similar to: SSH1 security with Kerb5

please test Olaf Kirch's patch. it looks fine to me, but i don't to K5. i'd like to see this in the next release. thx -m -------------- next part -------------- --- openssh-3.4p1/auth-krb5.c.krb Sun Jun 9 21:41:48 2002 +++ openssh-3.4p1/auth-krb5.c Tue Jul 23 15:15:43 2002 @@ -73,18 +73,17 @@ * from the ticket */ int -auth_krb5(Authctxt *authctxt, krb5_data *auth, char

Hey, I just subscribed to this list, so apologies in advance if this has been asked already (although I haven't found mention in the archives after a cursory search). I notice that there's no Kerb5 support in 2.3.0p1. Is anyone working on getting support in there for v1 and v2 connections, or is this something I'm going to have to do myself? Also, I've just

I see that commercial SSH version it is possible to run sshd in SSH1 using DES (i.e, accepting SSH-DES clients). I understand from Damien Miller that Cisco routers also run in only SSH1 DES mode. Is it possible in openSSH to configure sshd (compile-time/runtime) to run sshd in SSH1 or SSH2 mode and accept SSH1 or SSH2 DES clients ? [I would like to be able to run sshd in SSH1/DES mode ] Is

Hi, OpenSSH git master now disabled SSH protocol 1 at compile time by default. If you want it back, then you'll need to pass --with-ssh1 to configure before you build. We expect to ship this configuration for openssh-6.9 in a few months. -d

No, I just think 15 years or so is more than enough time to have addressed the issue. On Thu, Mar 26, 2015 at 14:05:08 -0700, Dan Kaminsky wrote: > So, this isn't your problem and you don't respect the people's whose > problem it is. > > On Thu, Mar 26, 2015 at 12:43 PM, Iain Morgan <imorgan at nas.nasa.gov> wrote: > > > On Thu, Mar 26, 2015 at 11:55:18

Hi, the OpenSSH installation script for Cygwin still creates a SSH1 host key by default. My question is, wouldn't it make more sense to drop all auto-generation of SSH1 keys from the default installation procedure? I mean, nobody should use SSH1 anymore, right? Or should the script stick to it for some reason? Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat

On Thu, Mar 26, 2015 at 11:55:18 -0700, Dan Kaminsky wrote: > You're right. My argument the is the next build of OpenSSH should be > OpenSSH 7, and the one after that 8, then 9, then 10. No minor releases? > Sure, go ahead. Deprecate the point, > > Do you manage any machines running SSHv1? > If by "running" you mean accepting SSH1, of course not. From a

On Thu, Mar 26, 2015 at 10:19:05 -0700, Dan Kaminsky wrote: > Communication is a two way street. If OpenSSH wants to go down the route > of single releases, like the browsers did, it can remove its minor numbers, > like the browsers did. > There's no question of "going down the route." This has been the practice with OpenSSH for many years -- if not from the beginning.

Hello, I was searching for this information virtually everywhere, but as I couldn't find it - I'm asking here. I was wondering, why setting the Compression Level was removed in SSH2, and if on, is always set to 6. In SSH1 it was possible to set the Compression Level from 1 to 9. I have made some tests with Compression Levels using scp: SSH1, compression 9 (highest available for

On Solaris 8, I have ssh 3.1.0 and on other box Sol 7 I have 1.2.26 (min version for comtable with ssh 3), I checked also /etc/ssh2/sshd2_config file ## SSH1 compatibility # Ssh1Compatibility <set by configure by default> # Sshd1Path <set by configure by default 2) generate key for ssh3 # ssh-keygen2 -P /etc/ssh2/hostkey

https://bugzilla.mindrot.org/show_bug.cgi?id=2343 Bug ID: 2343 Summary: test_fuzz.c won't compile if ssh1 support is disabled Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Build system Assignee:

If an ssh1 client initiates challenge-response authentication but does not submit a response to the challenge, and instead switches to some other authentication method, verify_response() will never run, and the kbdint device context will never be freed. In some cases (such as when the FreeBSD PAM authentication code is being used) this may cause a resource leak leading to a denial of service.

I think I've found a bug with sshd handling audit events for commands (like scp) over ssh1 connections. Specifically, after updating to a recent FreeBSD 6.x with audit support, I'm getting log messages like these when using scp over ssh1: Sep 12 14:13:16 <auth.info> bm55 sshd[12335]: Accepted rsa for xxx from A.B.C.D port 2981 Sep 12 14:13:16 <auth.crit> bm55 sshd[12335]:

OK, with this additional information I can now reproduce it. Based on some quick experiments it seems to be triggered when sshd is built --with-ssh1 and the config does not *load* a Protocol 1 host key. Works: Protocol=1,2 + Hostkey not specified Protocol=1,2 + Hostkeys for both protocols specified. Doesn't work: Protocol=2 + Hostkey not specified. Protocol=1,2 + Hostkeys specified only for

On Tue, Mar 24, 2015 at 10:37 PM, Dan Kaminsky <dan at doxpara.com> wrote: > On Tuesday, March 24, 2015, Damien Miller <djm at mindrot.org> wrote: > >> On Tue, 24 Mar 2015, Dan Kaminsky wrote: >> >> > Hmm. Feels a little aggressive for ssh client. Support heartily for >> sshd. >> >> People who need it can build their own, or OS vendors

Krb5-authentication and Kerb5-TGT-passing is working well with openssh-2.3.0p1. Question: Is there a solution using rdist -P "/usr/local/bin/ssh" without the need for RhostRSAAuthentication, RSAAuthentication or using the Kerberos r-command set? The objective is to do away with ".rhosts/.shost" and private-key authentication when Kerberos authentication is already in

http://bugzilla.mindrot.org/show_bug.cgi?id=297 ------- Additional Comments From mindrot at downhill.at.eu.org 2002-06-28 00:15 ------- OpenSSH >= 3 does not work well with openssl 0.9.5, recompile against 0.9.6 and your Problem is gone (Fetch src.rpm from RH7.3, compile and install it (--nodeps) temporarily, and rebuild ssh with %define static_libcrypto 1 reinstall the old ssl Version

On Wed, 2015-03-25 at 18:48 +1100, Damien Miller wrote: > Our ability to influence people who run truly obsolete software is > extremely limited. +1, mostly because those who still use something that outdated in their products are either dead, or simply don't care about their customer's security (which is typical in the embedded devices area). Just by us (or anyone else) saying

I mentioned extensions because I had a few and saw them die. the 40-bit ssl is the web interface for power5 (the so-called ASMI https interface). These ports have no access to "outside", on a separate lan segment. my desktop, not acting as router, can connect to non-Natted and NATted segments. re: use of a stunnel - how does this turn 40-bit https into >40-bit https. Sounds like a

https://bugzilla.mindrot.org/show_bug.cgi?id=2369 Bug ID: 2369 Summary: `ssh-keygen -A` errors on RSA1 when building with SSH1 disabled Product: Portable OpenSSH Version: 6.9p1 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: ssh-keygen