similar to: ssh-agent hides sk "confirm user presence" message

On Mon, 16 Oct 2023, openssh at tr.id.au wrote: > Hey there, > > I've noticed some unexpected behavior when I occasionally need to forward an ed25519-sk key with ssh-agent. When using the key without an agent, it prompts with a reminder to touch the key: > > $ ssh user at remote > Confirm user presence for key ED25519-SK MD5:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Hey Damien, > Generally we prefer to use ssh-askpass for agent notifications. Are you able to use that? Hmm, okay, but it's not clear to me how to make that work. Is what you have in mind documented somewhere? I don't see this specific situation covered in the manpages and a web search doesn't turn up much. I thought ssh-askpass was only invoked when the key is first added to the

On 16.10.23 04:59, Damien Miller wrote: > On Mon, 16 Oct 2023, openssh at tr.id.au wrote: >> When using the key without an agent, it prompts with a reminder to touch the key: >> >> $ ssh user at remote >> Confirm user presence for key ED25519-SK MD5:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX [...] >> But as soon as I add the key to an agent, it now hides that

Hi, It seems that some versions of ssh-agent get confused by ECDSA-SK keys. >From my OpenBSD-current laptop, I'm trying to do remote system adminstration on a machine running Debian 8 with the stock ssh package (OpenSSH_6.7p1 Debian-5+deb8u8, OpenSSL 1.0.2l 25 May 2017). I need access to a remote gitlab server to fetch files with git, using an ED25519 key in my ssh-agent. Once connected

I spent some time today implementing support for loading U2F keys into the SSH agent from my AsyncSSH library. I got it working, but along the way I ran into a few issues I wanted to report: First, it looks like the value of SSH_AGENT_CONSTRAIN_EXTENSION has changed from the value 3 defined at https://tools.ietf.org/html/draft-miller-ssh-agent-02

On Fri, Jan 09, 2015 at 13:00:10 -0800, grantksupport at operamail.com wrote: > Hi > > On Fri, Jan 9, 2015, at 12:34 PM, Mark Hahn wrote: > > >> The one you are missing is EnableSSHKeysign. > > > > I suppose it's worth asking: is your ssh-keysign suid root > > (and are the permissions on your host keys sufficiently tight)? > > Note that

Thomas Calderon <calderon.thomas at gmail.com> writes: > Hi, > > There is no need to add new mechanism identifiers to use specific curves. > > This can be done already using the CKM_ECDSA mechanism parameters (see > CKA_ECDSA_PARAMS > in the standard). > Given that the underlying HW or SW tokens supports Ed25519 curves, then you > could leverage it even with

https://bugzilla.mindrot.org/show_bug.cgi?id=3572 Bug ID: 3572 Summary: ssh-agent refused operation when using FIDO2 with -O verify-required Product: Portable OpenSSH Version: 9.3p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component:

On 10/8/2015 4:49 AM, Simon Josefsson wrote: > Mathias Brossard <mathias at brossard.org> writes: > >> Hi, >> >> I have made a patch for enabling the use of ECDSA keys in the PKCS#11 >> support of ssh-agent which will be of interest to other users. > > Nice! What would it take to add support for Ed25519 too? Do we need to > allocate any new PKCS#11

On Fri, Jan 09, 2015 at 12:22:00 -0800, grantksupport at operamail.com wrote: > @client > > as root (as before) > > ssh server.DOMAIN.COM > Permission denied (hostbased). > > instead, as my user, fails differently for some reason, > > ssh server.DOMAIN.COM > ... > no matching hostkey found for key ED25519

https://bugzilla.mindrot.org/show_bug.cgi?id=3253 Bug ID: 3253 Summary: ssh-keygen man page still lists deprecated key types for -t Product: Portable OpenSSH Version: 8.4p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: ssh-keygen

Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.

https://bugzilla.mindrot.org/show_bug.cgi?id=3577 Bug ID: 3577 Summary: CASignatureAlgorithms supports -cert alogrithms Product: Portable OpenSSH Version: 9.3p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bugs at

Hey all, I am trying to get a modified hostname (converting "blah-1234567" to "1234567") to use in my manifests and templates. I have it working for templates by using Ruby (*<%= hostname.split(''-'').pop.downcase %>*) but I haven''t been able to use it in manifests because they don''t process ERB. The way I see it I could do one of two

I run OpenSSH on linux @ client which ssh /usr/local/bin/ssh ssh -v OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014 @ server which sshd /usr/local/bin/sshd sshd -v unknown option -- V OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014 usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file] [-E log_file] [-f config_file] [-g login_grace_time]

Hi, On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote: > My ssh_config has > Host * > HostbasedAuthentication yes > EnableSSHKeysign yes > NoHostAuthenticationForLocalhost yes > > NoHostAuthenticationForLocalhost is not necessary. > The one you are missing is EnableSSHKeysign. > > Additionally, you made no mention of your ssh_known_hosts files. Make > sure

On Sun, Dec 21, 2014 at 5:25 PM, Damien Miller <djm at mindrot.org> wrote: > On Fri, 19 Dec 2014, Dmt Ops wrote: > > > I added an EXPLICIT > > > > AuthenticationMethods publickey,keyboard-interactive > > + UsePam yes > > > > to sshd_config. Now, at connect attempt I get > > > > Password: > > Verification code: > >

On Wed, Sep 30, 2020 at 03:35:43PM +1000, Damien Miller <djm at mindrot.org> wrote: > On Wed, 30 Sep 2020, raf wrote: > > > Hi, > > > > I have a VM with a git repository whose origin is on > > github. I have several keys known to github, so I needed > > to set git's core.sshcommand config parameter in the > > repository to something like this:

Hi, I have created an agent node from a master node using below command. puppet node_aws create --image ami-cc5af9a5 --keyname icos-client --type ti.micro Now as i am trying to install puppet on it using below command puppet node install \ --install-script=puppet- enterprise \ --installer-payload=/usr/local/puppet/puppet-2.7.0.tar.gz \ --installer-answers=/usr/local/puppet/agent.txt \

Hi, Markus has just committed a few changes that add support for the Ed25519 signature algorithm[1] as a new private key type. This algorithm has a few benefits: it is fast (comparable to ECDSA and RSA), offers 256-bit security and doesn't require random numbers to generate a signature. This last property means it completely avoids (EC-)DSA's horrible, private-key leaking problem when fed