[Bug 1233] "Tunnel" should pass device-name to "LocalCommand"

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1233

Damien Miller  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|ASSIGNED|RESOLVED

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2782] Tracking bug for OpenSSH 7.7 release

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2782
Bug 2782 depends on bug 1233, which changed state.

Bug 1233 Summary: "Tunnel" should pass device-name to "LocalCommand"
https://bugzilla.mindrot.org/show_bug.cgi?id=1233

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED



[Bug 2782] Tracking bug for OpenSSH 7.7 release

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Damien Miller  changed:

   What|Removed |Added

 Depends on||2786


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2786
[Bug 2786] New OpenSSH fails to parse public keys with bogus whitespace


[Bug 2786] New OpenSSH fails to parse public keys with bogus whitespace

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2786

Damien Miller  changed:

   What|Removed |Added

 Blocks||2782


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release


[Bug 2786] New OpenSSH fails to parse public keys with bogus whitespace

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2786

Damien Miller  changed:

   What|Removed |Added

 CC||dtuc...@dtucker.net
   Attachment #3128|ok? |ok?(dtuc...@dtucker.net)
  Flags||



[Bug 2782] Tracking bug for OpenSSH 7.7 release

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2782
Bug 2782 depends on bug 2821, which changed state.

Bug 2821 Summary: ssh-keyscan cannot generate SSHFP fingerprints
https://bugzilla.mindrot.org/show_bug.cgi?id=2821

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED



[Bug 2821] ssh-keyscan cannot generate SSHFP fingerprints

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2821

Damien Miller  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|ASSIGNED|RESOLVED

--- Comment #2 from Damien Miller  ---
That's applied and will be in OpenSSH 7.7 - thanks!



[Bug 2821] ssh-keyscan cannot generate SSHFP fingerprints

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2821

Darren Tucker  changed:

   What|Removed |Added

   Attachment #3127|ok?(dtuc...@dtucker.net)|ok+
  Flags||



[Bug 2785] Add -P ssh option as alias for -p to set the port

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2785

Damien Miller  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 CC||d...@mindrot.org
 Resolution|--- |WONTFIX



[Bug 2784] Add native support for routing domains / VRF

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #37 from Damien Miller  ---
Hi Luca, IMO those client-side patches are a bit too intrusive given
that "ip vrf exec" will make them unnecessary in the future once
cgroups v2 is stable and full-featured.



[Bug 2782] Tracking bug for OpenSSH 7.7 release

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2782
Bug 2782 depends on bug 2823, which changed state.

Bug 2823 Summary: putty-transfer regression test broken
https://bugzilla.mindrot.org/show_bug.cgi?id=2823

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED



[Bug 2823] putty-transfer regression test broken

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2823

Damien Miller  changed:

   What|Removed |Added

 Blocks||2782
 Resolution|--- |FIXED
 CC||d...@mindrot.org
 Status|NEW |RESOLVED

--- Comment #1 from Damien Miller  ---
Committed - thanks.

commit 73282b61187883a2b2bb48e087fdda1d751d6059
Author: d...@openbsd.org 
Date:   Fri Feb 23 03:03:00 2018 +

upstream: unbreak interop test after SSHv1 purge; patch from Colin

Watson via bz#2823

OpenBSD-Regress-ID: 807d30a597756ed6612bdf46dfebca74f49cb31a


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release


[Bug 2782] Tracking bug for OpenSSH 7.7 release

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Damien Miller  changed:

   What|Removed |Added

 Depends on||2823


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2823
[Bug 2823] putty-transfer regression test broken


[Bug 2821] ssh-keyscan cannot generate SSHFP fingerprints

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2821

Damien Miller  changed:

   What|Removed |Added

 Blocks||2782


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release


[Bug 2782] Tracking bug for OpenSSH 7.7 release

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Damien Miller  changed:

   What|Removed |Added

 Depends on||2821


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2821
[Bug 2821] ssh-keyscan cannot generate SSHFP fingerprints


[Bug 2821] ssh-keyscan cannot generate SSHFP fingerprints

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2821

Damien Miller  changed:

   What|Removed |Added

 CC||d...@mindrot.org,
   ||dtuc...@dtucker.net
 Status|NEW |ASSIGNED
   Assignee|unassigned-b...@mindrot.org |d...@mindrot.org
   Attachment #3127||ok?(dtuc...@dtucker.net)
  Flags||

--- Comment #1 from Damien Miller  ---
Created attachment 3127
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3127=edit
Add ssh-keyscan -D flag for output in SSHFP format

Good idea, this is trivial to implement. Here's a patch.



[Bug 2782] Tracking bug for OpenSSH 7.7 release

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Damien Miller  changed:

   What|Removed |Added

 Depends on||2814


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2814
[Bug 2814] Connection error should report failure instead of success


[Bug 2782] Tracking bug for OpenSSH 7.7 release

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2782
Bug 2782 depends on bug 2814, which changed state.

Bug 2814 Summary: Connection error should report failure instead of success
https://bugzilla.mindrot.org/show_bug.cgi?id=2814

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED



[Bug 2814] Connection error should report failure instead of success

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2814

Damien Miller  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED
 Blocks||2782

--- Comment #2 from Damien Miller  ---
oops, I committed this a while back:

commit 7c77991f5de5d8475cbeb7cbb06d0c7d1611d7bb
Author: d...@openbsd.org 
Date:   Tue Jan 23 05:17:04 2018 +

upstream commit

try harder to preserve errno during ssh_connect_direct() to make the
final error message possibly accurate; bz#2814, ok dtucker@

OpenBSD-Commit-ID: 57de882cb47381c319b04499fef845dd0c2b46ca


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release


[Bug 2782] Tracking bug for OpenSSH 7.7 release

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2782
Bug 2782 depends on bug 2820, which changed state.

Bug 2820 Summary: Add support for ssh client to bind to an interface
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED



[Bug 2820] Add support for ssh client to bind to an interface

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

Damien Miller  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED

--- Comment #6 from Damien Miller  ---
This has been applied and will be in OpenSSH 7.7 - thanks!

commit ac2e3026bbee1367e4cda34765d1106099be3287 (HEAD -> master, origin/master, origin/HEAD)
Author: d...@openbsd.org 
Date:   Fri Feb 23 02:34:33 2018 +

upstream: Add BindInterface ssh_config directive and -B

command-line argument to ssh(1) that directs it to bind its outgoing
connection to the address of the specified network interface.

BindInterface prefers to use addresses that aren't loopback or
link-local, but will fall back to those if no other addresses of the
required family are available on that interface.

Based on patch by Mike Manning in bz#2820, ok dtucker@

OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #11 from Daniel Kucera  ---
(In reply to Jakub Jelen from comment #10)
> Thank you for testing the patch. But your changes again change the
> semantics and issue the pinpad login even if the PIN is NULL, which
> is not what you generally want.

But if CKF_LOGIN_REQUIRED is set why would one want to skip login?

> 
> Or is your card requiring the login also for the listing of public
> keys? What do you get if you try to list the public objects from
> pkcs11-tool?
> 
> pkcs11-tool -O /usr/lib/eidklient/libpkcs11_sig_x64.so

My card requires login for absolutely everything

$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -O
Using slot 0 with a present token (0x1)
$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -l -O
Using slot 0 with a present token (0x1)
Private Key Object; RSA 
  label:  571cd7f3-0935-4218-b7cf-4b43af29d1bc
  ID: ...
  Usage:  decrypt, sign
  Access: always authenticate
Certificate Object; type = X.509 cert
  label:  571cd7f3-0935-4218-b7cf-4b43af29d1bc
  ID: ...



[Bug 2784] Add native support for routing domains / VRF

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #36 from Luca Boccassi  ---
Hi Damien - did you have any chance to have a look at the client
patches?
Thanks!



[Bug 2075] [PATCH] Enable key pair generation on a PCKS#11 device

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2075

Jakub Jelen  changed:

   What|Removed |Added

 CC||jje...@redhat.com

--- Comment #2 from Jakub Jelen  ---
Using ssh-keygen to generate keys on a PKCS#11 device is an interesting
idea that I would clearly welcome, to avoid using many other tools to
generate keys on smart cards.

But I don't think referring to this key using an external file is the
way to go. Can it be done without it? It would simplify the patch by a
great deal.

Also I don't think that the generated key should have the CKA_DECRYPT
attribute set, if it should be used for SSH.

Otherwise, the key-generation changes look reasonable.



[Bug 2430] ssh-keygen should allow to login before reading public key from smart card

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2430

--- Comment #4 from Jakub Jelen  ---
This issue could be resolved by the PKCS#11 URIs (bug #2817), which
allow specifying the PIN or PIN source (not yet implemented in the
referenced bug), which might be a hint for the tool to perform Login
before trying to list objects.

But over the recent years, I did not see almost any cards that would
have this issue so I don't think this is very important now.



[Bug 2620] Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2620

Jakub Jelen  changed:

   What|Removed |Added

 CC||jje...@redhat.com

--- Comment #1 from Jakub Jelen  ---
The second issue is probably resolved at this moment (or at least I can
not reproduce it with current OpenSSH and OpenSC) and the bug #2635
talks about different behavior. Can you try with current OpenSSH, if it
is still an issue for you? Can you provide the debug logs from OpenSSH?

The first thing would be nice to have. Passing the pkcs11-provider from
ssh process to ssh-agent should not be too complicated to write. But
there might be some more logic required to figure out the card removal
from the agent, once the card is removed from reader and the login
state becomes invalid.

I will try to have a look into that in coming weeks.



[Bug 2635] Unable to use SSH Agent and user level PKCS11Provider configuration directive

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2635

Jakub Jelen  changed:

   What|Removed |Added

 CC||jje...@redhat.com

--- Comment #8 from Jakub Jelen  ---
Created attachment 3126
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3126=edit
Tail of openSC debug log

I believe this is not a problem of OpenSSH, but of the PKCS#11 module,
which is not correctly handling the concurrent access from two separate
processes (ssh and ssh-pkcs11-helper of ssh-agent).

I can reproduce the same issue with latest OpenSC and OpenSSH. Running
the current OpenSC in debug mode shows similar errors as in the
attachment, while running the ssh-agent in debug mode and adding the
latest OpenSC pkcs11 module:

OPENSC_DEBUG=9 ssh-agent -d

I just tested the same case with the patch proposed in OpenSC upstream
PR [1] and it seems to resolve the problem.

This is also related to the recent change in OpenSC upstream, which is
setting disconnect_action=leave by default (previously, it was "reset",
which was also breaking long-running sessions such as ssh-agent).

You can try if this will help you to resolve your problems. If not,
please, provide also the debug logs from OpenSC as shown above.

[1] https://github.com/OpenSC/OpenSC/pull/1256
[2] https://github.com/OpenSC/OpenSC/pull/1242



[Bug 2652] PKCS11 login skipped if login required and no pin set

2018-02-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #10 from Jakub Jelen  ---
Thank you for testing the patch. But your changes again change the
semantics and issue the pinpad login even if the PIN is NULL, which is
not what you generally want.

Or is your card requiring the login also for the listing of public
keys? What do you get if you try to list the public objects from
pkcs11-tool?

pkcs11-tool -O /usr/lib/eidklient/libpkcs11_sig_x64.so
