similar to: Channel Patch

Displaying 20 results from an estimated 6000 matches similar to: "Channel Patch"

2007 Jul 26
1
Channel Handling Patch
The current code for channel.c creates an array of Channel structs (initially set to NULL) which is then iterated through, in full, every time a channel needs to be dealt with. If only one channel is in use, which is relatively common, the code still loops through the entire array. This patch creates a linked list of pointers to these structs and the code steps through the linked list. Since
2007 Sep 26
1
Inconsistent none cipher behavior
Using stock OpenSSH 4.7 I found different behavior when trying to specify the use of the 'none' cipher depending on the command line option nomenclature. This is under linux 2.6.19-web100 using -ocipher=none [root at delta openssh-4.7p1-hpnv19]# /home/rapier/ssh47/bin/scp -S /home/rapier/ssh47/bin/ssh -ocipher=none -P 2222 ~rapier/2gb rapier at localhost:/dev/null rapier at
2024 Mar 05
1
Call for testing: OpenSSH 9.7
On my test systems: Ubuntu 22.04 with GCC 11.4 and OpenSSL 3.0.2 on AMD: PASS Fedora 39 with GCC 12.3.1 and OpenSSL 3.0.9 on Intel: PASS OS X 14.3.1 with clang 15.0.0 on Apple M2 (--without-openssl): FAIL The failure is with "make tests" specifically when it runs /Users/rapier/openssh-portable/ssh-keygen -if /Users/rapier/openssh-portable/regress/rsa_ssh2.prv | diff -
2023 Mar 29
1
[EXTERNAL] Re: ChaCha20 Rekey Frequency
That's true for block ciphers, but ChaCha20+poly1305 is a stream cipher. On Wed, 29 Mar 2023, Robinson, Herbie wrote: > > I'm hardly an expert on this, but if I remember correctly, the rekey rate > for good security is mostly dependent on the cipher block size. I left my > reference books at home; so, I can't come up with a reference for you, but I > would take Chris'
2024 Feb 09
2
Authentication using federated identity
On Thu, Feb 8, 2024 at 1:18 PM Chris Rapier <rapier at psc.edu> wrote: > > I know that there are some methods to use federated identities (e.g. > OAuth2) with SSH authentication but, from what I've seen, they largely > seem clunky and require users to interact with web browsers to get one > time tokens. Which is sort of acceptable for occasional logins but > doesn't
2023 Mar 29
1
[EXTERNAL] Re: ChaCha20 Rekey Frequency
I'm hardly an expert on this, but if I remember correctly, the rekey rate for good security is mostly dependent on the cipher block size. I left my reference books at home; so, I can't come up with a reference for you, but I would take Chris' "I'm deeply unsure of what impact that would have on the security of the cipher" comment seriously and switch to a cipher with a
2023 Aug 05
1
Packet Timing and Data Leaks
On Thu, Aug 3, 2023 at 2:35 PM Chris Rapier <rapier at psc.edu> wrote: > > Howdy all, > > So, one night over beers I was telling a friend how you could use the > timing between key presses on a type writer to extract information. > Basically, you make some assumptions about the person typing (touch > typing at so many words per second and then fuzzing the parameters
2024 Feb 09
1
Authentication using federated identity
Practically speaking, most popular IAM and SSO solutions offer OIDC SAML tokens but do not offer Kerberos tickets. OpenID Connect is a standard which itself is based on RFC6749 (OAuth2). This provides a compelling reason to support it in addition to Kerberos. I'll also note that OIDC tokens are easy to validate without a bidirectional trust relationship between the IdP and RP. SSH
2023 Oct 23
2
ssh wish list?
Hi Chris, On 18/10/2023 19:13, Chris Rapier wrote: > Do any of you have a wish list of things you'd like to see in ssh? get Roumen Petrovs pkissh implementation merged and maintained upstream I know this is a huge page with little chances to get accepted, but I'd like to mention this, because it has been on my personal wish list for a long time. Sure, I can install pkissh, but if
2013 Aug 05
2
RemoteForward and dynamically allocated listen port
Specifying a RemoteForward of 0:example.com:1234 dynamically allocates the listen port on the server, and then reports it to ... the client! Where it is practically useless. Was this someone's idea of a joke? Presumably not--there are some technical obstacles to reporting it to the remote process. I'd like to help solve that problem. The natural way to me would be to extend the syntax
2005 Aug 24
1
Test Failure on Mac OS X 10.4.2
I was able to get it to compile but the tests are failing. When I run the test as root I get: run test connect.sh ... Connection closed by 127.0.0.1 ssh connect with protocol 1 failed failed simple connect make[1]: *** [t-exec] Error 1 make: *** [tests] Error 2 However, when I run as a normal user I got: test remote exit status: proto 1 status 0
2018 Jun 05
2
OpenSSH & OpenSSL 1.1
Howdy all, I know that the OpenSSH team has made a clear and well justified decision regarding interoperability with OpenSSL 1.1. I respect that entirely. That said, I've recently had to deal with a couple of users who had a specific set of requirements with building OpenSSH 7.7 using patches for OpenSSL 1.1 found in the slackware package.
2023 Aug 07
2
Packet Timing and Data Leaks
On Mon, 7 Aug 2023, Chris Rapier wrote: > > The broader issue of hiding all potential keystroke timing is not yet fixed. > > Could some level of obfuscation come from enabling Nagle for interactive > sessions that has an associated TTY? Though that would be of limited > usefulness in low RTT environments. I don't like the idea of having a steady > drip of packets as that
2023 Aug 06
2
Packet Timing and Data Leaks
On Thu, 3 Aug 2023, Chris Rapier wrote: > Howdy all, > > So, one night over beers I was telling a friend how you could use the timing > between key presses on a type writer to extract information. Basically, you > make some assumptions about the person typing (touch typing at so many words > per second and then fuzzing the parameters until words come out). > > The I
2013 Mar 16
5
[Bug 2079] New: openssh 6.1/6.2 disconnect due to channel bug
https://bugzilla.mindrot.org/show_bug.cgi?id=2079 Bug ID: 2079 Summary: openssh 6.1/6.2 disconnect due to channel bug Classification: Unclassified Product: Portable OpenSSH Version: 6.1p1 Hardware: amd64 OS: FreeBSD Status: NEW Severity: normal Priority: P5 Component: ssh
2005 Jun 17
3
New Set of High Performance Networking Patches Available
http://www.psc.edu/networking/projects/hpn-ssh/ Mike Stevens and I just released a new set of high performance networking patches for OpenSSH 3.9p1, 4.0p1, and 4.1p1. These patches will provide the same set of functionality across all 3 revisions. New functionality includes 1) HPN performance even without both sides of the connection being HPN enabled. As long as the bulk data flow is in the
2023 Mar 29
2
ChaCha20 Rekey Frequency
On Wed, 29 Mar 2023, Chris Rapier wrote: > I was wondering if there was something specific to the internal chacha20 > cipher as opposed to OpenSSL implementation. > > I can't just change the block size because it breaks compatibility. I can do > something like as a hack (though it would probably be better to do it with the > compat function): > > if
2006 May 19
1
New HPN Patch Released
The HPN12 patch available from http://www.psc.edu/networking/projects/hpn-ssh addresses performance issues with bulk data transfer over high bandwidth delay paths. By adjusting internal flow control buffers to better fit the outstanding data capacity of the path significant improvements in bulk data throughput performance are achieved. In other words, transfers over the internet are a lot
2005 Sep 08
1
HPN Patch for OpenSSH 4.2p1 Available
Howdy, As a note, we now have HPN patch for OpenSSH 4.2 at http://www.psc.edu/networking/projects/hpn-ssh/ It's still part of the last set of patches (HPN11) so there aren't any additional changes in the code. It patches, configures, compiles, and passes make tests without a problem. I've not done extensive testing for this version of openssh but I don't foresee any problems. I
2010 Jan 27
1
Multiplexing bug on client exit
Hi, With the 20100127 snapshot, there appears to be a bug in the multiplexing support that causes the master to die under some circumstances when a slave session exits. The error messages that I am getting are: cfe1.imorgan> exit Connection to cfe1 closed. $ channel_by_id: 2: bad id: channel free client_input_channel_req: channel 2: unknown channel channel_by_id: 2: bad id: channel free