search for: davidnewall

Displaying 20 results from an estimated 25 matches for "davidnewall".

2019 Mar 15
4
prompt to update a host key
On 03/15/2019 12:49 AM, Jeremy Lin wrote: > [...] connecting to hosts where the host key > changes frequently. I realize this is a fairly niche use case [...] Doesn't StrictHostKeyChecking=no do what is wanted?
2019 Nov 04
4
scp, sftp, and special characters in filenames
On Mon, 4 Nov 2019 at 14:07, David Newall <openssh at davidnewall.com> wrote: > [about scp] That's just awful, and I should have > thought it was not at all necessary. Am I missing something? > If you're saying that the scp protocol is an unfixable mess then the openssh team has been agreeing[0] with you for at least a decade and a half. W...
2017 Oct 13
4
Why dup()?
On 12/10/17 12:54, Clark Wang wrote: > How did you hit the problem? "ssh host echo hello | cat" works fine > for me. That's because ssh exited, not because of EOF. Consider the following: ssh localhost 'exec cat > /dev/null' | { read l; echo ${l:-EOF}; } One should see "EOF" immediately (for values of immediate that include startup latency), but
2018 Feb 06
2
add Spectre variant 2 mitigations
On 6 February 2018 at 20:09, David Newall <openssh at davidnewall.com> wrote: > Do we need to do anything? It's not clear to me how SSH is vulnerable to > Spectre -- that is, how SSH can be used to execute a Spectre attack? I am more concerned with it being the target of a Spectre style attack. There's some long lived private data (host keys i...
2018 Jul 12
2
UDP for data?
On Wed, Jul 11, 2018 at 6:58 PM, David Newall <openssh at davidnewall.com> wrote: > I remember, when Sun first released NFS they used UDP for transport because > "performance", and then, not so very long later, had to implement TCP > transport because "reliability". network reliability has changed quite a bit since the 80's. see...
2018 Jan 01
3
Legacy option for key length?
On 31/12/17 16:44, Peter Moody wrote: > On Sat, Dec 30, 2017 at 9:47 PM, David Newall <openssh at davidnewall.com> wrote: >> Of course it's the client's fault. The client worked, was changed, and thus >> stopped working. > don't upgrade your client. problem solved. you're at fault for not > pinning your dependencies when you have hard dependencies. Really? A fractur...
2017 Dec 31
3
Legacy option for key length?
On 31/12/17 13:52, Peter Moody wrote: >> By making it impossible for people to use SSH > nb, it's not impossible to use openssh. it might not be possible to use > a *modern* openssh client to connect to an old, unpatched unmaintained > (by the vendor) sshd. i'd argue that's not the client's fault. Of course it's the client's fault. The client worked, was
2017 Dec 25
4
OpenSSH key signing service?
On Sun, Dec 24, 2017 at 9:54 PM, David Newall <openssh at davidnewall.com> wrote: > On 25/12/17 00:11, John Devitofranceschi wrote: >> >> Besides ssh.com's PrivX product, has anyone created a web service that can >> be used to issue temporary certkeys to authenticated users? >> >> Any pointers appreciated! > > > I expect t...
2020 Apr 26
2
[PATCH] Fix line-wrapping typo in comment
--- sshbuf.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sshbuf.h b/sshbuf.h index 78e32264..4b71405a 100644 --- a/sshbuf.h +++ b/sshbuf.h @@ -140,7 +140,7 @@ int sshbuf_allocate(struct sshbuf *buf, size_t len); /* * Reserve len bytes in buf. * Returns 0 on success and a pointer to the first reserved byte via the - * optional dpp parameter or a negative * SSH_ERR_*
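Review bot: the comment being rewrapped in sshbuf.h still reads ambiguously, because "Returns 0 on success and a pointer to the first reserved byte via the optional dpp parameter or a negative SSH_ERR_*" can be parsed as the error code also coming back through dpp. While touching these lines, consider splitting it into two sentences, one for the success return and the dpp pointer and one for the negative error return. The added line is cut off in this excerpt, so the rewrapped text itself cannot be checked here.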
2018 Feb 05
2
add Spectre variant 2 mitigations
Hi. Both GCC and clang are adding mitigations for Spectre variant 2 although neither have yet made a release and neither are on by default. After trolling through and building release candidate branches for both I believe this is what is required for the ssh programs (although all the dependent libraries will also need to be built with mitigations, and I suspect libcrypto is a more likely
2019 Nov 04
2
scp, sftp, and special characters in filenames
On Mon, 4 Nov 2019, David Newall wrote: > On 4/11/19 3:29 am, Demi M. Obenour wrote: > > I have not been able to get scp(1) to download a file with a newline > > in its name. I know that scp(1) requires that remote filenames be > > escaped for the shell, but that leads to protocol errors. > > I see something much worse: > > $ sudo sh > # echo
2018 Jul 11
4
UDP for data?
Hi, I'm very interested in making SSH use UDP for large data chunks. Maybe you know FASP (https://en.wikipedia.org/wiki/Fast_and_Secure_Protocol), but that is proprietary, although the website says it's based upon open source methods. Is it possible to make openssh work with UDP for this purpose? Thanks in advance, Stef Bon
2017 Oct 09
5
Why dup()?
Hello all, My scripts, which read stdout from ssh, weren't seeing EOF from the remote session. It was being sent, but lost. I tracked it down to the following code, in ssh.c, at ssh_session2_open: if (stdin_null_flag) { in = open(_PATH_DEVNULL, O_RDONLY); } else { in = dup(STDIN_FILENO); } out = dup(STDOUT_FILENO);
2017 Oct 14
2
Why dup()?
On 14/10/17 07:44, Damien Miller wrote: > On Fri, 13 Oct 2017, David Newall wrote: >> On 13/10/17 16:22, Damien Miller wrote: >> > At a minimum, I think we'd have to dup2 a fd to /dev/null to >> > STDOUT_FILENO so writes to stdout (e.g. from ill-behaved >> > libraries) have somewhere to go. >> >> Would that really be useful? Output from
2019 Jul 15
7
Feature request: allow chrooted directory writable by others
Hello, I am trying to setup a file server using the SFTP protocol with OpenSSH. I am in trouble because sshd refuses to chroot to a directory that is writable by users other than the owner. I guess that this is to prevent someone else from creating a .ssh/authorized_keys file and impersonate the user. But we have configured an alternative AuthorizedKeysFile. I also understand that a chroot user
2017 Dec 24
2
OpenSSH key signing service?
Besides ssh.com's PrivX product, has anyone created a web service that can be used to issue temporary certkeys to authenticated users? Any pointers appreciated! jd
2017 Oct 13
2
Why dup()?
On 13/10/17 16:22, Damien Miller wrote: > At a minimum, I think we'd have to dup2 a fd to /dev/null to > STDOUT_FILENO so writes to stdout (e.g. from ill-behaved > libraries) have somewhere to go. Would that really be useful? Output from Ill-behaved libraries, written fd 1, already go to the same place. Don't forget, dup does not create a new file, it creates a duplicate
2018 Jan 02
2
Legacy option for key length?
On 02/01/18 16:33, Ben Lindstrom wrote: > And how many annoying "Do you really want to do this?" type questions > do you prompt the user and assume it is "fine"? I think zero. I think the warning goes in the man page: --allow-insecure-short-key This option allows use of keys shorter than 1024 bits, however, it is known that such keys can be broken quite
2018 Apr 13
3
OpenSSH 7.7 t1 script breakage
On 13/04/18 07:59, Josh Soref wrote: > Randall S. Becker <rsbecker at nexbridge.com> wrote: > >> -REGRESSTMP = "$(PWD)/regress" >> +REGRESSTMP = `pwd` >> >> ? tests interop-tests t-exec unit: regress-prep regress-binaries >> $(TARGETS) >> > It looks like the problem is that pwd is in uppercase, not so much the > distinction between
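Review bot: the added line "REGRESSTMP = `pwd`" as quoted here drops the /regress suffix that the removed line "$(PWD)/regress" carried, so REGRESSTMP would name the current directory rather than its regress subdirectory; keep the suffix in the replacement. With a plain = assignment make also stores the backquoted text unexpanded, and pwd only runs when a shell later receives the value, so any use of REGRESSTMP outside a recipe command line should be checked.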
2018 Nov 16
2
Conflicting TERM env var with SetEnv feature.
On 17/11/18 12:32 am, Raphael Medaer wrote: > Actually if you use "-o" it's also overridden. Looking at sshd > logging, it seems that the env var is overridden because of session > mechanism (aka "not ordering of parameter source"). > Thus is it a non-issue due to priority of configuration source ? Does > it mean that the priority is "env var" >