search for: eckenfels

Displaying 14 results from an estimated 14 matches for "eckenfels".

2013 Feb 01
3
Wiki edit access?
Hello, I am a happy CentOS user who has noticed some typos on the wiki (I sent one to Akemi yesterday). I would like to fix these directly, rather than sending email to someone else for each change. Is this possible? FWIW, I'm a committer on the ASF's httpd-docs project, although I am not currently active there. My CentOS wiki username is ChrisPepper. Thanks, Chris Pepper
2023 Dec 20
1
Discussion: new terrapin resisting ciphers and macs (alternative to strict-kex) and -ctr mode question.
...ws, that those constructs are just very fragile. For reference, there has been a similar request over on Ars Technica. M. Sc. Fabian Bäumer Chair for Network and Data Security Ruhr University Bochum Universitätsstr. 150, Building MC 4/145 44780 Bochum Germany Am 20.12.2023 um 11:57 schrieb Bernd Eckenfels: > Hello, > > > in addition to my last thread about a new config option to make strict-kex mandatory, > I also wonder if a new mechanism for ciphers/macs can be introduced and is reliable > by simple both sides using it. > > So there could be a Chacha20-Poly1305v2@openssh...
2023 Dec 20
0
Feature Request: new "Require Strict-KEX" c/s option
...-kex mode as a server config as well as a per-host config in the client config. (obcredits: jssh has this setting). Not sure if you also have precedence for warning on (console initiated) connections which have no strict-kex, but that would be an additional feature. Gruss Bernd -- https://bernd.eckenfels.net
2024 Jan 27
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
BTW based on your output it looks like the DEFAULT policy is just fine. If you really want to turn etm HMAC and chacha20 off, you should follow the RHEL security alert https://access.redhat.com/security/cve/cve-2023-48795 `cipher@SSH = -CHACHA20-POLY1305` `ssh_etm = 0` by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy
2024 Mar 12
0
PrivateKeyCommand config idea
...m, okay, I just realized the protocol has a full specification at > https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent. Would it be > possible to get that protocol added to the list of manuals which typically > get installed with the OpenSSH package? Gruß Bernd -- https://bernd.eckenfels.net
2024 Mar 12
1
PrivateKeyCommand config idea
BTW not for your usecase with the decryption, but if people want to dynamically create/provision short lived keys, they could use “match host * exec gen-key.sh %s” config to run a program before each connection. However it can’t stdout the key material, but what it could do is update a temporary Identity file or push it short-lived with ssh-add to the running (standard) agent. openssh at tr.id.au
2024 May 17
1
Splitting sshd
[This email is either empty or too large to be displayed at this time]
2013 Jan 22
1
new to the wiki
Hello, I noticed some formatting issues and had some content improvements, so I would like to get write access to the Wiki. I signed up as BerndEckenfels there. One thing I was looking at is the not working "'''" marker in http://wiki.centos.org/HowTos/JavaDevelopmentKit Greetings Bernd
2024 Mar 12
1
PrivateKeyCommand config idea
On Mon, Mar 11, 2024, at 6:05 PM, Bernd Eckenfels wrote: > BTW not for your usecase with the decryption, but if people want to > dynamically create/provision short lived > keys, they could use “match host * exec gen-key.sh %s” config to run a > program before each connection. > However it can’t stdout the key material, but what it...
2023 Dec 23
1
ssh-keygen generator 3 broken
Hello, I was re-generating the moduli for SSH, and during that process I noticed that, when running the following command: `ssh-keygen -M screen -O prime-tests=600 -O generator=3 -f moduli-2048-01.candidates moduli-2048-01c` It does not produce any errors, only the following: debug2: ???1467763: (4) Sophie-Germain debug2: ???1467763: generator 0 != 3 debug2: ???1467764: (4) Sophie-Germain
2024 Jun 06
2
kerberos default_ccache_name with sssd
Good day everyone, I am currently testing integrating kerberos into our MMR openldap cluster and things have gone well so far. I can ssh to my test clients using my kerberos credentials then ssh using GSSAPI to other hosts as defined in my principals using my ticket, achieving SSO. *I wanted to see if I could make the cache file user-specific, instead of the default location
2024 Mar 08
3
PrivateKeyCommand config idea
G'day, In our infrastructure we're trying to be more diligent about switching to sk keys (and/or certs backed by sk keys.) However, there are some services like Gerrit and Jenkins which are written in java and I guess they will never support sk keys, or at least, it seems like it won't happen any time soon. For such services, typical practices at the moment include putting
2023 Dec 20
1
Discussion: new terrapin resisting ciphers and macs (alternative to strict-kex) and -ctr mode question.
Hello, in addition to my last thread about a new config option to make strict-kex mandatory, I also wonder if a new mechanism for ciphers/macs can be introduced and is reliable by simple both sides using it. So there could be a Chacha20-Poly1305v2@openssh.com which uses AD data to chain the messages together, so it will be resistant against terrapin even without the strict-kex. Consequently
2007 Feb 23
2
OCFS 1.2.4 memory problems still?
I have a 2 node cluster of HP DL380G4s. These machines are attached via scsi to an external HP disk enclosure. They run 32bit RH AS 4.0 and OCFS 1.2.4, the latest release. They were upgraded from 1.2.3 only a few days after 1.2.4 was released. I had reported on the mailing list that my developers were happy, and things seemed faster. However, twice in that time, the cluster has gone down due