similar to: sshd key comment logging

Hi, Are there any open source tools to keep track of ssh sessions? For example, if a specific user is ssh logging to remote server and what commands or scripts are being run. Basically, i need to log all users sessions. Thanks in Advance and i look forward to hearing from you. Best Regards, Kaushal

On 09/22/2017 03:22 PM, Daniel Kahn Gillmor wrote: > On Thu 2017-09-21 18:12:44 -0400, Joseph S Testa II wrote: >> I gotta say... having a fallback mechanism here seems pretty >> strange. The entire point of the group exchange is to use a dynamic >> group and not a static one. > > fwiw, i think dynamic groups for DHE key exchange is intrinsically > problematic

Hi Kaushal, I maintain a set of SSH hardening guides for various platforms, including RHEL 8. You can find them here: https://ssh-audit.com/hardening_guides.html - Joe -- Joseph S. Testa II Founder & Principal Security Consultant Positron Security On Thu, 2024-01-25 at 18:39 +0530, Kaushal Shriyan wrote: > Hi, > > I am running the below servers on Red Hat Enterprise

Hi, As of this morning, OpenSSH now has experimental U2F/FIDO support, with U2F being added as a new key type "sk-ecdsa-sha2-nistp256 at openssh.com" or "ecdsa-sk" for short (the "sk" stands for "security key"). If you're not familiar with U2F, this is an open standard for making inexpensive hardware security tokens. These are easily the cheapest way

On 09/22/2017 06:55 PM, Tim Broberg wrote: > Do I understand correctly, that you find the security of group 14 unacceptable and yet you left it enabled? In the end, I'm trying to ensure a minimum equivalent of 128-bits of security. Group14 is 2048-bits, which roughly translates to 112-bits. [1] To this end, I disabled the "diffie-hellman-group14-sha1" and

I've had a patch on the bugzilla for a while related to U2F with support for a few additional settings such as providing a path to a specific key to use instead of the first one found and setting if user presence is required when using the key. Is there any objection to folding those parts in if appropriate? Joseph, to offer comment on NIST P-256. There was originally quite a limited subset

On 09/24/2017 12:21 AM, Mark D. Baushke wrote: > I suggest you upgrade to a more recent edition of the OpenSSH software. > The most recent release is OpenSSH 7.5 and OpenSSH 7.6 will be released > very soon. This problem is in v7.5 and v7.6. See dh.c:436. > OpenSSH 6.6 was first released on October 6, 2014. I brought up v6.6 to give an example that older clients wouldn't be

A few days ago, I published an article analyzing the susceptibility of the DHEat denial-of-service vulnerability against default OpenSSH settings in cloud environments. I thought those on this list might be interested: https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-against-ssh-in-cloud-environments/ A short summary: the default MaxStartup setting is fully ineffective

On 09/13/2018 08:18 PM, Damien Miller wrote: > We have any plans to add more crypto options to OpenSSH without a strong > justification, and I don't see one for X448-SHA512 ATM. What I like about it is that it offers ~224 bit security level, whereas X25519 offers ~128 bits (according to RFC7748). Hence, pairing X448 with AES256 would provide a full chain of security in the ~224 bit

Hi all, I'm interested in having X448 protocol available as an option, as it gives a larger security margin over X25519. For anyone unfamiliar, it is an Diffie-Hellman elliptic curve key exchange using Curve448 (defined in RFC7748: https://tools.ietf.org/html/rfc7748). Furthermore, it is included in the new TLS 1.3 specification (RFC8846: https://tools.ietf.org/html/rfc8446).

What I'm hearing in this thread is: "a minority of people on planet Earth have a problem with the open-source implementation of ED25519, but instead of letting that minority choose to re-implement it when/if they want to, the rest of the community needs to stall their progress in improving security." And isn't the ED25519 code is already there on their machine? So isn't

Hi all, Back in September 2018, I started a thread about implementing the X448 key exchange (see https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-September/037183.html). In February 2020, RFC 8731 (formally specifying X448 in SSH) has been finalized: https://www.ietf.org/rfc/rfc8731.txt. I thought I'd start this conversation up again to see if the interest level has

Hi, I'm setting up Samba with ldap backend and everythin appears to be working correctly except for profiles. Using: samba-3.0.2 openldap-2.1.26 smbldap-tools-0.8.4 When a user 'testa' tries to logon from a Win2K system that has joined the domain he gets the following error message: "Windows did not load your roaming profile and is attempting to log you on with your local

Hi all, I have got 2 function (see bellow) which are simplifications of what I need to do. These functions are precisely the same, except for the last line. My question is, why doesn't function testA work in the same way as function testB. Both functions produce two objects, "a" and "b" that must merged with rbind. The difference is that in testA, I specify the name

Dear R gurus, I'm running into a problem with some modified segment plots I've coded using stars(). What I am trying to do is superimpose two series of data along with radial axes markers in a 2x2 graphics frame. This is working fine now, except for the hitch: my plots overfill the frame and are not centered within it (on my runs they always end up looking like they've been budged

> > On the file serever: > > Collected config --- 2019-07-03-10:27 ----------- > > > > Hostname: srv > > DNS Domain: a.b.hu > > FQDN: srv.a.b.hu > > ipaddress: 10.0.3.15 192.168.0.8 > > ----------- > > Samba is running as a Unix domain member > > ----------- > > > > This computer is running Debian 10.0 x86_64 > >

dear all trivial kind of question for which I do apologize, but it's sort of puzzling in a share when a windows client creates something samba sets it as 755, yet another user can still delete, in this case a folder which part of configuration fixes it so it would behave as expected? what I have by default is: acl check permissions = Yes acl group control = No acl

My production server is using mongrel_rails on Ubuntu linux. With Firefox I can reach my production server with the URL: www.mydomain.com:3000/ but I can''t reach my production server with the URL www.mydomain.com/ Is there a way to configure mongrel so that I can reach my production server with the URL www.mydomain.com? -- Posted via http://www.ruby-forum.com/.

Hi all! I'm newbie, so here goes my situation: I have succefully compiled the cvs version as shown in asterisk website in some linux distros: Debian (2.4.22), Conectiva, Fedora Core 1 and in all of them, * starts and consumes all the cpu (on top). Does anybody know this issue? Thanks! Testa

Hi, during my tests to use Samba4 as a kdc for kerberized NFS, I found a bug in the KDC code, when generating a principal without pac (e.g. with msktutil and option --no-pac), that causes Samba4 to crash: Running the following command on one of the client machines msktutil -c --upn nfs/testa.linex.org -h testa.linex.org --computer-name testa-service-nfs --server s4-dc1.linex.org --no-pac