similar to: AuthorizedKeysCommand question

Hi there, (context: I was optimizing Roundcube mailbox list server response, and in that 300-400ms response time, around 170ms is spent on single fgets() call which is waiting IMAP repsonse to "SELECT MyMailbox" command) I straced dovecot and of the whole request/response process, around 30ms is spent for everything else, and overwhelming majority of time (150-170ms) is spent for

On Sun, Aug 30, 2015 at 6:57 AM, Bostjan Skufca <bostjan at a2o.si> wrote: > Nico, > > those were my thoughts, exacly, except that I was thinking about using "dig > +short HOST | ..." which has the cleanest output of all. Excellent point. I like it! It can get a bit confusing with round-robin DNS, which can give multiple responses. > But there is that initial

If I want to specify for LAN addresses that I don't want to deal with host keys, how do I do that? Understanding the risks, knowing almost everyone will say not to do this - it's a horrible idea, but deciding I want to do it anyway. Tired of having to remove entries from known_hosts with the multiple VM's I have that often change fingerprints, and am willing to live with the risks.

Thanks for clarification. One question though: As far as I have tested openssh, it logs every unsuccessful authentication attempt on the very moment it becomes unsuccessful, not after the connection is closed (after timeout or when reaching max auth attempts). Is this true or not even for this attack or not? Because if it is true, if there is a IDS system that bans IP after X failed logins,

On Thu, 27 Aug 2015, Bostjan Skufca wrote: > Are you connecting by specifying "ssh HOSTNAME" instead of "ssh IP.IP.IP.IP"? > > If this is the case, then "Host 192.168.*.*" line never matches when > you think it should. > > From ssh_config manpage: > "The host is the hostname argument given on the command line (i.e. the > name is not

I read an article today about keyboard interactive auth allowing bruteforcing. I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

I'm running into issues with AuthorizedKeysCommand when the sum of the size of the public keys become bigger than ~ 12 KB. I created a bash script that runs #!/bin/bash curl -s --compressed http://someurl.example.com/pubkeys/$1 and am getting "error: returned status 23". CURLE_WRITE_ERROR (23): An error occurred when writing received data to a local file, or an error

On Fri, Aug 28, 2015 at 8:48 AM, Bostjan Skufca <bostjan at a2o.si> wrote: > On 27 August 2015 at 05:01, Damien Miller <djm at mindrot.org> wrote: >> Yeah, it's unfortunately quite difficult to implement address matching >> in ~/.ssh/config because of the interplay of Host matching, Hostname >> directives, hostname canonicalisation*, proxy commands, hosts

On Mon, 4 Jan 2016, Peter Stuge wrote: > Hi Kaleb, > > Kaleb Himes wrote: > > OpenSSH port Location: https://github.com/kaleb-himes/openssh-portable.git > > I'm afraid this repository is too messy to be useful. :\ > > You need to use the features offered by git to preserve commit ids if > anyone else besides yourself is going to be able to work with this, >

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 12 Apr 2016, Bostjan Skufca wrote: > On 12 April 2016 at 10:23, A.L.E.C <alec at alec.pl> wrote: > >> I don't know dovecot's code, but I suppose it uses uidlist file to get >> mailbox statistics that it returns as EXISTS, RECENT, UNSEEN, UIDNEXT, >> UIDVALIDITY, etc, which are required by IMAP standard. I

Hi all, authentication forwarding depends much on the environment it is used in, but generally on shared hosts it is considered insecure, as this documentation and common sense tell us: http://unixwiz.net/techtips/ssh-agent-forwarding.html Anyway, I have an auth forwarding security enhancement proposal. I hope I am not duplicating someone else's words/thoughts, please notify me if this is

On Fri, Aug 28, 2015 at 11:51 PM, Walter Carlson <wlcrls47 at gmail.com> wrote: > On Thu, Aug 27, 2015 at 12:26 AM, Walter Carlson <wlcrls47 at gmail.com> wrote: > >> Perfect, thanks. This winds up working for me (as far as I've tested so >> far.) >> >> Match exec "ping -q -c 1 -t 1 %n | grep '192\.168\.'" >>

Hello, I haven't found anything useful googling around so I decided to ask here. I have a Linux server running Samba on 100Mbit/s ethernet. If I connect to it using WinXP, mount some share and download files from it it reaches about 9MB/s transfer rate. Using FTP gives even higher transfer rates. BUT when I use linux to connect to (linux!) server, mount shares and download files then

Hello everyone, I would like to ask you for advice on how to approach (or solve) this particular problem. I use Slackware Linux and compile Openssh from source. I prefer to compile it statically so it doesn't get messed up if I update openssl libraries. Up until now this approach was working OK for me. Lately I have been challenged with Slackware64 installations and I have come across a

Hello everybody! This is probably going to be a classic question but I cannot find a decent answer on net. I have samba server set up and the following things work flawlessly: - iperf shows 92% link utilization - FTP/SCP/HTTP transfers work in 10MB/s range. However, when I mount samba share with linux client (mount.cifs) the link utilization cannot bypass cca 33%. Transfer speeds constantly

On 04/10/2016 10:27 AM, Adrian Minta wrote: > It will be nice if the "SELECT MyMailbox" command will be "SELECT > mymailbox LIMIT 100" or something, to get the first files since only the > last messages are shown to the user. SELECTing a mailbox has nothing to do with FETCHing messages, so above does not make much sense. I don't know dovecot's code, but I

Hi again, puppetd started to hang with 100% CPU usage all of the sudden. Strace just keeps repeating these 2 lines: --- SIGVTALRM (Virtual timer expired) @ 0 (0) --- sigreturn() = ? (mask now []) In logs it hangs with this message: debug: Calling fileserver.describe But lots of these fileserver.describe calls prior to hang are successful. If I run it with puppetd

Hi, I have a setup in which I run sshd as unprivileged user at dedicated port to serve specific application. It is working perfectly! One tweak I had to do, since the AuthorizedKeysCommand feature requires file to be owned by root, I had to use root owned command at root owned directory, although it does not add a security value. At auth2-pubkey.c::user_key_command_allowed2(), we have the

Hi all, few days ago mongrel start crashing on one of my sites, i upgraded to latest version (1.0.1) but problem still exists. When i try to load page in browser random elements are missing or page is blank (empty html). In mongrel.log i''m getting: Mon Oct 22 01:10:47 +0200 2007: ERROR: stream closed Mon Oct 22 01:10:47 +0200 2007: ERROR: closed stream Mon Oct 22 01:10:47 +0200 2007:

Hello, Currently OpenSSH has a fixed order on how the key authenticates the user: at first it tries to authenticate against TrustedUserCAKeys, afterwards it does it against the output keys from the AuthorizedKeysCommand and finally against the files as set in AuthorizedKeysFile. I have an use-case where this order is not ideal. This is because in my case the command fetches keys from the cloud