search for: persourcepenalty

https://bugzilla.mindrot.org/show_bug.cgi?id=3705 Bug ID: 3705 Summary: Disk space exhaustion from PerSourcePenalties logging Product: Portable OpenSSH Version: -current Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee:

Dear colleagues, Can we somehow improve the UX related to a relatively freshly introduced PerSourcePenalties option? A popular pattern implies installation of the users' keys to a freshly installed machine using ssh-copy-id script. The default settings don't allow this command to work normally and causes login failures. A reasonable workaround could be adding some threshold for a number

On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote: > Dear colleagues, > > Can we somehow improve the UX related to a relatively freshly > introduced PerSourcePenalties option? > > A popular pattern implies installation of the users' keys to a freshly > installed machine using ssh-copy-id script. The default settings don't > allow this command to work normally and

https://bugzilla.mindrot.org/show_bug.cgi?id=3766 Bug ID: 3766 Summary: openssh PerSourcePenalties and pam_nologin interaction Product: Portable OpenSSH Version: 9.8p1 Hardware: ARM64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: PAM support Assignee:

Damien Miller <djm at mindrot.org> writes: > On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote: > >> Dear colleagues, >> >> Can we somehow improve the UX related to a relatively freshly >> introduced PerSourcePenalties option? >> >> A popular pattern implies installation of the users' keys to a freshly >> installed machine using ssh-copy-id

Hi, A few people have requested rate-limiting for PerSourcePenalties logging. These patches add it. Please give them a try if you're interested in this feature. -d -------------- next part --------------

On Wed, 2024-06-19 at 16:11 -0400, Joseph S. Testa II wrote: > I suppose in the next few days, I'll try reproducing my original > steps > with the new version and see what happens. I managed to do some limited testing with a local VM, and the results are... interesting. I installed openssh-SNAP-20240626.tar.gz on a fresh and fully-updated Ubuntu Linux 24.04 LTS VM with 1 vCPU.

https://bugzilla.mindrot.org/show_bug.cgi?id=3771 Bug ID: 3771 Summary: Will future versions of openssh provide DDoS attack defense for the DH algorithm?:CVE-2024-41996 Product: Portable OpenSSH Version: 9.9p1 Hardware: Other OS: All Status: NEW Severity: enhancement

...n: https://man.openbsd.org/sshd_config.5#PerSourcePenalties > overflow:mode > Controls how the server behaves when max-sources4 or max-sources6 > is exceeded. There are two operating modes: deny-all, which > denies all incoming connections other than those exempted via > PerSourcePenaltyExemptList until a penalty expires, and permissive, > which allows new connections by removing existing penalties early > (default: permissive). Note that client penalties below the min > threshold count against the total number of tracked penalties. IPv4 > and IPv6 addresses...

In the upcoming v9.8 release notes I see "the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server." Has this new PerSourcePenalties config directive been tested against the DHEat attack? - Joe On Thu, 2024-04-25 at 18:09 -0400, Joseph S. Testa II wrote: > A few days ago, I

I'd like to withdraw the last set of metrics I reported. I couldn't reproduce some of them, and I suspect I made a mistake during testing. Being more careful this time, I set up another fully updated Ubuntu 24.04 VM with 4 vCPUs running openssh-SNAP-20240628.tar.gz with all defaults unchanged. When running using "ssh-audit.py --conn-rate-test=16 target_host", the system idle

https://bugzilla.mindrot.org/show_bug.cgi?id=3709 Bug ID: 3709 Summary: PerSourceMaxStartups no longer works as advertised Product: Portable OpenSSH Version: 9.8p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at

On Tue, 18 Jun 2024, Joseph S. Testa II wrote: > In the upcoming v9.8 release notes I see "the server will now block > client addresses that repeatedly fail authentication, repeatedly > connect without ever completing authentication or that crash the > server." Has this new PerSourcePenalties config directive been tested > against the DHEat attack? Not explicitly but

On Wed, 2024-06-19 at 09:19 -0400, chris wrote: > real world example (current snapshot of portable on linux v. dheater) Thanks for this. However, much more extensive testing would be needed to show it is a complete solution. In my original research article, I used CPU idle time as the main metric. Also, I showed that very low- latency network links could bypass the existing countermeasures.

...prising. This change will not prevent > scp/sftp from using an existing multiplexing session if one had > already been created. GHPR557 > > * sftp(1), ssh(1): fix a number possible NULL dereference bugs, > including Coverity CIDs 405019 and 477813. > > * sshd(8): fix PerSourcePenalty incorrectly using "crash" penalty > when LoginGraceTime was exceeded. bz3797 > > * sshd(8): fix "Match invalid-user" from incorrectly being > activated in initial configuration pass when no other predicates > were present on the match line > > * s...

...on, which some users found surprising. This change will not prevent scp/sftp from using an existing multiplexing session if one had already been created. GHPR557 * sftp(1), ssh(1): fix a number possible NULL dereference bugs, including Coverity CIDs 405019 and 477813. * sshd(8): fix PerSourcePenalty incorrectly using "crash" penalty when LoginGraceTime was exceeded. bz3797 * sshd(8): fix "Match invalid-user" from incorrectly being activated in initial configuration pass when no other predicates were present on the match line * sshd(8): fix debug logging of user...

On 6/19/24 4:11 PM, Joseph S. Testa II wrote: > On Wed, 2024-06-19 at 09:19 -0400, chris wrote: >> real world example (current snapshot of portable on linux v. dheater) > > Thanks for this. However, much more extensive testing would be needed > to show it is a complete solution. In my original research article, I > used CPU idle time as the main metric. Also, I showed that

https://bugzilla.mindrot.org/show_bug.cgi?id=3711 Bug ID: 3711 Summary: How do you defend against the D (HE) ater attack? Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: security Priority: P5 Component: sshd Assignee: unassigned-bugs at

OpenSSH 9.9p2 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested

OpenSSH 9.9p2 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested