Displaying 20 results from an estimated 50 matches for "baushk".

2015 Jun 12
2
[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
On Fri 2015-06-12 01:52:54 -0400, Mark D. Baushke wrote: > I have communicated with Allen Roginsky on this topic and I have been given permission to post his response. > > In this message below, the 'vendor' was Darren Tucker's generated prime > that used a generator value of 5. > > -- Mark > > From: "Rog...
2015 Oct 29
2
[Bug 2464] Adding timestamp to debug messages (log.c:do_log)
Darren Tucker <dtucker at zip.com.au> writes: > On Thu, Oct 29, 2015 at 12:32 PM, Mark D. Baushke <mdb at juniper.net> wrote: > > Diff updated with suggested changes (also, making the timestamp format > > ISO8601 compliant). > > > > Hmmm... full ISO8601 compliance would include the timezone so the format > > I don't have a copy of the ISO8601 text, but...
2017 Sep 24
3
DH Group Exchange Fallback
On 09/24/2017 12:21 AM, Mark D. Baushke wrote: > I suggest you upgrade to a more recent edition of the OpenSSH software. > The most recent release is OpenSSH 7.5 and OpenSSH 7.6 will be released > very soon. This problem is in v7.5 and v7.6. See dh.c:436. > OpenSSH 6.6 was first released on October 6, 2014. I brought up...
2017 Sep 25
4
DH Group Exchange Fallback
On 25 September 2017 at 02:32, Mark D. Baushke <mdb at juniper.net> wrote: > [+CC Loganaden Velvindron <logan at hackers.mu>] primary author of > the RFC 4419 refresh draft. https://datatracker.ietf.org/doc/draft-lvelvindron-curdle-dh-group-exchange/ ? Tangent: has any consideration been given to increasing the maximum allo...
2015 Oct 29
2
[Bug 2464] Adding timestamp to debug messages (log.c:do_log)
https://bugzilla.mindrot.org/show_bug.cgi?id=2464 --- Comment #3 from Darren Tucker <dtucker at zip.com.au> --- Created attachment 2741 --> https://bugzilla.mindrot.org/attachment.cgi?id=2741&action=edit Changes as suggested. Diff updated with suggested changes (also, making the timestamp format ISO8601 compliant). That said, what's the use case for this? The timestamps are
2019 Feb 14
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
Can we disable diffie-hellman-group14-sha1 too? On Thu, Feb 14, 2019 at 10:23 PM Mark D. Baushke <mdb at juniper.net> wrote: > > Hi John, > > The short answer is YES. > > Jon DeVree <nuxi at vault24.org> writes: > > > I ask because the removal of diffie-hellman-group-exchange-sha1 happened > > accidentally in 7.8 due to a mistake in a change to readc...
2019 Feb 20
2
[Bug 2971] New: Prevent OpenSSH from advertising its version number
Also, a lot of measurement/research on deployment of OpenSSH rely on version advertising for their statistics. It's going to be harder to know impact of deprecation of certain legacy features without statistics. I also agree with Mark here. On Wed, Feb 20, 2019 at 10:57 AM Mark D. Baushke <mdb at juniper.net> wrote: > Nagesh writes: > > > Cyber security team has recommended to disable the OpenSSH software > > version advertising when the connection has been established. > > With respect, your cyber security team are foolish if they think that > obs...
2019 Feb 20
4
[Bug 2971] New: Prevent OpenSSH from advertising its version number
On 02/20/2019 07:51 AM, Mark D. Baushke wrote: > There are just too many cases where both OpenSSH interoperating with > itself as well as other SSH implementations have needed this version > number to properly deal with bugs in the code via negotiations. FWIW, and without dismissing the possibility of fingerprinting a server in...
2017 Sep 23
2
DH Group Exchange Fallback
On 09/22/2017 06:10 PM, Mark D. Baushke wrote: > I suppose you want to be more paranoid: > > DH * > dh_new_group_fallback(int max) > { > debug3("%s: requested max size %d", __func__, max); > if (max <= 2048) { > debug3("using 2k bit group 14"); &g...
2018 Nov 06
3
openSSH versions
Hi, I notice here: https://www.openssh.com/releasenotes.html That the versions always have a <number> and a <number>p1. Does the p1 indicate a patch? So does it mean that <number> and <number>p1 are two different versions? It doesn't describe the differences between the two in case they are different versions. I would appreciate some clarification. Thanks, Roee.
2015 Dec 11
16
[Bug 2515] New: Implement diffie-hellman-group{14,15,16)-sha256
...h Assignee: dtucker at zip.com.au Reporter: dtucker at zip.com.au Blocks: 2451 The IETF ssh working group has proposed adding MODP groups 15 and 16 with SHA256 and deprecating group14-sha1 (we're already doing the latter). https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2/ Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2451 [Bug 2451] Bugs intended to be fixed in 7.2 -- You are receiving this mail because: You are watching the reporter of the bug. You are watching the assignee of the bug.
2020 May 01
3
[PATCH] Use POSIX standardized options for head(1) and tail(1)
Hi Damien, Damien Miller <djm at mindrot.org> writes: > Thanks, but I don't think we're going to merge this one because I'm > somewhat worried that some systems we currently build on do not support > the -n syntax. Conversely, AFAIK everything* supports -number. Michael Forney said that he was trying to run on a system that did NOT support head -number and tail
2015 May 27
4
[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
On Wed, May 27, 2015 at 05:08:25PM -0400, Daniel Kahn Gillmor wrote: > On Tue 2015-05-26 15:39:49 -0400, Mark D. Baushke wrote: > > Hi Folks, > > > > The generator value of 5 does not lead to a q-ordered subgroup which > > is needed to pass tests in > > > > http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf > > I pulled revision 2 of this...
2019 Feb 20
5
[Bug 2971] New: Prevent OpenSSH from advertising its version number
https://bugzilla.mindrot.org/show_bug.cgi?id=2971 Bug ID: 2971 Summary: Prevent OpenSSH from advertising its version number Product: Portable OpenSSH Version: 7.6p1 Hardware: All OS: Linux Status: NEW Severity: security Priority: P5 Component: sshd Assignee: unassigned-bugs at
2015 Jul 24
2
DH_GRP_MIN is currently 1024, should it be bumped to 2048?
Greetings, Given the weakness with Diffie-Hellman modp groups less than 2048, is it time to bump the suggested 1024 bit minimum value from the RFC 4419 to a more current 2048 value for OpenSSH 7.0? If so, should this be just a compile-time change, or should there be a new client and server runtime option? Thanks, -- Mark
2017 Sep 22
6
DH Group Exchange Fallback
On 09/22/2017 03:22 PM, Daniel Kahn Gillmor wrote: > On Thu 2017-09-21 18:12:44 -0400, Joseph S Testa II wrote: >> I gotta say... having a fallback mechanism here seems pretty >> strange. The entire point of the group exchange is to use a dynamic >> group and not a static one. > > fwiw, i think dynamic groups for DHE key exchange is intrinsically > problematic
1999 Dec 16
4
ANNOUNCE: openssh-1.2.1pre18
...emote_port() and friends for sshd -i; Holger.Trapp at Informatik.TU-Chemnitz.DE - [mpaux.c] make code simpler. no need for memcpy. niels@ ok - [pty.c] namebuflen not sizeof namebuflen; bnd at ep-ag.com via djm at mindrot.org fix proto; markus - [ssh.1] typo; mark.baushke at solipsa.com - [channels.c ssh.c ssh.h sshd.c] type conflict for 'extern Type *options' in channels.c; dot at dotat.at - [sshconnect.c] move checking of hostkey into own function. - [version.h] OpenSSH-1.2.1 - Clean up broken includes in pty.c - Some older syste...
1999 Dec 09
1
openssh-1.2pre16 patch to pty.c for Solaris 2.6
Greetings, While attempting to build openssh for Solaris 2.6, I ran into a minor problem that should probably be corrected in the next release of openssh. The file pty.c does not #include <stropts.h> to define I_PUSH even though I_PUSH is used when HAVE_DEV_PTMX is defined. Platform: SunOS test01 5.6 Generic_105181-16 sun4u sparc SUNW,Ultra-60 Using: zlib 1.1.3
2002 Mar 08
1
Solaris 2.6 needs '#define HAVE_BOGUS_SYS_QUEUE_H 1' to build OpenSSH 3.1p1
I needed to manually add a '#define HAVE_BOGUS_SYS_QUEUE_H 1' to the config.h file to get OpenSSH 3.1p1 to properly build under Solaris 2.6. Without it, the system <sys/queue.h> is included rather than using the openbsd-compat/fake-queue.h and the various TAILQ_* macros are not defined. I suspect that the configure.ac file needs to be updated to add the lines: if test