH ?
On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:
> Lack of time on the Open Source projects is understandable, and not uncommon.
>
> However, PKCS11 has been in the codebase practically forever - the ECC
> patches that I saw did not alter the API or such. It is especially
> non-invasive when digital signature is concerned.
>
> Considering how long those patches have
2019 Nov 01
10
U2F support in OpenSSH HEAD
Hi,
As of this morning, OpenSSH now has experimental U2F/FIDO support, with
U2F being added as a new key type "sk-ecdsa-sha2-nistp256 at openssh.com"
or "ecdsa-sk" for short (the "sk" stands for "security key").
If you're not familiar with U2F, this is an open standard for making
inexpensive hardware security tokens. These are easily the cheapest way
2020 Feb 22
3
Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.
Hi all,
Thanks for all your hard work! I was particularly excited to see
FIDO/U2F support in the latest release.
I'd like to make the following bug report in ssh-agent's PKCS#11 support:
Steps to reproduce:
1. Configure a smart card (e.g. Yubikey in PIV mode) as an SSH key.
2. Add that key to ssh-agent.
3. Remove that key from ssh-agent.
4. Add that key to ssh-agent.
Expected results:
2017 Jan 10
4
Missing Dependency python-yubico
Hey all, I'm trying to install the fedora-packager group so that I can
build Fedora source packages into RPMs that I can install. I'm getting
this error:
Error: Package: fedora-packager-0.6.0.1-1.el6.noarch (epel)
Requires: python-yubico
<SNIP>
[root at peach ~]# yum install python-yubico
<SNIP>
No package python-yubico available.
Do you suppose that maybe this
2017 Jan 10
1
Missing Dependency python-yubico
On 01/10/17 13:12, Tony Schreiner wrote:
> On Tue, Jan 10, 2017 at 11:12 AM, Mark LaPierre <marklapier at gmail.com>
> wrote:
>
>> Hey all, I'm trying to install the fedora-packager group so that I can
>> build Fedora source packages into RPMs that I can install. I'm getting
>> this error:
>>
>> Error: Package:
2024 Oct 21
2
Security of ssh across a LAN, public key versus password
Stuart Henderson wrote:
>> This is why I push for challenge/response tokens, not simply
>> cert authentication, and really wish that FIDO (such as yubikey)
>> was an option, but the discussions I've seen about suporting
>> that have not been encouraging.
>
> hmm? That works pretty well in OpenSSH.
hmm, what I'm finding doesn't seem to use the FIDO
2014 Jan 31
1
Wanted: smartcard with ECDSA support
Hi,
I'm interested in extending OpenSSH's PKCS#11 code to support ECDSA
keys, but have so far been unable to find anyone who can sell me
a smartcard that supports it.
They certainly exist - AFAIK it's required by the US PIV standard,
but obtaining cards that support it in single digit quantities
seems all but impossible.
Can anybody on this list help? I'd want 2-6 cards/tokens
2016 Nov 11
10
[Bug 2638] New: Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects
https://bugzilla.mindrot.org/show_bug.cgi?id=2638
Bug ID: 2638
Summary: Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
private objects
Product: Portable OpenSSH
Version: 7.3p1
Hardware: Other
OS: Linux
Status: NEW
Keywords: patch
Severity: enhancement
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
Hi David,
> hmm, what I'm finding doesn't seem to use the FIDO challenge/response to the
> server, instead it looks like a public/private key that's unlocked with a touch,
> possibly storing the private key on the hardware dongle (but it seems like
> there's still a key you need to put on the client system)
>
> Quoting from the yubikey website:
> OpenSSH
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
On 2024/10/21 12:02, David Lang via openssh-unix-dev wrote:
> A cert is a single factor, so is a password. Cert authentication
> is only two factor if you trust that the password is not stored
> along with the cert (which is on the untrusted client)
You can tell sshd to require *both* password and public key.
> This is why I push for challenge/response tokens, not simply
> cert
2019 Nov 07
2
samba login with U2F token
Dear all,
I did try to google search the archives [1] but cannot find any
information on this.
Would it be possible to somehow implement a passwordless (or as a 2FA)
to login to a remote samba (linux server)?
Any suggestions greatly appreciated,
Greg
1. https://lists.samba.org/archive/samba/
2014 Dec 24
2
[PATCH] U2F support in OpenSSH
Hey,
Judging from the (private) responses I?ve got, there is quite a bit of
interest in the U2F feature I proposed a while ago. Therefore, I?ve taken
some time to resolve the remaining issues, and I think the resulting patch
(attached to this email) is in quite a good state now.
I also posted the new version of the patch to
https://bugzilla.mindrot.org/show_bug.cgi?id=2319 (which I?ve opened
2020 Jun 03
7
Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source
I don't see a way to do this currently (unless I am missing something)
but I would like to be able to specify, that in order for a user to
login, they need to use at least 1 public key from 2 separate key
sources.? Specifically this would be when using "AuthenticationMethods
publickey,publickey".? Right now requiring 2 public keys for
authentication will allow 2 public keys from
2016 Oct 27
11
[Bug 2635] New: Unable to use SSH Agent and user level PKCS11Provider configuration directive
https://bugzilla.mindrot.org/show_bug.cgi?id=2635
Bug ID: 2635
Summary: Unable to use SSH Agent and user level PKCS11Provider
configuration directive
Product: Portable OpenSSH
Version: 7.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
2018 Jul 31
11
[Bug 2890] New: ssh-agent should not fail after removing and inserting smart card
https://bugzilla.mindrot.org/show_bug.cgi?id=2890
Bug ID: 2890
Summary: ssh-agent should not fail after removing and inserting
smart card
Product: Portable OpenSSH
Version: 7.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: