search for: a2o

Displaying 15 results from an estimated 15 matches for "a2o".

Did you mean: a2
2015 Aug 30
2
Disabling host key checking on LAN
On Sun, Aug 30, 2015 at 6:57 AM, Bostjan Skufca <bostjan at a2o.si> wrote: > Nico, > > those were my thoughts, exacly, except that I was thinking about using "dig > +short HOST | ..." which has the cleanest output of all. Excellent point. I like it! It can get a bit confusing with round-robin DNS, which can give multiple responses. &g...
2015 Jul 22
2
Keyboard Interactive Attack?
You need to disable ?ChallengeResponse? (aka keyboard-interactive) authentication, not password authentication, to protect against this attack. On Jul 22, 2015, at 1:56 PM, Bostjan Skufca <bostjan at a2o.si> wrote: > > And to answer your question about what to do, you have three options: > - disable access to ssh with a firewall > - disable password authentication > - install and enable IDS to mitigate brute forcing > > b. > > > On 22 July 2015 at 22:54, Bostjan...
2015 Aug 26
5
Disabling host key checking on LAN
If I want to specify for LAN addresses that I don't want to deal with host keys, how do I do that? Understanding the risks, knowing almost everyone will say not to do this - it's a horrible idea, but deciding I want to do it anyway. Tired of having to remove entries from known_hosts with the multiple VM's I have that often change fingerprints, and am willing to live with the risks.
2015 Aug 28
2
Disabling host key checking on LAN
On Fri, Aug 28, 2015 at 8:48 AM, Bostjan Skufca <bostjan at a2o.si> wrote: > On 27 August 2015 at 05:01, Damien Miller <djm at mindrot.org> wrote: >> Yeah, it's unfortunately quite difficult to implement address matching >> in ~/.ssh/config because of the interplay of Host matching, Hostname >> directives, hostname canonicalisa...
2015 Aug 27
3
Disabling host key checking on LAN
Perfect, thanks. This winds up working for me (as far as I've tested so far.) Match exec "ping -q -c 1 -t 1 %n | grep '192\.168\.'" StrictHostKeyChecking no UserKnownHostsFile none On Wed, Aug 26, 2015 at 11:47 PM, Bostjan Skufca <bostjan at a2o.si> wrote: > (+cc list) > > You could use something in the following manner: > > Match originalhost * exec "/check/if/this/hostname/is/on/lan.sh" > ...(lan-specific opts)... > > But this one is a bit tricky to get right, as order of entries begins >...
2015 Jul 22
2
Keyboard Interactive Attack?
Thanks for clarification. One question though: As far as I have tested openssh, it logs every unsuccessful authentication attempt on the very moment it becomes unsuccessful, not after the connection is closed (after timeout or when reaching max auth attempts). Is this true or not even for this attack or not? Because if it is true, if there is a IDS system that bans IP after X failed logins,
2016 Apr 09
5
Slow reading of large dovecot-uidlist files
Hi there, (context: I was optimizing Roundcube mailbox list server response, and in that 300-400ms response time, around 170ms is spent on single fgets() call which is waiting IMAP repsonse to "SELECT MyMailbox" command) I straced dovecot and of the whole request/response process, around 30ms is spent for everything else, and overwhelming majority of time (150-170ms) is spent for
2015 Aug 27
2
Disabling host key checking on LAN
On Thu, 27 Aug 2015, Bostjan Skufca wrote: > Are you connecting by specifying "ssh HOSTNAME" instead of "ssh IP.IP.IP.IP"? > > If this is the case, then "Host 192.168.*.*" line never matches when > you think it should. > > From ssh_config manpage: > "The host is the hostname argument given on the command line (i.e. the > name is not
2011 Aug 29
1
Auth forwarding socket for single auth
Hi all, authentication forwarding depends much on the environment it is used in, but generally on shared hosts it is considered insecure, as this documentation and common sense tell us: http://unixwiz.net/techtips/ssh-agent-forwarding.html Anyway, I have an auth forwarding security enhancement proposal. I hope I am not duplicating someone else's words/thoughts, please notify me if this is
2015 Aug 29
2
Disabling host key checking on LAN
On Fri, Aug 28, 2015 at 11:51 PM, Walter Carlson <wlcrls47 at gmail.com> wrote: > On Thu, Aug 27, 2015 at 12:26 AM, Walter Carlson <wlcrls47 at gmail.com> wrote: > >> Perfect, thanks. This winds up working for me (as far as I've tested so >> far.) >> >> Match exec "ping -q -c 1 -t 1 %n | grep '192\.168\.'" >>
2003 May 22
2
libpri and zap lib
Hello all, I have some questions about the libpri and zap lib. I've sent mail to Mark for help. Also I wonder whether anyone else would be interested and helpful in them. I'm going to migrate a program to Wildcard E400P card. Our original program is based on C API similar to the functions provided in libpri.h and zap.h, so I want to use the E400P card in the following way: 1. install and
2015 Jul 22
7
Keyboard Interactive Attack?
I read an article today about keyboard interactive auth allowing bruteforcing. I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2010 Feb 07
2
Client link utilization
Hello everybody! This is probably going to be a classic question but I cannot find a decent answer on net. I have samba server set up and the following things work flawlessly: - iperf shows 92% link utilization - FTP/SCP/HTTP transfers work in 10MB/s range. However, when I mount samba share with linux client (mount.cifs) the link utilization cannot bypass cca 33%. Transfer speeds constantly
2013 Apr 04
2
AuthorizedKeysCommand question
Hi, is there a particular reason why this feature is "user" based and not "user-pubkey" based? What I mean is that it works for installation with small number of pubkeys per user. But imagine i.e. a GitHub scale - all users logging in as user "git". On each auth request all the keys from database would be fetched and feeded to OpenSSH. Now I am only asking this out
2009 Dec 29
1
Static build segfaults on x86_64
Hello everyone, I would like to ask you for advice on how to approach (or solve) this particular problem. I use Slackware Linux and compile Openssh from source. I prefer to compile it statically so it doesn't get messed up if I update openssl libraries. Up until now this approach was working OK for me. Lately I have been challenged with Slackware64 installations and I have come across a