Implications are... you won't be able to use new protocols introduced by newer OpenSSH:
Nov 25 2022
Nov 24 2022
Thanks. Adding 'PubkeyAuthentication unbound' to my ~/.ssh/config seems to work around it for me on openssh-9.1p1-3 (arch). I don't quite follow what the implications of that setting are though.
In my case (tested with 9.1), here are the lengths of the data to be signed by ssh-agent (emulated by gpg-agent):
- 164 bytes: Both features disabled by: ssh -o KexAlgorithms=-sntrup761x25519-sha512@openssh.com -o PubkeyAuthentication=unbound
- 192 bytes: Unbound only by: ssh -o PubkeyAuthentication=unbound
- 298 bytes: No Post Quantum only by: ssh -o KexAlgorithms=-sntrup761x25519-sha512@openssh.com
- 330 bytes: Both features enabled (no options)
Nov 22 2022
I tested with openssh 9.1. When I add -o PubkeyAuthentication=unbound, I can make the length of data smaller.
Nov 9 2022
In T5931#165009, @alexk wrote:
A workaround: you can add the following line to ~/.ssh/config or /etc/ssh/ssh_config:
KexAlgorithms -sntrup761x25519-sha512@openssh.com
For me ssh -o KexAlgorithms=-sntrup761x25519-sha512@openssh.com ... does work as well.
A workaround: you can add the following line to ~/.ssh/config or /etc/ssh/ssh_config:
Oct 28 2022
Will go into 2.3.9 and gpg4win 4.0.5
Oct 26 2022
Oct 14 2022
Pushed to master.
Sep 22 2022
Sep 20 2022
Testing gpg-auth: there are two different use cases
- test with xsecurelock for screen lock
- test with pam-autoproto for login / gdm / etc.
Here is pam_authproto.c with a Makefile, so that you can compile it with libpam:
Sep 19 2022
I hacked configure.ac of gnupg to force it to build with libgpg-error 1.45, and OpenSSH works with the created pipe. Maybe the libgpg-error fix is only necessary in certain circumstances?
Sep 14 2022
works now
Sep 9 2022
Here is a PAM module, which interacts with a spawned process using the authproto protocol of xsecurelock.
Sep 7 2022
It's not yet pushed, because it requires a new release of libgpg-error (for T6112: libgpg-error,w32: bidirectional Pipe support for estream).
Sep 6 2022
I was looking for this when writing the NEWS update for the latest release and noticed that this has not been pushed yet. I really think that it would be nice to have that, especially for smartcard use cases.
Sep 2 2022
Thanks for testing. I guess I will do a new release.
Sep 1 2022
Applies cleanly and fixes the crash. 👍
For master (2.3) the fix is not needed due to another way the code works, but having a more robust function is always good.
You may try the above commit - it should apply cleanly to 2.2.37.
You are right. This is due to your old binary private key (stubs). Otherwise you would at least have one item ("Key:"). I need to see what to do about the release. Maybe a tool to update the key files would be a good workaround.
Aug 26 2022
Fully done in my opinion.
Aug 24 2022
Isn't this (mostly?) done? See T5517: Improvements for symmetric encryption.
Aug 23 2022
Aug 19 2022
Probably, PIPE_REJECT_REMOTE_CLIENTS mode and lpSecurityAttributes=NULL are OK.
Aug 11 2022
While playing with your scripts I figured that it would be useful to enhance the KEYINFO command. With rG989eae648c8f3d2196517e8fc9cce247b21f9629 we could now
Aug 4 2022
Please reopen my issue. This is a serious issue that we encounter and do not have any explanation for.
Hi!
No, it's not waiting for the password. This error happened 2 times on our server.
We already provided the password but it was hung. We entered different things but it wouldn't do anything.
I can tell you it doesn't wait for anything because we tested the same command on 2 different machines. On one machine it was hung, on another it worked.
gpg was waiting for the passphrase for the signing key to be provided via stdin.
Aug 1 2022
Jul 29 2022
Jul 28 2022
Probably, PIPE_REJECT_REMOTE_CLIENTS mode and lpSecurityAttributes=NULL are OK.
Here is the parser output:
$ python3 sd.py --type=pipe "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)"
D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)
Discretionary ACL: P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)
Flags: P: SE_DACL_PROTECTED (Blocks inheritance of parent's ACEs)
I think that the last argument of CreateNamedPipeA can limit the access to the named pipe.
Here is a patch to implement the functionality with --enable-win32-openssh-support.
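As an added example (not code from this thread, from sd.py, or from GnuPG), a small decoder for the pipe security descriptor string shown in the parser output above, plus a check that reports allow-ACEs handing full control or DACL/owner write to trustees other than SYSTEM and Administrators. The lookup tables hold the standard SDDL abbreviations; the lax descriptor used in the check is a constructed sample.

```python
import re

# Standard SDDL abbreviations (subset sufficient for the descriptors discussed here).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED"}
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
SIDS = {"SY": "Local System", "BA": "Builtin Administrators",
        "AU": "Authenticated Users", "WD": "Everyone", "AN": "Anonymous"}
DACL_FLAGS = {"P": "SE_DACL_PROTECTED", "AI": "SE_DACL_AUTO_INHERITED",
              "AR": "SE_DACL_AUTO_INHERIT_REQ"}

# Rights that let a trustee take over the object: GENERIC_ALL, WRITE_DAC, WRITE_OWNER.
BROAD = 0x10000000 | 0x00040000 | 0x00080000
PRIVILEGED = {"Local System", "Builtin Administrators"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return (flag_names, aces) for the D: component of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL component (an absent DACL is not handled here)")
    flag_str, ace_str = m.group(1), m.group(2)
    flags, i = [], 0
    while i < len(flag_str):            # flag tokens are one or two letters
        tok = flag_str[i:i + 2] if flag_str[i:i + 2] in DACL_FLAGS else flag_str[i]
        if tok not in DACL_FLAGS:
            raise ValueError(f"unknown DACL flag near {flag_str[i:]!r}")
        flags.append(DACL_FLAGS[tok])
        i += len(tok)
    aces = []
    for body in ACE_RE.findall(ace_str):
        fields = body.split(";")        # type;flags;rights;object;inherit_object;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _ace_flags, rights, _obj, _inh, sid = fields
        mask = RIGHTS[rights] if rights in RIGHTS else int(rights, 16)  # e.g. 0x12019b
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "mask": mask, "trustee": SIDS.get(sid, sid)})
    return flags, aces


def broad_grants(aces):
    """Trustees outside PRIVILEGED that an allow ACE gives take-over rights to."""
    return [a["trustee"] for a in aces
            if a["type"] == "ACCESS_ALLOWED" and a["mask"] & BROAD
            and a["trustee"] not in PRIVILEGED]
```

For the descriptor above, Authenticated Users only get the 0x12019b read/write mask, so broad_grants returns an empty list; a constructed descriptor such as D:(A;;GA;;;WD) reports Everyone.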
Jul 26 2022
Jul 18 2022
It's in 2.3.7 and 2.2.36.
Jul 12 2022
It's in 2.3.7.
Changed the tags and the title.
It's in 2.3.7.
It's in 2.3.7.
It's in 2.3.7.
It's in 2.3.7.
Jul 7 2022
Jun 28 2022
We removed the assumption that "OPENPGP.3" is meant for ssh.
Now that we have the "Use-for-ssh" flag, experience shows that including OpenPGP.3 keys by default is not convenient.
Jun 23 2022
ACK. Please add it also to 2.2.
Even if it is only a single case (an old version of Wine), I think that it is worth adding es_fflush when writing to a file.
What about rejected changes to "Key:"?
Jun 22 2022
What about rejected changes to "Key:"? Otherwise this command would make it too easy to mess up the actual private key.
Jun 21 2022
Looking at illumos-gate, Solaris variants have no issues.
Wine 5.0.3 (on Debian bullseye) fails.
Wine 6.0.3 on Debian testing does not fail.
I created a minimized test:
Jun 20 2022
iirc, we use ftruncate for ages now. The problem with the name ftruncate is that it looks too similar to the stdio functions. But sure, things should be flushed first.
Jun 9 2022
Jun 8 2022
Now, it also supports a reader with pinpad.
Jun 6 2022
Jun 2 2022
Jun 1 2022
May 27 2022
Default is "yes". When Prompt: no is specified, it doesn't ask but fails.
The behavior has been changed by T5996, to ask for card insertion for the consistency of the semantics of configuration.
May 26 2022
With the change for T5996 applied, the semantics are clear. The "Use-for-ssh" flag is not for "OpenPGP.3" but for other keys (not only OpenPGP.[12], but also normal keys).