Displaying 20 results from an estimated 255 matches for "jelen".

2017 Apr 24
5
PKCS#11 URIs in OpenSSH
...ork with ssh-agent. It does not bring any new dependency, provides unit and regress tests (while fixing agent-pkcs11 regress test). The code is on github and ready for comments/reviews (some details will need to be adjusted): https://github.com/openssh/openssh-portable/compare/master...Jakuje:jjelen-pkcs11 I will fill a bugzilla later. I would be grateful for your ideas, comments or reviews for this feature. Other useful parts of RFC, that could be implemented would be a way to provide a PIN or a PIN source for the token, other ways of providing module-path (module-name). Regards, -- Ja...
2016 Dec 14
4
Call for testing: OpenSSH 7.4
...g Makefile:198: recipe for target 't-exec' failed make[1]: *** [t-exec] Error 1 make[1]: Leaving directory '/root/openssh/regress' Makefile:568: recipe for target 'tests' failed make: *** [tests] Error 2 I will have a look into that if I will have a minute today. -- Jakub Jelen Software Engineer Security Technologies Red Hat
2019 Apr 24
2
Call for testing: OpenSSH 8.0
On Sat, 2019-04-06 at 03:20 +1100, Damien Miller wrote: > On Fri, 5 Apr 2019, Jakub Jelen wrote: > > > There is also changed semantics of the ssh-keygen when listing keys > > from PKCS#11 modules. In the past, it was not needed to enter a PIN > > for > > this, but now. > > > > At least, it is not consistent with a comment in the function > >...
2018 Oct 14
4
Call for testing: OpenSSH 7.9
On Fri, 12 Oct 2018, Jakub Jelen wrote: > Something like this can be used to properly initialize new OpenSSL > versions: > > @@ -70,12 +70,19 @@ ssh_compatible_openssl(long headerver, long libver) > void > ssh_OpenSSL_add_all_algorithms(void) > { > +#if OPENSSL_VERSION_NUMBER < 0x10100000L > Op...
2020 Jun 16
15
Deprecation of scp protocol and improving sftp client
...(and/or) * Change scp to use sftp internally * Modify sshd to use some compatibility "scpd" to support old clients and some time later * Remove scp or replace it with a symlink [1] http://www.openssh.com/txt/release-8.0 Any ideas/comments/suggestions? Best regards, -- Jakub Jelen Senior Software Engineer Security Technologies Red Hat, Inc.
2017 Dec 18
2
[SFTP] Possibility for Adding "ForceFilePermission" option
...e to raise a concern about this patch in the developer group? Regarding the "a script that fixes file permissions upon upload", this is also an interesting idea. But how do I add a hook that is listening to the upload events? Thanks & Best Regards House > On Dec 18, 2017, at 06:03, Jakub Jelen <jjelen at redhat.com> wrote: > > On Thu, 2017-12-14 at 10:26 -0600, House Lee wrote: >> Hi, >> >> I understand that if I specify `ForceCommand internal-sftp -u >> <umask>`, the permission of any files uploaded via sftp will be >> calculated by `<...
2016 Nov 14
4
OpenSSL 1.1.0 support
On Mon, 14 Nov 2016, Jakub Jelen wrote: > Thank you for the comments. I understand the upstream directions and > that the OpenSSL step is not ideal. The distros will probably have to > carry these patches until the changes will settle down a bit. AFAIK Red Hat employs at least one OpenSSL maintainer. What is their view...
2016 Dec 24
30
[Bug 2652] New: PKCS11 login skipped if login required and no pin set
https://bugzilla.mindrot.org/show_bug.cgi?id=2652 Bug ID: 2652 Summary: PKCS11 login skipped if login required and no pin set Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: Smartcard Assignee:
2020 Jul 02
8
[Bug 3190] New: Inconsistent handling of private keys without accompanying public keys
...blic keys Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: jjelen at redhat.com It comes up from time to time that somebody uses private key without public key in separate file. OpenSSH is trying to be helpful to read the separate public key file initially, to prevent decrypting private keys too early, but currently it is very inconsistent. See the following step...
2015 May 05
3
[Bug 2394] New: Provide a global configuration option to disable ControlPersist
...olPersist Product: Portable OpenSSH Version: 6.8p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: jjelen at redhat.com Created attachment 2616 --> https://bugzilla.mindrot.org/attachment.cgi?id=2616&action=edit proposed patch +++ This bug was cloned from Red Hat Bugzilla - Bug 1218351 +++ The new ControlPersist feature undesirably closes fds that are loaded by an adhoc LD_PRELOAD applicat...
2020 Feb 27
12
[Bug 3126] New: Mark the RDomain configuration option unsupported on non-openbsd builds
...t: Portable OpenSSH Version: 8.2p1 Hardware: Other OS: Linux Status: NEW Keywords: patch Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: jjelen at redhat.com Created attachment 3358 --> https://bugzilla.mindrot.org/attachment.cgi?id=3358&action=edit Mark the RDomain configuration option unsupported on non-openbsd builds Experimenting with RDomain configuration option on non-OpenBSD platform prevents sshd from accepting connectio...
2018 Jan 05
3
SFTP chroot: Writable root
...vileges and or do other nasty things. You should not do that. If you aim for the end-user comfort that he does not have to change directory before uploading/downloading files, there is -d switch to the sftp-server, which changes the start directory after startup automatically. Regards, -- Jakub Jelen Software Engineer Security Technologies Red Hat, Inc.
2015 Dec 04
2
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
Thanks Jakub. How does this patch match the OpenSSH source version? Is the patch only applicable to OpenSSH version 6.6.1, or are other versions available as well? Thanks. On Fri, Dec 4, 2015 at 4:26 AM, Jakub Jelen <jjelen at redhat.com> wrote: > > On 12/04/2015 03:26 AM, security veteran wrote: > >> 3. Is there a way to re-compile OpenSSH by turning on/off some flags to >> make it FIPS compliant? >> >> 4. Does the RedHat OpenSSH FIPS modules ( >> http://csrc.nist...
2016 Nov 02
5
OpenSSL 1.1.0 support
On Wed, 2 Nov 2016, Stuart Henderson wrote: > On 2016-11-02, Jakub Jelen <jjelen at redhat.com> wrote: > > The current set of patches are rebased on current upstream is attached > > with few more tweaks needed to build, pass testsuite and make it work. > > The upstream review and insight would be helpful. > > Since these are going to bre...
2019 Apr 05
2
Call for testing: OpenSSH 8.0
On Fri, 2019-03-29 at 12:29 +0100, Jakub Jelen wrote: > On Wed, 2019-03-27 at 22:00 +1100, Damien Miller wrote: > > Hi, > > > > OpenSSH 8.0p1 is almost ready for release, so we would appreciate > > testing > > on as many platforms and systems as possible. > > > > Snapshot releases for portable Open...
2018 Jan 03
3
SSHD and PAM
...hose cases. > > Please suggest > > > > Regards, > > Ivan. > > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev -- Jakub Jelen Software Engineer Security Technologies Red Hat, Inc.
2018 Feb 26
3
Outstanding PKCS#11 issues
...of OpenSC 0.18.0 [1], which is no longer allowing the workflow OpenSSH is using. Also in the #2817, there is a resurrection of the soft-pkcs11 module in regress testsuite, which can be later extended to verify also other use cases. [1] https://github.com/OpenSC/OpenSC/pull/1256 Thanks, -- Jakub Jelen Software Engineer Security Technologies Red Hat, Inc.
2020 Jul 15
2
Deprecation of scp protocol and improving sftp client
...like this -- I would have to check). So again, comments, suggestions and feedback welcomed. I am not sure if there is some other mailing list to get more attention from other OpenBSD developers or this one is fine. Thanks, Jakub > -m > > On Tue, 16 June 2020 at 18:48, Jakub Jelen < > jjelen at redhat.com> wrote: > > Hello all, > > > > I believe we all can agree that scp is ugly protocol carried for > > ages > > only for its simplicity of its usage and really no dependencies as > > it > > is installed together with every ssh clie...
2016 Jan 19
3
How do I enable roaming on the server?
Hi. I found out the recent roaming vulnerability, but I want to enable it on the server regardless of the security concern. Can I specify the timeout etc... for the client to attempt and reconnect? Will it use the existing settings for the purpose (ConnectTimeout, ServerAliveInterval etc... )?
2017 Apr 24
2
seccomp filter for ppc64le in FIPS mode
...le kernel, it is implemented using socketcall() syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and therefore fails hard. See attached patch with proposed patch (deny is intentionally after allowing the SYS_SHUTDOWN). Can we have it fixed in OpenSSH portable? Regards, -- Jakub Jelen Software Engineer Security Technologies Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-7.4p1-sandbox-ppc64le.patch Type: text/x-patch Size: 461 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/201...