> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
> directly to openssh@xxxxxxxxxxx.

I've got one weird case. Doing pubkey auth with certificates, if I
have both the key and cert loaded in my agent, I see:

$ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh-add -l
256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519)
256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519-CERT)
$ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh host
pmoody@host:~$

But if I only have the certificate, I see:

$ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh-add -l
256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519-CERT)
$ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh host
warning: agent returned different signature type ssh-ed25519 (expected ssh-ed25519-cert-v01@xxxxxxxxxxx)
pmoody@host:~$

It still works, but it prints the error about different signature type.

The ssh-agent from the snapshot is listening on /tmp/ssh.sock2.

This is from High Sierra:

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.13.3
BuildVersion: 17D47

built like:

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
S/KEY support: no
MD5 password support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: darwin

Host: x86_64-apple-darwin17.4.0
Compiler: gcc
Compiler flags: -g -O2 -pipe -Qunused-arguments -Wunknown-warning-option -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/local/opt/openssl/include
Linker flags: -L/usr/local/opt/openssl/lib -fstack-protector-strong -pie
Libraries: -lcrypto -lz -lresolv
+for sshd: -lsandbox

with:

$ /usr/local/opt/openssl/bin/openssl version
OpenSSL 1.0.2n 7 Dec 2017