Displaying 19 results from an estimated 19 matches for "mancha1".
2014 Apr 07
4
[Bug 2223] New: Ed25519 support in SSHFP DNS resource records
...rce records
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: mancha1 at zoho.com
Created attachment 2420
--> https://bugzilla.mindrot.org/attachment.cgi?id=2420&action=edit
Patch to add Ed25519 support in SSHFP RRs
Attached patch adds support for Ed25519 keys (introduced in OpenSSH
6.5) for use in SSHFP DNS resource records.
Though not yet allocated by I...
2014 Apr 04
6
[Bug 2220] New: Add uuid-style identifier for use with ControlPath
...ControlPath
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: mancha1 at zoho.com
Created attachment 2418
--> https://bugzilla.mindrot.org/attachment.cgi?id=2418&action=edit
Enhancement patch
When combining %h, %r, and %p (recommended for uniqueness) in ControlPath,
long remote usernames and/or hostnames can cause the expansion to bump up
against UNIX_PATH...
2014 Jan 18
9
[Bug 2197] New: Add ED25519 support to SSHFP dns record
https://bugzilla.mindrot.org/show_bug.cgi?id=2197
Bug ID: 2197
Summary: Add ED25519 support to SSHFP dns record
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at
2014 Apr 07
1
Ed25519 keys in SSHFP RRs
Hello.
Subramanian Moonesamy has gotten the ball rolling to include Ed25519 in
IANA's registry for SSHFP key types [1].
I've opened a bug report [2] that includes a patch that adds the needed
support code and provisionally assigns Ed25519 a value of 4 (values
1, 2, 3 reserved for RSA, DSA, and ECDSA, respectively) [3].
The enhancement request/bug is meant to keep the issue on the radar.
2014 Mar 06
2
[RFC] Add hash token to ControlPath
Hi.
Last night on an irc openssh channel, a user brought up a use
case involving cluster trees and very descriptive (i.e. long)
hierarchical hostnames.
To make a long story short, his ControlPath
(~/.ssh/control-master/%r@%h:%p) was bumping up against UNIX_PATH_MAX.
Attached patch adds a new percent-token (%H) that expands to the
sha1 digest of the concatenation of host (%h) + port (%p) +
2014 Apr 23
3
hackers celebrate this day: openssh drops security! was: Re: heads up: tcpwrappers support going away
On 23 April 2014 21:43, mancha <mancha1 at zoho.com> wrote:
> On Wed, Apr 23, 2014 at 12:26:58PM -0700, Iain Morgan wrote:
>> A slightly better solution would be a PAM module that uses the same
>> syntax as libwrap. Possibly someone has already written such a module.
>
> Possibly, but only for platforms which use...
2015 Jul 22
2
Keyboard Interactive Attack?
...true or not even for this attack or not?
Because if it is true, if there is an IDS system that bans IP after X
failed logins, there should not be any problem. But if logging is
deferred for any reason, then IDS can not detect the attack in a timely
manner.
b.
On 23 July 2015 at 01:03, mancha <mancha1 at zoho.com> wrote:
> On Wed, Jul 22, 2015 at 07:41:54PM +0000, Scott Neugroschl wrote:
>> I read an article today about keyboard interactive auth allowing
>> bruteforcing.
>>
>> I'm afraid I have minimal understanding of what keyboard-interactive
>> really d...
2015 Jul 22
7
Keyboard Interactive Attack?
I read an article today about keyboard interactive auth allowing bruteforcing.
I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2015 May 27
4
[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
On Wed, May 27, 2015 at 05:08:25PM -0400, Daniel Kahn Gillmor wrote:
> On Tue 2015-05-26 15:39:49 -0400, Mark D. Baushke wrote:
> > Hi Folks,
> >
> > The generator value of 5 does not lead to a q-ordered subgroup which
> > is needed to pass tests in
> >
> > http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf
>
> I
2014 Nov 10
7
[Bug 2311] New: simple attack when control channel muxing is used
https://bugzilla.mindrot.org/show_bug.cgi?id=2311
Bug ID: 2311
Summary: simple attack when control channel muxing is used
Product: Portable OpenSSH
Version: 6.7p1
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: P3
Component: ssh
Assignee: unassigned-bugs at
2015 May 26
8
Weak DH primes and openssh
On Tue 2015-05-26 14:02:07 -0400, Hubert Kario wrote:
> On Tuesday 26 May 2015 13:43:13 Daniel Kahn Gillmor wrote:
>> On Tue 2015-05-26 12:57:05 -0400, Hubert Kario wrote:
>> > creating composites that will pass even 100000 rounds of Miller-Rabin is
>> > relatively simple....
>> > (assuming the values for M-R tests are picked randomly)
>>
>> Can you
2014 Jan 30
0
CVE-2014-1692
<no_spam_98 <at> yahoo.com> writes:
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692
>
> The NIST advisory says that all versions of OpenSSH potentially contain
> the flaw.  But is that really true?  For example, I looked at the
> 3.8.1p1 distribution and didn't find any reference to JPAKE at all.
Hi. The NVD advisory is inaccurate. JPAKE
2014 Mar 01
1
FYI: Flush+Reload attack on OpenSSL's ECDSA
Here's a recently-published paper that describes a flush & reload
attack on OpenSSL's ECDSA implementation:
http://eprint.iacr.org/2014/140.pdf
According to the authors, snooping a single signing round is
sufficient to recover the secret key.
--mancha
2014 Mar 19
1
OpenSSH 6.6 (env vars)
Hello.
For the purposes of backporting, can you please confirm the relevant
change for the environment variable security fix in 6.6 is:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.270;r2=1.271
FYI, not sure if the request originated with OpenBSD/OpenSSH but this
has been assigned CVE-2014-2532.
Thanks.
--mancha
2014 Mar 21
1
windigo post-mortem
ESET recently published an interesting post-mortem of the so-called
"Operation Windigo" malware campaign [1].
OpenSSH backdoors (codename Linux/Ebury), described by ESET last month
[2], are a key component of Windigo's attack surface.
--mancha
[1] http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
[2]
2014 Mar 26
1
SSHFP issue
Have you seen this?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513
--mancha
2014 Mar 31
0
CTR mode
On Mon, Mar 31, 2014 at 08:40:26AM -0700, no_spam_98 at yahoo.com wrote:
> OpenSSH uses its own CTR mode implementation, correct?  I seem to
> recall some discussion about why it hasn't/won't switch over to using
> OpenSSL's implementation, but I can't find the thread anymore.
>
> So... why doesn't OpenSSH use OpenSSL's CTR mode implementation?
I believe as
2014 Apr 07
0
OpenSSL vulnerability
Hello.
FYI a very serious OpenSSL flaw was made public today. It has implications
for existing OpenSSL key material though no direct impact on OpenSSH.
For those interested, here's a good description: http://heartbleed.com/
--mancha
2014 May 05
1
Fwd: [oss-security] *Possible* ssh vulnerability
FYI
----- Forwarded message from RbN <r.b.n at riseup.net> -----
> Date: Mon, 05 May 2014 19:40:02 +0200
> From: RbN <r.b.n at riseup.net>
> To: oss-security at lists.openwall.com
> Subject: [oss-security] *Possible* ssh vulnerability
> User-Agent: mutt (compatible Hurd 3.11/Windows 0.5)
>
> Looks like a fake, but I prefer to post it here anyway:
>