search for: jtesta

Displaying 20 results from an estimated 26 matches for "jtesta".

2024 Jun 26
2
CISA et al: "Exploring Memory Safety in Critical Open Source Projects"
Has anyone done any initial research into how much effort it would take to port OpenSSH to Rust? If not, I might find that interesting to start. (Mind you, this would be just to get a handle on the project, not do the full porting work--unless it somehow turns out to be very easy.) - Joe -- Joseph S. Testa II Founder & Principal Security Consultant Positron Security
2018 Nov 03
7
Log ssh sessions using open source tools
Hi, Are there any open source tools to keep track of ssh sessions? For example, if a specific user is ssh logging to remote server and what commands or scripts are being run. Basically, I need to log all users sessions. Thanks in Advance and I look forward to hearing from you. Best Regards, Kaushal
2024 Jan 25
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
Hi Kaushal, I maintain a set of SSH hardening guides for various platforms, including RHEL 8. You can find them here: https://ssh-audit.com/hardening_guides.html - Joe -- Joseph S. Testa II Founder & Principal Security Consultant Positron Security On Thu, 2024-01-25 at 18:39 +0530, Kaushal Shriyan wrote: > Hi, > > I am running the below servers on Red Hat Enterprise
2017 Sep 22
6
DH Group Exchange Fallback
On 09/22/2017 03:22 PM, Daniel Kahn Gillmor wrote: > On Thu 2017-09-21 18:12:44 -0400, Joseph S Testa II wrote: >> I gotta say... having a fallback mechanism here seems pretty >> strange. The entire point of the group exchange is to use a dynamic >> group and not a static one. > > fwiw, i think dynamic groups for DHE key exchange is intrinsically > problematic
2024 Jun 26
1
CISA et al: "Exploring Memory Safety in Critical Open Source Projects"
i'm not sure if anything has changed since https://marc.info/?l=openbsd-misc&m=151233345723889&w=2 On Wed, Jun 26, 2024 at 9:32 AM Joseph S. Testa II <jtesta at positronsecurity.com> wrote: > > Has anyone done any initial research into how much effort it would take > to port OpenSSH to Rust? If not, I might find that interesting to > start. (Mind you, this would be just to get a handle on the project, > not do the full porting work--...
2024 Jul 03
0
[Bug 3705] New: Disk space exhaustion from PerSourcePenalties logging
...ies logging Product: Portable OpenSSH Version: -current Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: jtesta at positronsecurity.com As mentioned in https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-June/041416.html, the logging related to PerSourcePenalties (https://github.com/openssh/openssh-portable/blob/V_9_8/sshd.c#L606) was observed to output 73MB per minute when a very high rate of connect...
2024 Oct 06
1
Wrong version for ext-info-s in https://www.openssh.com/specs.html
...art of implementing the ext-info-in-auth at openssh.com extension (https://anongit.mindrot.org/openssh.git/commit/?id=a7ed931caeb68947d30af8a795f4108b6efad761). Could this web page be corrected in some way? (This rabbit-hole brought to you by https://bugs.debian.org/1082730 and https://github.com/jtesta/ssh-audit/issues/291.) Thanks, -- Colin Watson (he/him) [cjwatson at debian.org]
2017 Sep 23
2
DH Group Exchange Fallback
On 09/22/2017 06:55 PM, Tim Broberg wrote: > Do I understand correctly, that you find the security of group 14 unacceptable and yet you left it enabled? In the end, I'm trying to ensure a minimum equivalent of 128-bits of security. Group14 is 2048-bits, which roughly translates to 112-bits. [1] To this end, I disabled the "diffie-hellman-group14-sha1" and
2019 Nov 02
2
U2F support in OpenSSH HEAD
...her than P-256 in the wild. Yubico's U2F only keys for example are currently listed on their site as only having P-256 support. I imagine multi-purpose keys might have more expansive support though. RS256 also appears to be marked as deprecated. On Sat, Nov 2, 2019 at 7:54 PM Joseph S. Testa II <jtesta at positronsecurity.com> wrote: > > On 11/1/19 4:36 AM, Damien Miller wrote: > > new key type "sk-ecdsa-sha2-nistp256 at openssh.com" > > Was ECDSA with NIST P-256 strictly necessary, or would Ed25519 be > possible as well? > > Thanks, > - Joe >...
2008 Jun 23
2
sshd key comment logging
Hi, I admin a box that has Subversion users authenticate with public keys to a restricted 'svnuser' account. The comment field of all the keys describe who they belong to (it has their usernames), but unfortunately, sshd does not log this when a user successfully authenticates: Jun 21 08:18:22 localhost sshd[23636]: Accepted publickey for svnuser from x.x.x.x port 2065 ssh2 Jun
2017 Sep 24
3
DH Group Exchange Fallback
On 09/24/2017 12:21 AM, Mark D. Baushke wrote: > I suggest you upgrade to a more recent edition of the OpenSSH software. > The most recent release is OpenSSH 7.5 and OpenSSH 7.6 will be released > very soon. This problem is in v7.5 and v7.6. See dh.c:436. > OpenSSH 6.6 was first released on October 6, 2014. I brought up v6.6 to give an example that older clients wouldn't be
2019 Nov 01
10
U2F support in OpenSSH HEAD
Hi, As of this morning, OpenSSH now has experimental U2F/FIDO support, with U2F being added as a new key type "sk-ecdsa-sha2-nistp256 at openssh.com" or "ecdsa-sk" for short (the "sk" stands for "security key"). If you're not familiar with U2F, this is an open standard for making inexpensive hardware security tokens. These are easily the cheapest way
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
In the upcoming v9.8 release notes I see "the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server." Has this new PerSourcePenalties config directive been tested against the DHEat attack? - Joe On Thu, 2024-04-25 at 18:09 -0400, Joseph S. Testa II wrote: > A few days ago, I
2024 Jun 26
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-26 at 02:58 +0200, Thorsten Glaser wrote: > On Tue, 25 Jun 2024, Joseph S. Testa II wrote: > > > the way down to 6%! Additionally, I noticed that the systemd- > > journal > > You should test without that thing as well. It's reportedly a > known bottleneck (someone on, I think, IRC said that regarding > a different problem some days ago,
2024 Jun 26
2
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-26 at 04:32 +0200, Thorsten Glaser wrote: > If they get under attack, they'd better do. And if you're ignoring > a known bottleneck, the results will probably not be very useful… > besides, not everyone is systemd-infested. The primary responsibility falls on system designers to choose reasonable default settings.
2024 Jun 27
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
I'd like to withdraw the last set of metrics I reported. I couldn't reproduce some of them, and I suspect I made a mistake during testing. Being more careful this time, I set up another fully updated Ubuntu 24.04 VM with 4 vCPUs running openssh-SNAP-20240628.tar.gz with all defaults unchanged. When running using "ssh-audit.py --conn-rate-test=16 target_host", the system idle
2020 Jul 03
2
X448 Key Exchange (RFC 8731)
Hi all, Back in September 2018, I started a thread about implementing the X448 key exchange (see https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-September/037183.html). In February 2020, RFC 8731 (formally specifying X448 in SSH) has been finalized: https://www.ietf.org/rfc/rfc8731.txt. I thought I'd start this conversation up again to see if the interest level has
2024 Jun 19
2
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-19 at 09:19 -0400, chris wrote: > real world example (current snapshot of portable on linux v. dheater) Thanks for this. However, much more extensive testing would be needed to show it is a complete solution. In my original research article, I used CPU idle time as the main metric. Also, I showed that very low-latency network links could bypass the existing countermeasures.
2024 Apr 25
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
A few days ago, I published an article analyzing the susceptibility of the DHEat denial-of-service vulnerability against default OpenSSH settings in cloud environments. I thought those on this list might be interested: https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-against-ssh-in-cloud-environments/ A short summary: the default MaxStartup setting is fully ineffective
2023 Sep 04
2
[patch] ssh-keygen(1): generate Ed25519 keys when invoked without arguments
What I'm hearing in this thread is: "a minority of people on planet Earth have a problem with the open-source implementation of ED25519, but instead of letting that minority choose to re-implement it when/if they want to, the rest of the community needs to stall their progress in improving security." And isn't the ED25519 code already there on their machine? So isn't