similar to: Inconsistent none cipher behavior

Displaying 20 results from an estimated 500 matches similar to: "Inconsistent none cipher behavior"

2005 Nov 01
2
request: add TCP buffer options to rsync CLI?
Dear rsync folks, I'd like to request/suggest that cli options to set TCP send/receive buffers be added to rsync client-side. Summary: I'm aware that a daemon's config-file can set socket options for the server side (e.g. SO_SNDBUF, SO_RCVBUF). That is useful. But when trying to get high-throughput rsync over long paths (i.e. large bandwidth*delay product), since
2007 Jun 11
9
Recent MAC improvements
Hi, There has been some recent work to improve the speed of the Message Authentication Codes (MACs) that are used in OpenSSH. The first improvement is a change from Markus Friedl to reuse the MAC context, rather than reinitialising it for every packet. This saves two calls to the underlying hash function (e.g. SHA1) for each packet. My tests found that this yielded a 12-16% speedup for bulk
2003 Nov 21
1
pxelinux web page question...
Hi- On the pxelinux web page here: http://syslinux.zytor.com/pxe.php Mr. Anvin says the following: " PXELINUX does not support MTFTP, and I have no immediate plans of doing so. It is of course possible to use MTFTP for the initial boot, if you have such a setup. MTFTP server setup is beyond the scope of this document. " I am curious as to the possibility of 'mtftp for the
2000 Nov 14
1
[PATCH] Added option 'RetryDelay'
Being rather aggravated when testing at the enforced 1 second delay between each connection attempt and the useless 1 second delay done after all connection attempts have failed I wrote a patch to make the number of seconds delayed between each connection attempt configurable. Stephen -------------- next part -------------- diff -u --recursive openssh-2.3.0p1/ChangeLog
2006 May 04
1
request: add TCP buffer options to rsync CLI?
We see absolutely dismal performance from Canberra to Perth via Aarnet or Grangenet (gig connections across the country). With standard rsync on a tuned tcp stack, we see about 700k/s. I started playing with the --sockopts and have increased the performance to 1.4M/s which is better, but still way off the pace. There are similar patches for ssh at
2015 Mar 19
0
[Bug 1604] SCTP support for openssh
https://bugzilla.mindrot.org/show_bug.cgi?id=1604 Bert Wesarg <Bert.Wesarg at googlemail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |Bert.Wesarg at googlemail.com --- Comment #11 from Bert Wesarg <Bert.Wesarg at googlemail.com> ---
2023 Mar 29
1
[EXTERNAL] Re: ChaCha20 Rekey Frequency
Ah, with an internal block size [Is that what one calls it?] of 64 bytes. From: Damien Miller <djm at mindrot.org> Sent: Wednesday, March 29, 2023 3:08 PM To: Robinson, Herbie <Herbie.Robinson at stratus.com> Cc: Chris Rapier <rapier at psc.edu>; Christian Weisgerber <naddy at mips.inka.de>; openssh-unix-dev at mindrot.org Subject: RE: [EXTERNAL] Re: ChaCha20 Rekey
2024 Mar 05
1
Call for testing: OpenSSH 9.7
On my test systems: Ubuntu 22.04 with GCC 11.4 and OpenSSL 3.0.2 on AMD: PASS Fedora 39 with GCC 12.3.1 and OpenSSL 3.0.9 on Intel: PASS OS X 14.3.1 with clang 15.0.0 on Apple M2 (--without-openssl): FAIL The failure is with "make tests" specifically when it runs /Users/rapier/openssh-portable/ssh-keygen -if /Users/rapier/openssh-portable/regress/rsa_ssh2.prv | diff -
2000 Jun 06
0
connection timeout
Attached is a patch which adds a ConnectionTimeout option, and corrects the ConnectionAttempts documentation. Previously, ssh would try to make a connection ConnectionAttempts times, sleeping 1 second between tries. But each connection attempt could take a very long time to fail if the packets die before they get to the host. So if ssh is being run in a script or what-have-you, it might be
2008 Jan 29
0
Available: Multi-threaded AES-CTR Cipher
On multiple core systems OpenSSH is limited to using a single core for all operations. On these systems this can result in a transfer being processor bound even though additional CPU resources exist. In order to open up this bottleneck we've developed a multi-threaded version of the AES-CTR cipher. Unlike CBC mode, since there is no dependency between cipher blocks in CTR mode we
2024 Nov 07
1
ssh compat information
On Thu, 7 Nov 2024 at 07:55, Chris Rapier <rapier at psc.edu> wrote: >[...]I had been using > Blake2b512 for the hashing algorithm but I want to put in a path to use > xxhash instead. Maintaining backward compatibility means I need to know > something about the remote. In the case of sftp at least, that sounds like a function of the sftp-server not sshd, in which case could you
2024 Nov 07
1
ssh compat information
On Fri, 8 Nov 2024 at 03:16, Darren Tucker <dtucker at dtucker.net> wrote: > > On Thu, 7 Nov 2024 at 07:55, Chris Rapier <rapier at psc.edu> wrote: > >[...]I had been using > > Blake2b512 for the hashing algorithm but I want to put in a path to use > > xxhash instead. Maintaining backward compatibility means I need to know > > something about the remote.
2002 Jul 17
2
[Patch] SSH through HTTP proxy using CONNECT
Hi, I'm not a subscriber to this list so please CC: me in any replies. I found myself in a situation where I was behind a corporate firewall that allowed only web requests to the outside world (and furthermore those requests had to be via their proxy server). Therefore, I couldn't SSH to the outside world. However, the HTTP proxy 'CONNECT' method, which is normally used to
2023 Mar 29
1
[EXTERNAL] Re: ChaCha20 Rekey Frequency
That's true for block ciphers, but ChaCha20+poly1305 is a stream cipher. On Wed, 29 Mar 2023, Robinson, Herbie wrote: > > I'm hardly an expert on this, but if I remember correctly, the rekey rate > for good security is mostly dependent on the cipher block size. I left my > reference books at home; so, I can't come up with a reference for you, but I > would take Chris'
2024 Feb 09
2
Authentication using federated identity
On Thu, Feb 8, 2024 at 1:18 PM Chris Rapier <rapier at psc.edu> wrote: > > I know that there are some methods to use federated identities (e.g. > OAuth2) with SSH authentication but, from what I've seen, they largely > seem clunky and require users to interact with web browsers to get one > time tokens. Which is sort of acceptable for occasional logins but > doesn't
2023 Mar 29
1
[EXTERNAL] Re: ChaCha20 Rekey Frequency
I'm hardly an expert on this, but if I remember correctly, the rekey rate for good security is mostly dependent on the cipher block size. I left my reference books at home; so, I can't come up with a reference for you, but I would take Chris' "I'm deeply unsure of what impact that would have on the security of the cipher" comment seriously and switch to a cipher with a
2023 Aug 05
1
Packet Timing and Data Leaks
On Thu, Aug 3, 2023 at 2:35 PM Chris Rapier <rapier at psc.edu> wrote: > > Howdy all, > > So, one night over beers I was telling a friend how you could use the > timing between key presses on a typewriter to extract information. > Basically, you make some assumptions about the person typing (touch > typing at so many words per second and then fuzzing the parameters
2001 Mar 11
0
patch to allow client to select rsa/dss
Here is a quick patch against openssh-2.5.1p1 to add a new config option (pkalg) for the ssh client allowing the selection of which public keys are obtained/verified. --cut-here- diff -c3 -r orig/openssh-2.5.1p1/key.c openssh-2.5.1p1/key.c *** orig/openssh-2.5.1p1/key.c Mon Feb 5 18:16:28 2001 --- openssh-2.5.1p1/key.c Sun Mar 11 23:10:10 2001 *************** *** 534,539 **** --- 534,567 ----
2024 Feb 09
1
Authentication using federated identity
Practically speaking, most popular IAM and SSO solutions offer OIDC SAML tokens but do not offer Kerberos tickets. OpenID Connect is a standard which itself is based on RFC6749 (OAuth2). This provides a compelling reason to support it in addition to Kerberos. I'll also note that OIDC tokens are easy to validate without a bidirectional trust relationship between the IdP and RP. SSH
2000 Feb 04
0
Patch that allows equal sign in options
Hi, Here is a patch for release 1.2.2 that allows the use of '=' instead of whitespace when specifying options. For options on the commandline, it can be useful to be able to avoid whitespace in some situations. best regards and thanks for the patch regarding segfaulting with PAM, Stefan ------------------------------------------------------------------- Email: Stefan.Heinrichs at