[Bug 1233] "Tunnel" should pass device-name to "LocalCommand"
https://bugzilla.mindrot.org/show_bug.cgi?id=1233

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2782] Tracking bug for OpenSSH 7.7 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Bug 2782 depends on bug 1233, which changed state.

Bug 1233 Summary: "Tunnel" should pass device-name to "LocalCommand"
https://bugzilla.mindrot.org/show_bug.cgi?id=1233

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

[Bug 2782] Tracking bug for OpenSSH 7.7 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |2786

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2786
[Bug 2786] New OpenSSH fails to parse public keys with bogus whitespace

[Bug 2786] New OpenSSH fails to parse public keys with bogus whitespace
https://bugzilla.mindrot.org/show_bug.cgi?id=2786

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2782

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release

[Bug 2786] New OpenSSH fails to parse public keys with bogus whitespace
https://bugzilla.mindrot.org/show_bug.cgi?id=2786

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtuc...@dtucker.net
   Attachment #3128|ok?                         |ok?(dtuc...@dtucker.net)
              Flags|                            |

[Bug 2782] Tracking bug for OpenSSH 7.7 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Bug 2782 depends on bug 2821, which changed state.

Bug 2821 Summary: ssh-keyscan cannot generate SSHFP fingerprints
https://bugzilla.mindrot.org/show_bug.cgi?id=2821

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

[Bug 2821] ssh-keyscan cannot generate SSHFP fingerprints
https://bugzilla.mindrot.org/show_bug.cgi?id=2821

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #2 from Damien Miller ---
That's applied and will be in OpenSSH 7.7 - thanks!

[Bug 2821] ssh-keyscan cannot generate SSHFP fingerprints
https://bugzilla.mindrot.org/show_bug.cgi?id=2821

Darren Tucker changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3127|ok?(dtuc...@dtucker.net)    |ok+
              Flags|                            |

[Bug 2785] Add -P ssh option as alias for -p to set the port
https://bugzilla.mindrot.org/show_bug.cgi?id=2785

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |d...@mindrot.org
         Resolution|---                         |WONTFIX

[Bug 2784] Add native support for routing domains / VRF
https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #37 from Damien Miller ---
Hi Luca,

IMO those client-side patches are a bit too intrusive given that "ip vrf exec" will make them unnecessary in the future once cgroups v2 is stable and full-featured.

[Bug 2782] Tracking bug for OpenSSH 7.7 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Bug 2782 depends on bug 2823, which changed state.

Bug 2823 Summary: putty-transfer regression test broken
https://bugzilla.mindrot.org/show_bug.cgi?id=2823

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

[Bug 2823] putty-transfer regression test broken
https://bugzilla.mindrot.org/show_bug.cgi?id=2823

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2782
         Resolution|---                         |FIXED
                 CC|                            |d...@mindrot.org
             Status|NEW                         |RESOLVED

--- Comment #1 from Damien Miller ---
Committed - thanks.

commit 73282b61187883a2b2bb48e087fdda1d751d6059
Author: d...@openbsd.org
Date:   Fri Feb 23 03:03:00 2018 +

    upstream: unbreak interop test after SSHv1 purge; patch from Colin
    Watson via bz#2823

    OpenBSD-Regress-ID: 807d30a597756ed6612bdf46dfebca74f49cb31a

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release

[Bug 2782] Tracking bug for OpenSSH 7.7 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |2823

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2823
[Bug 2823] putty-transfer regression test broken

[Bug 2821] ssh-keyscan cannot generate SSHFP fingerprints
https://bugzilla.mindrot.org/show_bug.cgi?id=2821

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2782

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release

[Bug 2782] Tracking bug for OpenSSH 7.7 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |2821

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2821
[Bug 2821] ssh-keyscan cannot generate SSHFP fingerprints

[Bug 2821] ssh-keyscan cannot generate SSHFP fingerprints
https://bugzilla.mindrot.org/show_bug.cgi?id=2821

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |d...@mindrot.org,
                   |                            |dtuc...@dtucker.net
             Status|NEW                         |ASSIGNED
           Assignee|unassigned-b...@mindrot.org |d...@mindrot.org
   Attachment #3127|                            |ok?(dtuc...@dtucker.net)
              Flags|                            |

--- Comment #1 from Damien Miller ---
Created attachment 3127
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3127=edit
Add ssh-keyscan -D flag for output in SSHFP format

Good idea, this is trivial to implement. Here's a patch.

[Bug 2782] Tracking bug for OpenSSH 7.7 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |2814

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2814
[Bug 2814] Connection error should report failure instead of success

[Bug 2782] Tracking bug for OpenSSH 7.7 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Bug 2782 depends on bug 2814, which changed state.

Bug 2814 Summary: Connection error should report failure instead of success
https://bugzilla.mindrot.org/show_bug.cgi?id=2814

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

[Bug 2814] Connection error should report failure instead of success
https://bugzilla.mindrot.org/show_bug.cgi?id=2814

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
             Blocks|                            |2782

--- Comment #2 from Damien Miller ---
oops, I committed this a while back:

commit 7c77991f5de5d8475cbeb7cbb06d0c7d1611d7bb
Author: d...@openbsd.org
Date:   Tue Jan 23 05:17:04 2018 +

    upstream commit

    try harder to preserve errno during ssh_connect_direct() to make the
    final error message possibly accurate; bz#2814, ok dtucker@

    OpenBSD-Commit-ID: 57de882cb47381c319b04499fef845dd0c2b46ca

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release

[Bug 2782] Tracking bug for OpenSSH 7.7 release
https://bugzilla.mindrot.org/show_bug.cgi?id=2782

Bug 2782 depends on bug 2820, which changed state.

Bug 2820 Summary: Add support for ssh client to bind to an interface
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

[Bug 2820] Add support for ssh client to bind to an interface
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

Damien Miller changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Damien Miller ---
This has been applied and will be in OpenSSH 7.7 - thanks!

commit ac2e3026bbee1367e4cda34765d1106099be3287 (HEAD -> master, origin/master, origin/HEAD)
Author: d...@openbsd.org
Date:   Fri Feb 23 02:34:33 2018 +

    upstream: Add BindInterface ssh_config directive and -B
    command-line argument to ssh(1) that directs it to bind its outgoing
    connection to the address of the specified network interface.

    BindInterface prefers to use addresses that aren't loopback or link-
    local, but will fall back to those if no other addresses of the
    required family are available on that interface.

    Based on patch by Mike Manning in bz#2820, ok dtucker@

    OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713

[Bug 2652] PKCS11 login skipped if login required and no pin set
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #11 from Daniel Kucera ---
(In reply to Jakub Jelen from comment #10)
> Thank you for testing the patch. But your changes again change the
> semantics and issue the pinpad login even if the PIN is NULL, which
> is not what you generally want.

But if CKF_LOGIN_REQUIRED is set why would one want to skip login?

>
> Or is your card requiring the login also for the listing of public
> keys? What do you get if you try to list the public objects from
> pkcs11-tool?
>
> pkcs11-tool -O /usr/lib/eidklient/libpkcs11_sig_x64.so

My card requires login for absolutely everything

$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -O
Using slot 0 with a present token (0x1)

$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -l -O
Using slot 0 with a present token (0x1)
Private Key Object; RSA
  label:      571cd7f3-0935-4218-b7cf-4b43af29d1bc
  ID:         ...
  Usage:      decrypt, sign
  Access:     always authenticate
Certificate Object; type = X.509 cert
  label:      571cd7f3-0935-4218-b7cf-4b43af29d1bc
  ID:         ...

[Bug 2784] Add native support for routing domains / VRF
https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #36 from Luca Boccassi ---
Hi Damien - did you have any chance to have a look at the client patches?

Thanks!

[Bug 2075] [PATCH] Enable key pair generation on a PCKS#11 device
https://bugzilla.mindrot.org/show_bug.cgi?id=2075

Jakub Jelen changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jje...@redhat.com

--- Comment #2 from Jakub Jelen ---
Using ssh-keygen to generate keys on a PKCS#11 device is an interesting idea that I would clearly welcome, to avoid using many other tools to generate keys on smart cards.

But I don't think referring to this key using an external file is the way to go. Can it be done without it? It would simplify the patch by a great deal.

Also I don't think that the generated key should have the CKA_DECRYPT attribute set, if it should be used for SSH.

Otherwise, the key-generation changes look reasonable.

[Bug 2430] ssh-keygen should allow to login before reading public key from smart card
https://bugzilla.mindrot.org/show_bug.cgi?id=2430

--- Comment #4 from Jakub Jelen ---
This issue could be resolved by the PKCS#11 URIs (bug #2817), which allow one to specify the PIN or PIN source (not yet implemented in the referenced bug), which might be a hint for the tool to perform Login before trying to list objects.

But over the recent years, I did not see almost any cards that would have this issue, so I don't think this is very important now.

[Bug 2620] Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620

Jakub Jelen changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jje...@redhat.com

--- Comment #1 from Jakub Jelen ---
The second issue is probably resolved at this moment (or at least I can not reproduce it with current OpenSSH and OpenSC) and the bug #2635 talks about different behavior. Can you try with current OpenSSH, if it is still an issue for you? Can you provide the debug logs from OpenSSH?

The first thing would be nice to have. Passing the pkcs11-provider from ssh process to ssh-agent should not be too complicated to write. But there might be some more logic required to figure out the card removal from the agent, once the card is removed from reader and the login state becomes invalid. I will try to have a look into that in coming weeks.

[Bug 2635] Unable to use SSH Agent and user level PKCS11Provider configuration directive
https://bugzilla.mindrot.org/show_bug.cgi?id=2635

Jakub Jelen changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jje...@redhat.com

--- Comment #8 from Jakub Jelen ---
Created attachment 3126
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3126=edit
Tail of openSC debug log

I believe this is not a problem of OpenSSH, but of the PKCS#11 module, which is not correctly handling the concurrent access from two separate processes (ssh and ssh-pkcs11-helper of ssh-agent).

I can reproduce the same issue with latest OpenSC and OpenSSH. Running the current OpenSC in debug mode shows similar errors as in the attachment, while running the ssh-agent in debug mode and adding the latest OpenSC pkcs11 module:

OPENSC_DEBUG=9 ssh-agent -d

I just tested the same case with the patch proposed in OpenSC upstream PR [1] and it seems to be resolving the problem. This is also related to the recent change in OpenSC upstream, which is setting disconnect_action=leave by default (previously, it was "reset", which was also breaking long-running sessions such as ssh-agent).

You can try if this will help you to resolve your problems. If not, please provide also the debug logs from OpenSC as shown above.

[1] https://github.com/OpenSC/OpenSC/pull/1256
[2] https://github.com/OpenSC/OpenSC/pull/1242

[Bug 2652] PKCS11 login skipped if login required and no pin set
https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #10 from Jakub Jelen ---
Thank you for testing the patch. But your changes again change the semantics and issue the pinpad login even if the PIN is NULL, which is not what you generally want.

Or is your card requiring the login also for the listing of public keys? What do you get if you try to list the public objects from pkcs11-tool?

pkcs11-tool -O /usr/lib/eidklient/libpkcs11_sig_x64.so