[Bug 1974] Support for encrypted host keys

2016-08-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Damien Miller  changed:

 What       | Removed  | Added
 Status     | RESOLVED | CLOSED

--- Comment #13 from Damien Miller  ---
Close all resolved bugs after 7.3p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 1974] Support for encrypted host keys

2013-07-19 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Damien Miller d...@mindrot.org changed:

 What       | Removed | Added
 Status     | NEW     | RESOLVED
 Resolution | ---     | FIXED
 Blocks     |         | 2076

--- Comment #12 from Damien Miller d...@mindrot.org ---
Markus has committed this. It will be in openssh-6.3. Thanks!



[Bug 1974] Support for encrypted host keys

2013-07-17 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Damien Miller d...@mindrot.org changed:

 What                   | Removed | Added
 Attachment #2309 Flags |         | ok+



[Bug 1974] Support for encrypted host keys

2013-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Markus Friedl mar...@openbsd.org changed:

 What                         | Removed | Added
 Attachment #2303 is obsolete | 0       | 1
 Attachment #2306 is obsolete | 0       | 1
 Attachment #2307 is obsolete | 0       | 1
 Attachment #2308 is obsolete | 0       | 1

--- Comment #11 from Markus Friedl mar...@openbsd.org ---
Created attachment 2309
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2309&action=edit
updated patch (against openbsd cvs)

fixes HostKeyAgent=SSH_AUTH_SOCK and only opens the agent connection if
HostKeyAgent is actually configured.



[Bug 1974] Support for encrypted host keys

2013-07-06 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

--- Comment #9 from Markus Friedl mar...@openbsd.org ---
Created attachment 2308
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2308&action=edit
full patch, including HostKeyAgent option, no ssh-keysign changes



[Bug 1974] Support for encrypted host keys

2013-07-06 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Damien Miller d...@mindrot.org changed:

 What                   | Removed | Added
 Attachment #2308 Flags |         | ok+

--- Comment #10 from Damien Miller d...@mindrot.org ---
Comment on attachment 2308
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2308
full patch, including HostKeyAgent option, no ssh-keysign changes

nice!



[Bug 1974] Support for encrypted host keys

2013-07-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

--- Comment #4 from Markus Friedl mar...@openbsd.org ---
oops, i've forgotten that we already have ServerOptions



[Bug 1974] Support for encrypted host keys

2013-07-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

--- Comment #5 from Markus Friedl mar...@openbsd.org ---
Created attachment 2306
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2306&action=edit
(relative) patch that makes rekey work



[Bug 1974] Support for encrypted host keys

2013-07-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

--- Comment #6 from Markus Friedl mar...@openbsd.org ---
Created attachment 2307
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2307&action=edit
full patch (against openbsd cvs)



[Bug 1974] Support for encrypted host keys

2013-07-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

--- Comment #7 from Damien Miller d...@mindrot.org ---
Comment on attachment 2307
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2307
full patch (against openbsd cvs)

Looks good

@@ -1906,9 +1947,11 @@ main(int ac, char **av)
   buffer_init(loginmsg);
   auth_debug_reset();
 
-  if (use_privsep)
+  if (use_privsep) {
   if (privsep_preauth(authctxt) == 1)
   goto authenticated;
+  } else if (compat20)
+  auth_conn = ssh_get_authentication_connection();
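Review bot: the new `else if (compat20)` arm calls `ssh_get_authentication_connection()` unconditionally, and that function locates the agent through the SSH_AUTH_SOCK variable in sshd's own environment, so an sshd restarted from an administrator's interactive shell would silently attach to that administrator's agent; gate the call on an explicit sshd_config setting (the HostKeyAgent option adopted in the later attachments, pointing at a root-controlled socket path) and only open the connection when that option is set. Note also that the connection is established here only in the non-privsep arm, while `privsep_preauth()` runs instead in the privsep case; the patch should document where the privsep path obtains its agent handle, since that is the default configuration.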

Should agent use be dependent on a config option or a different
environment variable to SSH_AUTH_SOCK? I'd worry about people
restarting sshd and having it pick up their own agent...



[Bug 1974] Support for encrypted host keys

2013-07-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Damien Miller d...@mindrot.org changed:

 What       | Removed | Added
 CC         |         | d...@mindrot.org

--- Comment #8 from Damien Miller d...@mindrot.org ---

> 2) however: i don't like the idea of having ssh-keysign
> run the parser code while running w/ uid 0

At least in this case the configs are root-owned.

> we should avoid running that much code in a setuid tool...
> perhaps just disallow ssh-keysign for ssh-agent-setups :)

I don't think we would get many complaints about this :)



[Bug 1974] Support for encrypted host keys

2013-06-25 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Zev Weiss z...@bewilderbeest.net changed:

 What                         | Removed | Added
 CC                           |         | z...@bewilderbeest.net
 Attachment #2125 is obsolete | 0       | 1

--- Comment #1 from Zev Weiss z...@bewilderbeest.net ---
Created attachment 2303
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2303&action=edit
Incomplete patch for sshd to use ssh-agent for hostkeys

From mailing list post:

...assuming things look OK thus far, I'm considering how best to handle
the ssh-keysign problem.  Since it's executed by a user's ssh client, it
won't have the server's SSH_AUTH_SOCK environment variable, so finding the
socket to connect to is slightly tricky -- any problems with changing it to
a (configurable) static, globally-known path?  Assuming not, then there's
the question of *where* that would be configured -- sshd would need to know
it, but ssh-keysign reads ssh_config, not sshd_config; requiring the user
to configure the same path in both seems undesirable, as does having either
one loading the other's config file.  I guess making it compile-time
configurable would sort of work, but also doesn't seem like a great
solution.  Any thoughts or suggestions on this?  Having a static,
configurable socket path does seem nice otherwise, so sshd could just spawn
its own agent passing -a $SOCKETPATH if it encounters an encrypted
hostkey on startup, rather than, say, relying on an init script to launch
ssh-agent and export the SSH_AUTH_SOCK variable to sshd (though I suppose
there's really nothing stopping it from doing that anyway without a static
socket path).

This version also (somewhat unnecessarily) bundles public keys into the
sensitive_data struct, but I didn't really see a more appropriate place to
stash those.

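The thread above settles two operational points: the agent socket should be an explicit, root-controlled path given in sshd_config rather than something sshd inherits from its environment (Damien's SSH_AUTH_SOCK concern in Comment #7, fixed in Comment #11), and with an agent holding the private host keys only the public key files need to stay on disk. The following POSIX shell script is an added example written for this page, not code from the bug or from OpenSSH. It lints an sshd_config fragment for exactly those two properties, using constructed sample configs; the socket path, key file names and the `start_hostkey_agent` helper are illustrative assumptions, while `HostKeyAgent`, `HostKey`, `ssh-agent -a` and `ssh-add` are the real options and tools named in the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread or OpenSSH): lint an sshd_config
# fragment for the HostKeyAgent setup discussed in bug 1974.

# Constructed sample configs (paths are illustrative).
# Weak: sshd would take the agent socket from its own environment, and a
# private key is still named on disk.
SAMPLE_WEAK='HostKeyAgent SSH_AUTH_SOCK
HostKey /etc/ssh/ssh_host_ed25519_key'

# Good: explicit socket path, and only public key files on disk.
SAMPLE_GOOD='HostKeyAgent /var/run/sshd-hostkey-agent.sock
HostKey /etc/ssh/ssh_host_ed25519_key.pub
HostKey /etc/ssh/ssh_host_rsa_key.pub'

# check_hostkeyagent_config CONFIG_TEXT
# Prints one finding per line and returns 0 when there are no findings,
# 1 otherwise. Keywords are matched case-insensitively, as sshd does.
check_hostkeyagent_config() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "hostkeyagent" {
            agent = $2
            if (agent == "SSH_AUTH_SOCK")
                print "HostKeyAgent reads the socket from the environment; use an explicit path"
            else if (substr(agent, 1, 1) != "/")
                print "HostKeyAgent path is not absolute: " agent
        }
        tolower($1) == "hostkey" { keys[++n] = $2 }
        END {
            # Without HostKeyAgent the HostKey lines are plain private keys;
            # nothing further to check in that mode.
            if (agent == "") exit 0
            for (i = 1; i <= n; i++)
                if (keys[i] !~ /\.pub$/)
                    print "HostKey " keys[i] " names a private key while HostKeyAgent is set"
        }' | {
        found=0
        while IFS= read -r line; do
            found=1
            printf '%s\n' "$line"
        done
        [ "$found" -eq 0 ]
    }
}

# Operator steps matching the good config (assumed paths; not run by the
# lint above): start a dedicated agent on the fixed socket, load the
# private host key into it, then point HostKeyAgent at that socket.
start_hostkey_agent() {
    sock=${1:-/var/run/sshd-hostkey-agent.sock}
    ssh-agent -a "$sock" >/dev/null &&
    SSH_AUTH_SOCK=$sock ssh-add /etc/ssh/ssh_host_ed25519_key
}

# Stand-alone run: report on both samples.
if [ "${0##*/}" != "sh" ] && [ -z "${HOSTKEY_LINT_QUIET:-}" ]; then
    echo "== weak sample =="
    check_hostkeyagent_config "$SAMPLE_WEAK" || echo "(findings above)"
    echo "== good sample =="
    check_hostkeyagent_config "$SAMPLE_GOOD" && echo "no findings"
fi
```

Run it against a real file with `check_hostkeyagent_config "$(cat /etc/ssh/sshd_config)"` after sourcing the script; a clean result only says the agent socket is explicit and no private key file is listed, so the socket itself still needs to be root-owned and mode 0600, which `sshd -T` will not tell you either.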


[Bug 1974] Support for encrypted host keys

2012-02-09 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1974

Petr Cerny [:hrosik] pce...@suse.cz changed:

 What       | Removed | Added
 CC         |         | pce...@suse.cz
