similar to: OpenSSH not requesting PIN code for YubiKey

On Mon, Jul 13, 2020 at 01:34:37PM +1000, Damien Miller wrote: > On Fri, 10 Jul 2020, Frank Sharkey wrote: > > > I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it > > works. However, it does not do PIN enforcement at SSH login. It only > > requests the PIN during the set-up process (when the key is being > > generated). Is that the way it's

https://bugzilla.mindrot.org/show_bug.cgi?id=3188 Bug ID: 3188 Summary: Problems creating a second ecdsa-sk key for a second Yubikey Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh-keygen

On Feb 17, 2020, at 9:45 PM, Damien Miller <djm at mindrot.org> wrote: > On Mon, 17 Feb 2020, Ron Frederick wrote: >> I?m trying out the ?resident key? functionality in OpenSSH 8.2, and >> I?m having trouble getting it to find keys that I?ve created. >> >> I?m trying to create a new resident key using: >> >> ssh-keygen -O resident -t ed25519-sk -f

Hello, I?m trying out the ?resident key? functionality in OpenSSH 8.2, and I?m having trouble getting it to find keys that I?ve created. I?m trying to create a new resident key using: ssh-keygen -O resident -t ed25519-sk -f <filename> This creates a key, but I?m not actually sure it is creating a ?resident? key, as when I try to dump out the resident keys with either ?ssh-keygen -K?

On Mon, Jul 20, 2020 at 09:27:16AM +1000, Damien Miller wrote: > On Sun, 19 Jul 2020, Domenico Andreoli wrote: > > > On Mon, Jul 13, 2020 at 01:34:37PM +1000, Damien Miller wrote: > > > On Fri, 10 Jul 2020, Frank Sharkey wrote: > > > > > > > I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it > > > > works. However, it

On Mon, 13 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote: > Lack of time on the Open Source projects is understandable, and not uncommon. > > However, PKCS11 has been in the codebase practically forever - the ECC > patches that I saw did not alter the API or such. It is especially > non-invasive when digital signature is concerned. > > Considering how long those patches have

Hi, As of this morning, OpenSSH now has experimental U2F/FIDO support, with U2F being added as a new key type "sk-ecdsa-sha2-nistp256 at openssh.com" or "ecdsa-sk" for short (the "sk" stands for "security key"). If you're not familiar with U2F, this is an open standard for making inexpensive hardware security tokens. These are easily the cheapest way

Hi all, Thanks for all your hard work! I was particularly excited to see FIDO/U2F support in the latest release. I'd like to make the following bug report in ssh-agent's PKCS#11 support: Steps to reproduce: 1. Configure a smart card (e.g. Yubikey in PIV mode) as an SSH key. 2. Add that key to ssh-agent. 3. Remove that key from ssh-agent. 4. Add that key to ssh-agent. Expected results:

Hey all, I'm trying to install the fedora-packager group so that I can build Fedora source packages into RPMs that I can install. I'm getting this error: Error: Package: fedora-packager-0.6.0.1-1.el6.noarch (epel) Requires: python-yubico <SNIP> [root at peach ~]# yum install python-yubico <SNIP> No package python-yubico available. Do you suppose that maybe this

On 01/10/17 13:12, Tony Schreiner wrote: > On Tue, Jan 10, 2017 at 11:12 AM, Mark LaPierre <marklapier at gmail.com> > wrote: > >> Hey all, I'm trying to install the fedora-packager group so that I can >> build Fedora source packages into RPMs that I can install. I'm getting >> this error: >> >> Error: Package:

Hi, I'm interested in extending OpenSSH's PKCS#11 code to support ECDSA keys, but have so far been unable to find anyone who can sell me a smartcard that supports it. They certainly exist - AFAIK it's required by the US PIV standard, but obtaining cards that support it in single digit quantities seems all but impossible. Can anybody on this list help? I'd want 2-6 cards/tokens

https://bugzilla.mindrot.org/show_bug.cgi?id=2638 Bug ID: 2638 Summary: Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW Keywords: patch Severity: enhancement

Dear all, I did try to google search the archives [1] but cannot find any information on this. Would it be possible to somehow implement a passwordless (or as a 2FA) to login to a remote samba (linux server)? Any suggestions greatly appreciated, Greg 1. https://lists.samba.org/archive/samba/

Hey, Judging from the (private) responses I?ve got, there is quite a bit of interest in the U2F feature I proposed a while ago. Therefore, I?ve taken some time to resolve the remaining issues, and I think the resulting patch (attached to this email) is in quite a good state now. I also posted the new version of the patch to https://bugzilla.mindrot.org/show_bug.cgi?id=2319 (which I?ve opened

I don't see a way to do this currently (unless I am missing something) but I would like to be able to specify, that in order for a user to login, they need to use at least 1 public key from 2 separate key sources.? Specifically this would be when using "AuthenticationMethods publickey,publickey".? Right now requiring 2 public keys for authentication will allow 2 public keys from

https://bugzilla.mindrot.org/show_bug.cgi?id=2635 Bug ID: 2635 Summary: Unable to use SSH Agent and user level PKCS11Provider configuration directive Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5

https://bugzilla.mindrot.org/show_bug.cgi?id=2890 Bug ID: 2890 Summary: ssh-agent should not fail after removing and inserting smart card Product: Portable OpenSSH Version: 7.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:

https://bugzilla.mindrot.org/show_bug.cgi?id=3355 Bug ID: 3355 Summary: no-touch-required flag not restored from hardware token Product: Portable OpenSSH Version: 8.4p1 Hardware: All OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh-keygen

On 2019-11-14, Damien Miller <djm at mindrot.org> wrote: > Please give this a try - security key support is a substantial change and > it really needs testing ahead of the next release. Hi Damien, Thanks for working on security key support, this is a really nice feature to have in openssh. My non-FIDO2 security key (YubiKey NEO) doesn't work with the latest changes to openssh

https://bugzilla.mindrot.org/show_bug.cgi?id=2319 Bug ID: 2319 Summary: [PATCH REVIEW] U2F authentication Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at