similar to: Minimum python version for xen-4.1.1

As per Alex's suggestion, attached is the proof of concept "sfile" script. If there is anyone out there with great C skills who can recreate this functionality "out of the box", I think there would be a few happy campers (at least two, anyways). -------- Forwarded Message -------- Subject: Re: Encrypt /decrypta file with ssh keys. Date: Fri, 5 Aug 2016 17:24:35

> On 24 Jan 2017, at 06:01, Darren Tucker <dtucker at zip.com.au> wrote: > > On Tue, Jan 24, 2017 at 4:54 PM, Vishwanath KC <vicchi.cit at gmail.com> wrote: > [...] >> Distributor ID: Debian >> Description: Debian GNU/Linux 8.2 (jessie) > > As you've seen, sshd requires that the system's getpwnam() function > knows the user, without which

On Fri, Jan 15, 2016 at 1:07 PM, Alex Bligh <alex at alex.org.uk> wrote: > On 15 Jan 2016, at 11:44, Thomas ? Habets <habets at google.com> wrote: >> On 15 January 2016 at 08:48, Alex Bligh <alex at alex.org.uk> wrote: [snip] > 3. Server compares supplied address/port pair with what it sees > (to detect DNAT like Amazon elastic IPs), and if they are the >

Odd question I know. I am looking for source for as recent a kernel as possible running the old style xenlinux/xenified kernel (i.e. capable of running the xen3.3.x hypervisor). Any ideas where I can get this - preferably in git form? I think Stefano Stabellini had something that worked up to 2.6.36 (from memory). And yes, we would all prefer all our customers moved to xen4 but this is difficult

On 20 Mar 2016, at 19:15, Philip Hands <phil at hands.com> wrote: > Is anyone going to be upset by the resulting blank lines being added by > ssh-copy-id when the file was not missing a terminating newline? Well it would be at least mildly annoying my previously nice looking file now has a pile of blank lines in just because someone didn't know how to use their editor ... --

> On 5 Aug 2016, at 18:09, James Murphy <james.murphy.debian at gmail.com> wrote: > > The more mainstream thing to do is just use gpg, which has this > functionality already built in. Is this not suitable for your use case? The advantage of Colin's approach is that gpg requires out of band exchange of gpg keys separately from ssh keys. If you already have ssh keys

Moving to public discussion... This was found with Xen hypervisor version supporting device unplugging and the domU kernel having net-/blkfront and pci platform built-in (or as module). The block device is defined as hda and the NIC type=ioemu (so theoretically guests without pv support would work, too). Since both drivers are present, the kernel tries to unplug the emulated devices and

Attached is a patch which adds a log= directive to authorized_keys. The text in the log="text" directive is appended to the log line, so you can easily tell which key is matched. For instance the line: log="hello world!",no-agent-forwarding,command="/bin/true",no-pty, no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB3Nza....xcgaK9xXoU=

Is there a good reason why known_hosts stores the address of the server but not the port? This is annoying when one host is running more than one instance of openssh with different ports and different keys, or (less tractably) when a NAT in front of multiple hosts multiplexes which host is connected to by port number. I see no immediate security implication in fixing this, but am I missing

On Mon, Sep 26, 2016 at 11:43:42AM +0100, Alex Bligh wrote: > > > On 26 Sep 2016, at 10:21, Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net> wrote: > > > > Wow, that was quick! Thank you. > > > > I stumbled upon another problem: Apparently nbd-tester-client and nbdkit > > disagree on what constitutes a valid flush request. > >

I've upgraded from syslinux-4.05 to syslinux-6.03-pre18 (pre11 was the same) and am having some issues getting lua.c32 to work. I'm using lpxelinux.0 if that's relevant. My boot file and the contents of default.lua are below. As you can see they are fantastically simple. Essentially I'm just using lua to put the results of ipappend in the right place on the command line. The

If an ssh server receives a successful inbound ssh connection with 'ssh -w' without a tunnel number specified (i.e. in 'any' mode), it allocates the next tunnel device available on the server. The next thing the server needs to do is to set up the tunnel device. How does the server know which tunnel device was set up by the current connection? I'd really like something

If an ssh server receives a tun/tap tunnel request and sets up the tunnel concerned, as far as I can see there is currently no way for the server to configure the tunnel in a manner dependent upon (e.g) the key used to set up the ssh session. Whilst an id based on the key can be passed to the ssh child process, where the tunnel is dynamically allocated, its tunnel name is lost. This patch

I am thinking of configuring a service where multiple users have their own private keys to do rsync over ssh. I don't want each of these users to have their own UID. I want them each to share a UID, but to have space on the ssh server isolated from any other user. Let us assume that I also wish to prevent them from using any service other than rsync. Is this possible? Is a sensible approach

I have a situation where a number of potentially hostile clients ssh to a host I control, each ssh'ing in as the same user, and each forwarding a remote port back to them. So, the authorized_keys file looks like: no-agent-forwarding,command="/bin/true",no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB....vnRWxcgaK9xXoU= client1234 at example.com

I am seeing a problem with domain renames which I think affects everything running with the upstream qemu xen DM. If I create a domain, and then rename it, it renames in the xenstore, but it does not rename in qemu. This means that (interalia) the name on a VNC connection is incorrect. I am seeing this with a migration (where a libxl_domain_rename is done from "name--incoming" to

On 15 January 2016 at 08:48, Alex Bligh <alex at alex.org.uk> wrote: > > The socket option is enabled *after* connection establishment, thus > > doesn't protect against SYN floods. This is because server doesn't > > know (in userspace) what the address of the peer is until they > > connect. Again because signed addresses. > So could they exchange a secret

Apologies for the newbie question: I have a (stock) 2.4.20 build (*not* -ac), and I'm trying to work with large ext3 directories. By large, I mean 160,000 files per directory. (Yes, I know it would be better in nested directories but such is life). I feel htree would benefit me. Having upgraded from an earlier version of 2.4, I don't see any change, and close reading of the 2.4 changelog

Apologies for the newbie question: I have a (stock) 2.4.20 build (*not* -ac), and I'm trying to work with large ext3 directories. By large, I mean 160,000 files per directory. (Yes, I know it would be better in nested directories but such is life). I feel htree would benefit me. Close reading of the 2.4 changelog suggests that htree isn't in there - only a patch to prevent non-htree

This may be a dumb question, but is there any reason why scp a at b:c d: fails, where scp a at b:c . scp c d: succeeds? I get "Host key verification failed.". I'm using nothing more complex than RSA authorized_hosts based authentication. I'm seeing this on openssh-client 1:5.8p1-1ubuntu3 and OS-X 10.6 OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011. -- Alex Bligh