search for: ronf

Displaying 20 results from an estimated 46 matches for "ronf".

2025 Apr 04
1
Support for transferring sparse files via scp/sftp correctly?
On Apr 3, 2025, at 6:02 PM, Darren Tucker <dtucker at dtucker.net> wrote: > On Sat, 29 Mar 2025 at 16:14, Ron Frederick <ronf at timeheart.net> wrote: >> [...] >> If you don't get all of the requested ranges in a single request, additional requests can be sent starting at just past the end of the last range previously returned. >> >> What do you think? >...
2025 Apr 04
2
Support for transferring sparse files via scp/sftp correctly?
On Fri, 4 Apr 2025 at 07:07, Ron Frederick <ronf at timeheart.net> wrote: > > On Apr 3, 2025, at 6:02 PM, Darren Tucker <dtucker at dtucker.net> wrote: > > On Sat, 29 Mar 2025 at 16:14, Ron Frederick <ronf at timeheart.net> wrote: > >> [...] > >> If you don't get al...
2013 Aug 31
11
[Bug 2147] New: OpenSSH remote forwarding of dynamic ports doesn't work when you create more than one
...e more than one Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: ronf at timeheart.net Created attachment 2330 --> https://bugzilla.mindrot.org/attachment.cgi?id=2330&action=edit Patch for remote forwarding of dynamic ports I recently ran across a problem with remote port forwarding in OpenSSH when trying to use dynamic ports. While it is possible to use O...
2020 Jun 17
2
Duplicate value used in disconnect reason definitions
I could not find anything in the mailing list archive or bug tracker. In ssh2.h, the value (4) is re-used 148 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 149 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 150 #define SSH2_DISCONNECT_RESERVED 4 151 #define SSH2_DISCONNECT_MAC_ERROR 5 Is this intentional? Thanks, Noah Zalev
2025 Mar 29
1
Support for transferring sparse files via scp/sftp correctly?
...n return multiple ranges, but on files with a large number of ranges you may need to call this new method multiple times to get the complete list. This allows for the copying to be interleaved with the range requests. The extension looks like the following: uint32 id -- Ron Frederick ronf at timeheart.net
2015 Mar 14
6
[Bug 2366] New: ssh-keygen doesn't correctly decode new format GCM-encrypted keys
...crypted keys Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: ronf at timeheart.net Created attachment 2567 --> https://bugzilla.mindrot.org/attachment.cgi?id=2567&action=edit Patch for sshkey.c in OpenSSH 6.7p1 I was trying out the new OpenSSH private key format and I ran into a problem when trying to work with keys encrypted in aes128-gcm and aes256-g...
2025 Apr 05
1
Support for transferring sparse files via scp/sftp correctly?
On Sat, 5 Apr 2025 at 09:07, Lionel Cons <lionelcons1972 at gmail.com> wrote: > On Fri, 4 Apr 2025 at 07:07, Ron Frederick <ronf at timeheart.net> wrote: > > > > On Apr 3, 2025, at 6:02 PM, Darren Tucker <dtucker at dtucker.net> wrote: > [...] > > > Damien pointed out that it's possible to do a reasonable but not > perfect sparse file support by memcmp'ing your existing file buffer...
2017 Jan 16
2
Question on Kerberos (GSSAPI) auth
...n not set this flag and just send a GSSAPI_TOKEN message immediately followed by a GSSAPI_MIC message without waiting for a server token (since the authentication is complete as soon as the client token is sent when mutual auth is disabled), I get a failure from OpenSSH: Failed gssapi-with-mic for ronf from 74.93.13.193 port 64645 ssh2 If I turn on mutual authentication in my client context (going against the recommendation in the RFC) and wait for a token to come back from the server before I send the GSSAPI_MIC message, the authentication succeeds. Looking at the OpenSSH source code, I see th...
2020 Feb 18
2
Resident keys?
...ried using "change-pin" in yubico-piv-tool, but that didn't seem to make a difference. I still got the same error after successfully changing the PIN. This is a recently purchased YubiKey 5 NFC (within the last month or so), reporting version 5.2.4 in "yubico-piv-tool -a status". -- Ron Frederick ronf at timeheart.net
2015 Jul 22
2
Keyboard Interactive Attack?
Thanks for clarification. One question though: As far as I have tested openssh, it logs every unsuccessful authentication attempt on the very moment it becomes unsuccessful, not after the connection is closed (after timeout or when reaching max auth attempts). Is this true or not even for this attack or not? Because if it is true, if there is an IDS system that bans IP after X failed logins,
2015 Jul 30
4
Feature Request: Invalid sshd port fallback
I would like to suggest adding a fallback in the event that somehow the sshd_config port number is invalid. Example: Port != (1<= or >=65535) By default fall back to port 22, and spit out an error. Same would go for if the new port is already in use, fall back to port 22 and spit out an error. Why is this a good idea? Would be a good idea because people are human and make mistakes, and you
2015 May 31
2
Call for testing: OpenSSH 6.9
On Sun, May 31, 2015 at 3:37 AM, Ron Frederick <ronf at timeheart.net> wrote: > On May 29, 2015, at 12:12 AM, Damien Miller <djm at mindrot.org> wrote: > > OpenSSH 6.9 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This release contains > > some substantial...
2020 May 28
5
[Bug 3171] New: Error in time conversion
...version Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: minor Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org Reporter: ronf at timeheart.net While experimenting with the RekeyLimit option, I ran across a small bug in the convtime() function. When I entered a time value of '1m30s', I found that it converted this to 1860 seconds instead of the expected 90 seconds. Entering it as '30s1m' worked fine as a w...
2017 Nov 15
2
OpenSSH 7.6p1 ssh-agent exiting if passed an invalid key blob
...as it did in 7.5, as you have no idea where the next request message on the connection will start. It's only the case where you try to parse the data inside these values (specifically the key blob in this case) that it would be safe to call error() and still read another request. -- Ron Frederick ronf at timeheart.net
2015 Jul 30
3
Feature Request: Invalid sshd port fallback
..."It would be better to let you know the port is wrong and fail to start until you fixed the problem and selected a valid non-standard port." Is there any reason something like this isn't implemented already? Could it be implemented? On Thu, Jul 30, 2015 at 2:02 PM Ron Frederick <ronf at timeheart.net> wrote: > On Jul 30, 2015, at 1:30 PM, Stop Spazzing <stopspazzing at gmail.com> wrote: > > I would like to suggest adding a fallback in the event that somehow the > sshd_config port number is invalid. > > Example: > Port != (1<= or >=65535) >...
2017 Jan 17
2
Question on Kerberos (GSSAPI) auth
...s. When creating the client context, I'm also setting the integrity flag and have an option to set the delegate_creds flag (and it works both with & without that, properly forwarding the creds when it is set), and I'm also explicitly setting the mechanism to the Kerberos OID. -- Ron Frederick ronf at timeheart.net
2020 Feb 17
2
Use of "no-touch-required" with "cert-authority"
...ty permit-user-rc no-touch-required I'm guessing this is not the intended behavior, and that "no-touch-required" should have been recognized as an extension without the "extension:" prefix, just like the other options such as "no-agent-forwarding". -- Ron Frederick ronf at timeheart.net
2020 Feb 18
2
Resident keys?
...N prompt it gives me, and it doesn't return an error or decrement the number of available PIN retries when I view the key's status. I'm doing these tests against OpenSSH portable HEAD on a Mac with a Yubikey 5 NFC (connected via USB). Any thoughts on what I might be doing wrong? -- Ron Frederick ronf at timeheart.net
2020 Feb 06
2
Building libsk-libfido2.so?
...but I don't see any way to build that as a library any more. In fact, the only implementation I can find now is the one in sk-usbhid.c which seems to be used when "--with-security-key-builtin" is set in configure. Is there any way that this support can still be built as a library? -- Ron Frederick ronf at timeheart.net
2024 Nov 23
1
[PATCH] sshsig: check hashalg before selecting the RSA signature algorithm
...lg = "rsa-sha2-256"; >> + else if (strcmp(hashalg, "sha512") == 0) >> + sign_alg = "rsa-sha2-512"; >> + } >> >> if (signer != NULL) { >> if ((r = signer(key, &sig, &slen, >> -- >> 2.44.0 -- Ron Frederick ronf at timeheart.net
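Review bot: the quoted chain ends at the `strcmp(hashalg, "sha512") == 0` branch with no trailing `else`, so a hashalg that is neither of the values tested leaves `sign_alg` at whatever it held before this block and still reaches the `signer(key, &sig, &slen,` call. If that earlier value is not meant to be the fallback for RSA keys, add an explicit `else` that rejects the unrecognised hashalg with an error, and either way a short comment stating the intended default would make the behaviour clear to the next reader.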