search for: myproposals

Hello OpenSSH developers, openssh 4.2p1 breaks old openssh clients up to 3.4p1 when they try to use compression: # ssh-3.4p1 -C remote-host-with-4.2p1 pwd no matching comp found: client zlib server none,zlib at openssh.com option "-vv" shows ... debug2: kex_parse_kexinit: zlib ... debug2: kex_parse_kexinit: none,zlib at openssh.com ... debug2: mac_init: found hmac-md5 no

...cs = NULL; + options->pkalgorithms = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->num_identity_files = 0; options->hostname = NULL; *************** *** 797,802 **** --- 809,815 ---- options->cipher = SSH_CIPHER_NOT_SET; /* options->ciphers, default set in myproposals.h */ /* options->macs, default set in myproposals.h */ + /* options->pkalgorithms, default set in myproposals.h */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2|SSH_PROTO_1_PREFERRED; if (options->num_identity_files == 0) { ***...

https://bugzilla.mindrot.org/show_bug.cgi?id=2527 Bug ID: 2527 Summary: default algorithms mismatch between man pages and myproposal.h Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: Documentation

this (uncomplete) patch makes various features compile time options and saves up to 24K in the resulting ssh/sshd binaries. i don't know whether this should be added to the CVS since it makes the code less readable. perhaps WITH_COMPRESSION should be added, since it removes the dependency on libz -m Index: Makefile.inc =================================================================== RCS

Hi, So I screwed up when writing the support for the curve25519 KEX method that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left leading zero bytes where they should have been skipped. The impact of this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a peer that implements curve25519-sha256 at libssh.org properly about 0.2% of the time (one in every 512ish

The attached patches fixes and cleans up the build when configured with --without-openssl. Summary: * Fix KEX_SERVER_ENCRYPT macro in myproposal.h * Fix unresolved symbols in ssh-keygen.c * Isolate openssl code and extend WITH_OPENSSL wrappers around it * Make ed25519 default key type in ssh-keygen when configured --without-openssl -------------- next part -------------- A non-text attachment was

On 2020-02-05 at 20:39 -0500, Phil Pennock wrote: > On 2020-02-06 at 10:29 +1100, Damien Miller wrote: > > OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This is a feature release. > > > * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These > This actually affects me:

Hi there, I noticed that hmac-ripemd160 and hmac-ripemd160 at openssh.com are not listed in the OpenSSH protocols file, yet they are listed in myproposal.h. I was wondering whether this is intentional, if yes, what the rationale behind this is? Thanks, Max

From: Sebastian Andrzej Siewior <sebastian at breakpoint.cc> The "zstd at breakpoint.cc" compression algorithm enables ZSTD based compression as defined in RFC8478. The compression is delayed until the server sends the SSH_MSG_USERAUTH_SUCCESS which is the same time as with the "zlib at openssh.com" method. Signed-off-by: Sebastian Andrzej Siewior <sebastian at

Hello everyone.. I am fairly new to the patching format.. so I just decided to post a basic info about how to remove group1 and group14 diffie key exchange in OpenSSH. I know that they are listed as required in RFC 4253 but I don't want a client to have the choice to use a 1024 bit prime for the key exchange. If someone is getting into my system.. they should upgrade to a new client. I am a

https://bugzilla.mindrot.org/show_bug.cgi?id=2466 Bug ID: 2466 Summary: Cipher defines from opensslconf.h Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: Linux Status: NEW Severity: minor Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org

Here is a quick patch against openssh-2.5.1p1 to add a new config option (pkalg) for the ssh client allowing the selection of which public keys are obtained/verified. --cut-here- diff -c3 -r orig/openssh-2.5.1p1/key.c openssh-2.5.1p1/key.c *** orig/openssh-2.5.1p1/key.c Mon Feb 5 18:16:28 2001 --- openssh-2.5.1p1/key.c Sun Mar 11 23:10:10 2001 *************** *** 534,539 **** --- 534,567 ----

I added ZSTD support to OpenSSH roughly three years ago and I've been playing with it ever since. The nice part is that ZSTD achieves reasonable compression (like zlib) but consumes little CPU so it is unlikely that compression becomes the bottle neck of a transfer. The compression overhead (CPU) is negligible even when uncompressed data is tunneled over the SSH connection (SOCKS proxy, port

has anyone noticed a performance gain with protocol 2? -David Higdon

Dear all, I am currently implementing an experimental key exchange (KEX) algorithm. Unlike current algorithms like DH, mine needs to be able to fail gracefully, and in case of failure, continue with whatever algorithm would have been negotiated if mine was not selected. My strategy for graceful failure is to remove my KEX algorithm from myproposal[KEX_DEFAULT_KEX] and to initiate a new key

Hello, well it''s | Rev: || 11096:745a39c852ab tip 11094:e34042dabbd8 | Auth: dtucker | Date: Tue, 11 Jun 2013 02:10:02 +0000 - (dtucker) [myproposal.h] Make the conditional algorithm support consistent and add some comments so it''s clear what goes where. Note it was still advertised in the 6.3 release notes. Has it been replaced by a git(1) repository? :-))

https://bugzilla.mindrot.org/show_bug.cgi?id=1582 Summary: memory leak in do_ssh2_kex() routine (sshd.c) Product: Portable OpenSSH Version: 5.2p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy:

I ask because the removal of diffie-hellman-group-exchange-sha1 happened accidently in 7.8 due to a mistake in a change to readconf.c. I noticed this and filed a bug about it along with a patch to fix readconf.c to use KEX_CLIENT_* like it used to: https://github.com/openssh/openssh-portable/commit/1b9dd4aa https://bugzilla.mindrot.org/show_bug.cgi?id=2967 Its clear the removal was unintentional

https://bugzilla.mindrot.org/show_bug.cgi?id=2388 Bug ID: 2388 Summary: build fixups for --without-openssl Product: Portable OpenSSH Version: 6.8p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: Build system Assignee: unassigned-bugs at

I hacked zstd support into OpenSSH a while ago and just started to clean it up in the recent days. The cleanup includes configuration support among other things that I did not have. During testing I noticed the following differences compared to zlib: - highly interactive shell output (as in refreshed at a _very_ high rate) may result in higher bandwidth compared to zlib. Since zstd is quicker