search for: timeheart

Displaying 20 results from an estimated 39 matches for "timeheart".

2013 Aug 31
11
[Bug 2147] New: OpenSSH remote forwarding of dynamic ports doesn't work when you create more than one
...han one Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: ronf at timeheart.net Created attachment 2330 --> https://bugzilla.mindrot.org/attachment.cgi?id=2330&action=edit Patch for remote forwarding of dynamic ports I recently ran across a problem with remote port forwarding in OpenSSH when trying to use dynamic ports. While it is possible to use OpenSSH to req...
2020 Jun 17
2
Duplicate value used in disconnect reason definitions
I could not find anything in the mailing list archive or bug tracker. In ssh2.h, the value (4) is re-used 148 #define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED 3 149 #define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED 4 150 #define SSH2_DISCONNECT_RESERVED 4 151 #define SSH2_DISCONNECT_MAC_ERROR 5 Is this intentional? Thanks, Noah Zalev
2015 Mar 14
6
[Bug 2366] New: ssh-keygen doesn't correctly decode new format GCM-encrypted keys
...keys Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: ssh-keygen Assignee: unassigned-bugs at mindrot.org Reporter: ronf at timeheart.net Created attachment 2567 --> https://bugzilla.mindrot.org/attachment.cgi?id=2567&action=edit Patch for sshkey.c in OpenSSH 6.7p1 I was trying out the new OpenSSH private key format and I ran into a problem when trying to work with keys encrypted in aes128-gcm and aes256-gcm format. Wh...
2020 Feb 18
2
Resident keys?
...ng "change-pin" in yubico-piv-tool, but that didn't seem to make a difference. I still got the same error after successfully changing the PIN. This is a recently purchased YubiKey 5 NFC (within the last month or so), reporting version 5.2.4 in "yubico-piv-tool -a status". -- Ron Frederick ronf at timeheart.net
2015 Jul 22
2
Keyboard Interactive Attack?
Thanks for clarification. One question though: As far as I have tested openssh, it logs every unsuccessful authentication attempt on the very moment it becomes unsuccessful, not after the connection is closed (after timeout or when reaching max auth attempts). Is this true or not even for this attack or not? Because if it is true, if there is an IDS system that bans IP after X failed logins,
2015 Jul 30
4
Feature Request: Invalid sshd port fallback
I would like to suggest adding a fallback in the event that somehow the sshd_config port number is invalid. Example: Port != (1<= or >=65535) By default fall back to port 22, and spit out an error. Same would go for if the new port is already in use, fall back to port 22 and spit out an error. Why is this a good idea? Would be a good idea because people are human and make mistakes, and you
2015 May 31
2
Call for testing: OpenSSH 6.9
On Sun, May 31, 2015 at 3:37 AM, Ron Frederick <ronf at timeheart.net> wrote: > On May 29, 2015, at 12:12 AM, Damien Miller <djm at mindrot.org> wrote: > > OpenSSH 6.9 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This release contains > > some substantial new features...
2020 May 28
5
[Bug 3171] New: Error in time conversion
...Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: minor Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org Reporter: ronf at timeheart.net While experimenting with the RekeyLimit option, I ran across a small bug in the convtime() function. When I entered a time value of '1m30s', I found that it converted this to 1860 seconds instead of the expected 90 seconds. Entering it as '30s1m' worked fine as a workaround (as...
2017 Nov 15
2
OpenSSH 7.6p1 ssh-agent exiting if passed an invalid key blob
...id in 7.5, as you have no idea where the next request message on the connection will start. It's only the case where you try to parse the data inside these values (specifically the key blob in this case) that it would be safe to call error() and still read another request. -- Ron Frederick ronf at timeheart.net
2015 Jul 30
3
Feature Request: Invalid sshd port fallback
...t would be better to let you know the port is wrong and fail to start until you fixed the problem and selected a valid non-standard port." Is there any reason something like this isn't implemented already? Could it be implemented? On Thu, Jul 30, 2015 at 2:02 PM Ron Frederick <ronf at timeheart.net> wrote: > On Jul 30, 2015, at 1:30 PM, Stop Spazzing <stopspazzing at gmail.com> wrote: > > I would like to suggest adding a fallback in the event that somehow the > sshd_config port number is invalid. > > Example: > Port != (1<= or >=65535) > > By de...
2017 Jan 17
2
Question on Kerberos (GSSAPI) auth
...creating the client context, I'm also setting the integrity flag and have an option to set the delegate_creds flag (and it works both with & without that, properly forwarding the creds when it is set), and I'm also explicitly setting the mechanism to the Kerberos OID. -- Ron Frederick ronf at timeheart.net
2020 Feb 17
2
Use of "no-touch-required" with "cert-authority"
...permit-user-rc no-touch-required I'm guessing this is not the intended behavior, and that "no-touch-required" should have been recognized as an extension without the "extension:" prefix, just like the other options such as "no-agent-forwarding". -- Ron Frederick ronf at timeheart.net
2020 Feb 18
2
Resident keys?
...it gives me, and it doesn't return an error or decrement the number of available PIN retries when I view the key's status. I'm doing these tests against OpenSSH portable HEAD on a Mac with a Yubikey 5 NFC (connected via USB). Any thoughts on what I might be doing wrong? -- Ron Frederick ronf at timeheart.net
2020 Feb 06
2
Building libsk-libfido2.so?
...on't see any way to build that as a library any more. In fact, the only implementation I can find now is the one in sk-usbhid.c which seems to be used when "--with-security-key-builtin" is set in configure. Is there any way that this support can still be built as a library? -- Ron Frederick ronf at timeheart.net
2017 Nov 14
2
OpenSSH 7.6p1 ssh-agent exiting if passed an invalid key blob
...back? I'll probably need to change my test code either way so that it doesn't break when testing against OpenSSH 7.6p1, but I think this change might be worth reverting (or reworking in some way to preserve the previous error vs. fatal distinction). Thanks for listening! -- Ron Frederick ronf at timeheart.net
2015 Jun 02
3
[Bug 2407] New: OpenSSH uses deprecated APIs on MacOS
...Product: Portable OpenSSH Version: -current Hardware: All OS: Mac OS X Status: NEW Severity: normal Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org Reporter: ronf at timeheart.net Created attachment 2642 --> https://bugzilla.mindrot.org/attachment.cgi?id=2642&action=edit Log of running "make tests" When compiling and running unit tests on the latest OpenSSH 6.9p1 snapshot from 05/31, I saw a number of compiler warnings output related to the use of de...
2017 Jan 16
2
Question on Kerberos (GSSAPI) auth
...L, send_tok, flags, NULL); I don't see anything in the RFC 4462 errata about this recommendation having changed. Does anyone know why OpenSSH enables this? It makes sense for GSSAPI key exchange (which OpenSSH doesn't seem to implement), but not for GSSAPI authentication. -- Ron Frederick ronf at timeheart.net
2019 Dec 07
2
Another U2F documentation issue
...when importing non-SK keys seems to cause the add operation to fail. That's easy enough to prevent in the client code, but the code would be simpler if it was always safe to add the extension (when a middleware path was available) regardless of the type of key being added. -- Ron Frederick ronf at timeheart.net
2019 Dec 07
2
Agent protocol changes related to U2F/FIDO2 keys
...te key encoding: string "sk-ssh-ed25519 at openssh.com" string public key string application (user-specified, but typically "ssh:") uint32 flags string key_handle string reserved This should be a uint8 for the flags, matching the ECDSA case. -- Ron Frederick ronf at timeheart.net
2014 Aug 25
1
Cipher Order in sshd_config
...AES256. It also still prefers MD5 over everything else for hashing, and SHA1 over SHA2. While it still makes sense to support MD5 for backward compatibility (and indeed the SSH RFC requires it), I'm not sure it still makes sense to prefer either it or SHA1 at this point. -- Ron Frederick ronf at timeheart.net