[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Damien Miller changed:

What    |Removed  |Added
Status  |RESOLVED |CLOSED

--- Comment #13 from Damien Miller ---
Close all resolved bugs after 7.3p1 release

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Damien Miller d...@mindrot.org changed:

What        |Removed |Added
Status      |NEW     |RESOLVED
Resolution  |---     |FIXED
Blocks      |        |2076

--- Comment #12 from Damien Miller d...@mindrot.org ---
Markus has committed this. It will be in openssh-6.3. Thanks!
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Damien Miller d...@mindrot.org changed:

What                   |Removed |Added
Attachment #2309 Flags |        |ok+
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Markus Friedl mar...@openbsd.org changed:

What                         |Removed |Added
Attachment #2303 is obsolete |0       |1
Attachment #2306 is obsolete |0       |1
Attachment #2307 is obsolete |0       |1
Attachment #2308 is obsolete |0       |1

--- Comment #11 from Markus Friedl mar...@openbsd.org ---
Created attachment 2309
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2309&action=edit
updated patch (against openbsd cvs)

Fixes HostKeyAgent=SSH_AUTH_SOCK and only opens the agent connection if HostKeyAgent is actually configured.
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

--- Comment #9 from Markus Friedl mar...@openbsd.org ---
Created attachment 2308
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2308&action=edit
full patch, including HostKeyAgent option, no ssh-keysign changes
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Damien Miller d...@mindrot.org changed:

What                   |Removed |Added
Attachment #2308 Flags |        |ok+

--- Comment #10 from Damien Miller d...@mindrot.org ---
Comment on attachment 2308
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2308
full patch, including HostKeyAgent option, no ssh-keysign changes

Nice!
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

--- Comment #4 from Markus Friedl mar...@openbsd.org ---
Oops, I've forgotten that we already have ServerOptions.
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

--- Comment #5 from Markus Friedl mar...@openbsd.org ---
Created attachment 2306
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2306&action=edit
(relative) patch that makes rekey work
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

--- Comment #6 from Markus Friedl mar...@openbsd.org ---
Created attachment 2307
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2307&action=edit
full patch (against openbsd cvs)
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

--- Comment #7 from Damien Miller d...@mindrot.org ---
Comment on attachment 2307
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2307
full patch (against openbsd cvs)

Looks good

@@ -1906,9 +1947,11 @@ main(int ac, char **av)
 	buffer_init(loginmsg);
 	auth_debug_reset();

-	if (use_privsep)
+	if (use_privsep) {
 		if (privsep_preauth(authctxt) == 1)
 			goto authenticated;
+	} else if (compat20)
+		auth_conn = ssh_get_authentication_connection();

Should agent use be dependent on a config option or a different environment variable to SSH_AUTH_SOCK? I'd worry about people restarting sshd and having it pick up their own agent...
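Review bot: in the `else if (compat20)` branch, `ssh_get_authentication_connection()` is called with no configuration gate, so a non-privsep sshd attaches to whatever agent socket is in its environment via SSH_AUTH_SOCK, including an operator's personal agent after a restart from an interactive shell; make the agent connection conditional on an explicit sshd_config setting that names the socket path, and leave `auth_conn` unset when that setting is absent so the server fails closed. The `use_privsep` branch opens no agent connection at this site at all, so either the privileged monitor handles agent-backed host keys elsewhere in the patch or encrypted host keys silently do not work under privsep; a short comment here saying which would save the next reader a search.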
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Damien Miller d...@mindrot.org changed:

What |Removed |Added
CC   |        |d...@mindrot.org

--- Comment #8 from Damien Miller d...@mindrot.org ---
> 2) however: I don't like the idea of having ssh-keysign run the parser
> code while running w/ uid 0

At least in this case the configs are root-owned.

> We should avoid running that much code in a setuid tool... perhaps just
> disallow ssh-keysign for ssh-agent setups :)

I don't think we would get many complaints about this :)
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Zev Weiss z...@bewilderbeest.net changed:

What                         |Removed |Added
CC                           |        |z...@bewilderbeest.net
Attachment #2125 is obsolete |0       |1

--- Comment #1 from Zev Weiss z...@bewilderbeest.net ---
Created attachment 2303
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2303&action=edit
Incomplete patch for sshd to use ssh-agent for hostkeys

From mailing list post:

...assuming things look OK thus far, I'm considering how best to handle the ssh-keysign problem. Since it's executed by a user's ssh client, it won't have the server's SSH_AUTH_SOCK environment variable, so finding the socket to connect to is slightly tricky -- any problems with changing it to a (configurable) static, globally-known path?

Assuming not, then there's the question of *where* that would be configured -- sshd would need to know it, but ssh-keysign reads ssh_config, not sshd_config; requiring the user to configure the same path in both seems undesirable, as does having either one loading the other's config file. I guess making it compile-time configurable would sort of work, but also doesn't seem like a great solution. Any thoughts or suggestions on this?

Having a static, configurable socket path does seem nice otherwise, so sshd could just spawn its own agent passing -a $SOCKETPATH if it encounters an encrypted hostkey on startup, rather than, say, relying on an init script to launch ssh-agent and export the SSH_AUTH_SOCK variable to sshd (though I suppose there's really nothing stopping it from doing that anyway without a static socket path).

This version also (somewhat unnecessarily) bundles public keys into the sensitive_data struct, but I didn't really see a more appropriate place to stash those.
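An added deployment and audit example, not code from this bug thread or from OpenSSH, that ties together three points in the discussion: the HostKeyAgent option committed in comment #11, the concern in comment #7 that sshd could inherit an operator's own agent through SSH_AUTH_SOCK, and the fixed, globally known socket path proposed in comment #1. It assumes a dedicated agent on a root-owned socket at an assumed path (/run/sshd-hostkey-agent.sock), an assumed host key file (/etc/ssh/ssh_host_ed25519_key), and that sshd keeps reading the public halves from the HostKey .pub files while the private halves stay in the agent. The awk audit function is a hypothetical helper for reviewing sshd_config, not an OpenSSH tool.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from OpenSSH.
# Paths below are assumptions for illustration.

HOSTKEY_SOCK=/run/sshd-hostkey-agent.sock     # assumed socket path
HOSTKEY_FILE=/etc/ssh/ssh_host_ed25519_key    # assumed key file

# Start a dedicated agent bound to a fixed, root-owned socket and load
# the passphrase-protected host key into it (ssh-add prompts for the
# passphrase). sshd_config keeps its HostKey line so sshd can read the
# .pub half; the private half never leaves the agent, and sshd itself
# should not have SSH_AUTH_SOCK set in its environment at all.
start_hostkey_agent() {
    ssh-agent -a "$HOSTKEY_SOCK" >/dev/null
    SSH_AUTH_SOCK="$HOSTKEY_SOCK" ssh-add "$HOSTKEY_FILE"
}

# Emit the sshd_config lines that point sshd at that agent by explicit
# path rather than at whatever SSH_AUTH_SOCK happens to be inherited.
hostkeyagent_config() {
    printf 'HostKey %s\nHostKeyAgent %s\n' "$HOSTKEY_FILE" "$HOSTKEY_SOCK"
}

# Audit helper (hypothetical): read an sshd_config on stdin and report
# how HostKeyAgent is set. Prints "path" for an explicit socket path,
# "env" for the SSH_AUTH_SOCK special value (the inherited-agent case
# from comment #7) and "absent" when the option is not set at all.
# sshd honours the first occurrence of a keyword, so the first match
# wins. Keywords are case-insensitive and may be separated from their
# argument by whitespace or '='.
hostkeyagent_mode() {
    awk '
        /^[ \t]*#/ { next }          # comment line
        NF == 0    { next }          # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == "hostkeyagent") {
                if (f[2] == "SSH_AUTH_SOCK") mode = "env"; else mode = "path"
                exit
            }
        }
        END {
            if (mode == "") mode = "absent"
            print mode
        }
    '
}

# Audit the live configuration when invoked as: sh this_script.sh audit
if [ "$#" -gt 0 ] && [ "$1" = audit ]; then
    hostkeyagent_mode < /etc/ssh/sshd_config
fi
```

The audit distinguishes the three states an operator cares about: an explicit socket path (the configuration the HostKeyAgent option was designed for), the SSH_AUTH_SOCK special value (which only makes sense when the process that starts sshd deliberately exports a controlled socket), and no option at all (host keys are read from disk and must be unencrypted).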
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Petr Cerny [:hrosik] pce...@suse.cz changed:

What |Removed |Added
CC   |        |pce...@suse.cz