Displaying 20 results from an estimated 3000 matches similar to: "[Bug 3155] New: openssh support hostkey encrypt"
2020 Sep 09
5
[Bug 3211] New: A
https://bugzilla.mindrot.org/show_bug.cgi?id=3211
Bug ID: 3211
Summary: A
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: kircherlike at
2015 Jun 20
2
sshd and consequences of HostKeyAgent
Hello,
I tried to use HostKeyAgent with sshd 6.7 under Linux. That worked for
Linux clients. However, when I tried to connect from OpenSSH 6.2 under
Mac OS X, the server disconnects:
debug2: bits set: 1026/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
Connection closed by 84.22.97.209
When I disabled HostKeyAgent and switched HostKey back to the private
2019 Aug 06
2
[PATCH v2] Remove sshkey_load_private()
Remove sshkey_load_private(), as this function's role
is similar to sshkey_load_private_type().
---
Dependency:
This change depends on a recently merged change in openbsd:
https://github.com/openbsd/src/commit/b0c328c8f066f6689874bef7f338179145ce58d0
Change log:
v1->v2
- Remove declaration of sshkey_load_private() in authfile.h
authfile.c | 38
2013 Jun 25
1
RFC: encrypted hostkeys patch
Hi,
About a year and a half ago I brought up the topic of encrypted hostkeys
and posted a patch
(http://marc.info/?l=openssh-unix-dev&m=132774431906364&w=2), and while the
general reaction seemed receptive to the idea, a few problems were pointed
out with the implementation (UI issues, ssh-keysign breakage).
I've finally had some spare time in which to get back to this, and I've
2012 Nov 21
1
HostKey in hardware?
Hi,
Is there any way to store HostKey in hardware (and delegate the related
processing)?
I have been using Roumen Petrov's x509 patch for clients, which works via an
OpenSSL engine, but it does not seem to support server HostKey:
http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html
For PKCS#11, I have found an email on this list from a year back suggesting
this
2020 Apr 25
2
[PATCH 1/3] Add private key protection information extraction to ssh-keygen
Add private key protection information extraction to ssh-keygen using -v
option on top of -y option which is already parsing the private key.
Technically, the passphrase isn't necessary to do this, but it is the
most logical thing to do for me.
Adding this to -l option is not appropriate because fingerprinting is
using the .pub file when available.
Another idea is to add a new option, I
2002 Feb 12
3
Problem with ssh-keyscan: no hostkey alg
Hi,
I am using ssh-keyscan with a list of hosts, such as:
ssh-keyscan -t rsa -f hosts_for_keyscan
Some of the hosts in the list have dsa, but no rsa keys. For such
hosts, the command displays:
no hostkey alg
When this is the case for 2 hosts, this message appears twice AND
SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
returned for the following hosts.
Here is the part of the
2008 Jun 27
1
HostKey check for remote hosts via local ports
Another issue for which there might be some tricks that I don't know of:
I have a set of ports on my local machine forwarded (via ssh LocalForward) to machines that I can't directly reach on the localhost. However, as I connect to those machines I get HostKey warnings since it looks for the HostKey of the 'localhost' and depending on the port, it is of course different.
Is there
2024 Sep 23
1
[PATCH] sshd: Add pkcs11 support for HostKey.
Hello,
OpenSSH supports PKCS#11 on the client side, but that does not extend to
the server side. I would like to bring PKCS#11 support to sshd.
I am working on embedded Linux systems with integrated HSM. The sshd
host key is stored on the HSM. To have sshd using that key, we rely on
the following chain:
sshd -> OpenSSL -> OpenSSL Engine -> HSM
Having PKCS#11 support in sshd, would
2002 Jan 31
7
x509 for hostkeys.
This (very quick) patch allows you to connect with the commercial
ssh.com windows client and use x509 certs for hostkeys. You have
to import your CA cert (ca.crt) in the windows client and certify
your hostkey:
$ cat << 'EOF' > x509v3.cnf
CERTPATHLEN = 1
CERTUSAGE = digitalSignature,keyCertSign
CERTIP = 0.0.0.0
[x509v3_CA]
2013 Jun 26
12
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
Zev Weiss <zev at bewilderbeest.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zev at bewilderbeest.net
   Attachment #2125|0                           |1
        is obsolete|
2019 Oct 21
2
Multiple Signatures on SSH-Hostkeys
Hello, OpenSSH-wizards.
In our company, we have looked into SSH-HostKey-signing in order to
realize automated access without the need to accept the server's
hostkey manually.
I got it to work with the HostCertificate-directive inside the
sshd_config.
Now, I was wondering whether it is possible to have multiple
signatures, so I can, for example, sign the hostkey once with a
2024 Nov 12
3
[PATCH 0/2] Specify signature algorithm during server hostkeys prove
From: Maxime Rey <maximejeanrey at gmail.com>
Hello,
I've discovered an issue with sshd when it's configured to use the SSH agent
alongside multiple host keys. Specifically, this problem happens during the
hostkeys-prove-00@openssh.com request, when the server attempts to
demonstrate ownership of the host keys by calling the agent.
The issue occurs because, while processing the
2007 Jan 30
3
[Bug 1279] Address- and/or port-specific HostKeys support
http://bugzilla.mindrot.org/show_bug.cgi?id=1279
Summary: Address- and/or port-specific HostKeys support
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy:
2005 Jul 18
1
problem moving hostkey from ssh version 3.5p1 to 3.8p
Hi,
I am trying to upgrade from OpenSSH_3.5p1 FreeBSD 4.8 to
OpenSSH_3.8p1 (Suse 9.1). Although the host rsa and dsa
keys have been copied over from old to new machine, linux ssh
clients (3.8p1) still bring up the new-key alert. ssh clients
from freebsd machines till OpenSSH_3.6.1p1 work fine with
the setup (without the new key alert)
ssh -vv shows linux clients are looking for type 0 and type
2020 Jun 17
7
[Bug 3182] New: openssh-8.2 make ClientAliveCountMax=0 disable the connection
https://bugzilla.mindrot.org/show_bug.cgi?id=3182
Bug ID: 3182
Summary: openssh-8.2 make ClientAliveCountMax=0 disable the
connection
Product: Portable OpenSSH
Version: 8.2p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sshd
2002 Jun 05
1
Per-port hostkeys
My apologies if this has been covered already. My search of the archives
was unfruitful.
OpenSSH seems to be lacking a certain capability present in ssh.com's
client; namely, the ability to store remote hostkeys on a per-port basis.
I have various machines that, due to iptables port-forwarding, appear to
be running copies of (open)sshd on multiple ports. "Commercial" ssh
stores
2023 Jun 30
0
[centos/centos.org] branch main updated: Adding new hostkey.com sponsor
This is an automated email from the git hooks/post-receive script.
arrfab pushed a commit to branch main
in repository centos/centos.org.
The following commit(s) were added to refs/heads/main by this push:
new 860d2c9 Adding new hostkey.com sponsor
860d2c9 is described below
commit 860d2c965949164c393d15685d1c49c3d3b8d637
Author: Fabian Arrotin <arrfab at centos.org>
AuthorDate: Fri
2011 Nov 03
1
Help with CA Certificates for user authentication?
As background, I read:
http://therowes.net/~greg/2011/03/23/ssh-trusted-ca-key/
http://www.ibm.com/developerworks/aix/library/au-sshsecurity/
http://bryanhinton.com/blog/openssh-security
http://www.linuxhowtos.org/manpages/5/sshd_config.htm
2013 Jan 16
2
HostKey Management
Hi,
As far as I can tell, when working in an environment with many servers,
there seem to be several ways for your client to authenticate the
HostKeys of each:
1) Set StrictHostKeyChecking=no, and hope you don't get MITM'd the first
time you connect to a server.
2) Use SSHFP records (which generally requires you to have DNSSEC fully
deployed to be meaningful compared to #1, I think?)