similar to: defense-in-depth possible for sshd?

My home machine has IP 50.54.225.130. I have (for the purposes of this experiment) one remote machine at www.peacefire.org (69.72.177.140) and another at www.junkwhale.com. When I'm logged in to peacefire, I run this perl script to open an ssh connection to junkwhale and run a command: my $hostname="www.junkwhale.com"; my $server_password = "[redacted!]"; use Net::SFTP;

(Sorry, third time -- last one, promise, just giving it a subject line!) OK, a second machine hosted at the same hosting company has also apparently been hacked. Since 2 of out of 3 machines hosted at that company have now been hacked, but this hasn't happened to any of the other 37 dedicated servers that I've got hosted at other hosting companies (also CentOS, same version or almost),

Hello, there are emerging container services that restrict regular users to launch containers under some random uid for security reasons. If such user needs sshd in their container, they need to turn off `UsePrivilegeSeparation` so that sshd is executed as the current uid and not `root`. I understand that privilege separation [1] is more than changing the process uid. On the other hand, it is

hi there, i have an issue on my newly created Debian/SELinux/unstable system. i have pam 0.77 se1 installed ssh 3.8.1p1-4 (OpenSSH) and libselinux1 1.12-1. i can log in as root, fine. but i cannot log in as an ordinary user, and i had to grant special permission to the _user_ process (NOT sshd or pam before a setuid and exec is carried out) to access /dev/pts/0. in other

Ever since someone told me that one of my servers might have been hacked (not the most recent instance) because I wasn't applying updates as soon as they became available, I've been logging in and running "yum update" religiously once a week until I found out how to set the yum-updatesd service to do the equivalent automatically (once per hour, I think). Since then, I've

There are a couple of niggles with the sandboxing of the unprivileged child in the privsep code: the empty directory causes namespace pollution, and it requires care to ensure that it is set up properly and remains set up properly. The patch below (against the portable OpenSSH, although the patch against the OpenBSD version is very similar) replaces the fixed empty directory with one that is

Hello Darren, Could you comment on this issue being raised by myself and Corinna Vinschen? This will create big problems for me. I'm not clear if this is a conscious decision supported by solid reasons or if it is just collateral damage. Thank you for all you work! Jack DoDDs -------- Original Message -------- Date: Mon, 27 Mar 2017 16:31:03 +0200 Subject: Re: Announce: OpenSSH 7.5

Why can't non-uid 0 users have more than 1024 file descriptors when logging in via ssh? I'm trying to allow a user to have a hard limit of 8192 file descriptors(system defaults to 1024) via the following setting in /etc/security/limits.conf: jdoe hard nofile 8192 But when jdoe logs in via ssh and does 'ulimit -Hn' he gets '1024' as a response. If he tries to

The following is just a simple 'if ANON|SHARE is broken, disable compression'. We don't have time for fancy stuff until we have time for long term testing. I have one friend of mine testing this. Can I get a few other people to test. This is against --current, but maybe work against 3.3p1. Unsure. BTW.. those on NeXT platform (if you have autoreconf) should also test this. this

I just upgraded to OpenSSH3.2.3p1 as it seemed that UsePrivilegeSeparation yes might help with my problem (connections forwarded are owned by root instead of the user I logged in as on the server), but instead, sshd barfs on receiving a connection. Without UsePrivilegeSeparation the server works fine. # strace -o /tmp/sshd.str sshd -d debug1: sshd version OpenSSH_3.2.3p1 debug1: private host

Suppose I have a CentOS 5.7 machine running the default Apache with no extra modules enabled, and with the "yum-updatesd" service running to pull down and install updates as soon as they become available from the repository. (Assume further the password is strong, etc.) On the other hand, suppose that as the admin, I'm not subscribed to any security alert mailing lists which send

http://wiki.centos.org/HowTos/SELinux says: "Access is only allowed between similar types, so Apache running as httpd_t can read /var/www/html/index.html of type httpd_sys_content_t." however the doc doesn't define what "similar types" means. I assumed it just meant "beginning with the same prefix". However that can't be right because on my system with

Does dovecot have any dictionary attack defenses yet? In the past I have had to implement defense from outside dovecot, but since dovecot is at the front lines and therefore is the first to know I'm hoping by now there is something we can set. For example, a limit on access failures per minut/hour/day or some such. If not why not?

Hi, I have a setup in which I run sshd as unprivileged user at dedicated port to serve specific application. It is working perfectly! One tweak I had to do, since the AuthorizedKeysCommand feature requires file to be owned by root, I had to use root owned command at root owned directory, although it does not add a security value. At auth2-pubkey.c::user_key_command_allowed2(), we have the

Hello there, We are using OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004 on various Solaris boxes with PAM and an LDAP server back end. Recently we have added a requirement for users to have complex passwords. The problem is, if a user's password has expired, when they log in they are prompted for a new password (good) but if they enter a non-complex new password the session is closed rather than

Hello Samba People, I'm doing some tests with samba on a debian Sarge in order to implement a file server with the recycle bin module, so my smb.conf loks like this : [global] workgroup = HOME server string = %h server (Samba %v) preferred master = no realm = home.local security = ADS encrypt passwords = true password server = 192.168.0.15 socket options = TCP_NODELAY #

Hi, there's a change made to 4.4p1, which gave some irritation on the Cygwin mailing list. It's a change from 20060907: - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can be used to drop privilege to; fixes Solaris GSSAPI crash reported by Magnus Abrante; suggestion and feedback dtucker@ NB. this change will require that the privilege separation user must

http://bugs.freedesktop.org/show_bug.cgi?id=15857 Summary: Errors in Desktop Tower Defense (flash game) Product: swfdec Version: git Platform: x86 (IA32) OS/Version: Linux (All) Status: NEW Severity: normal Priority: medium Component: library AssignedTo: swfdec at lists.freedesktop.org

This patch adds a new option to sshd, chroot_users. It has the effect of chroot()ing incoming ssh users to their home directory. Note: this option does not work if UsePrivilegeSeparation is enabled. Patch is based on OpenSSH 3.4p1. *** servconf.h@@\main\1 Tue Oct 1 17:25:32 2002 --- servconf.h Wed Oct 2 06:17:48 2002 *************** *** 131,136 **** --- 131,137 ---- char

I'm trying to troubleshoot gssapi_with_mic authentication with OpenSSH 5.2p1 on FreeBSD 8.0. If I run sshd with maximum debug "sshd -ddd" the most detail I get is: GSSAPI MIC check failed That comes from line 282 in auth2-gss.c 279 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 280 authenticated =