Displaying 20 results from an estimated 1000 matches similar to: "key rotation on ssh servers"
2015 May 21
8
Weak DH primes and openssh
Hi,
You will be aware of https://weakdh.org/ by now, I presume; the
take-home seems to be that 1024-bit DH primes might well be too weak.
I'm wondering what (if anything!) you propose to do about this issue,
and what Debian might do for our users?
openssh already prefers ECDH, which must reduce the impact somewhat,
although the main Windows client (PuTTY) doesn't support ECDH yet. But
2020 Oct 02
4
[Bug 3219] New: Can't connect to a server that is using several host keys of the same type
https://bugzilla.mindrot.org/show_bug.cgi?id=3219
Bug ID: 3219
Summary: Can't connect to a server that is using several host
keys of the same type
Product: Portable OpenSSH
Version: 8.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
2012 Nov 21
1
HostKey in hardware?
Hi,
Is there any way to store HostKey in hardware (and delegate the related
processing)?
I have been using Roumen Petrov's x509 patch for clients, which works via an
OpenSSL engine, but it does not seem to support server HostKey:
http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html
For PKCS#11, I have found an email on this list from a year back suggesting
this
2017 Feb 04
4
Greeter openssh 7.4 is not according rfc4253.
Hi,
I discovered when using my fuse fs for connecting to a remote host
using sftp that the new
server version 7.4 sends a greeter which is not according to the format described in
https://tools.ietf.org/html/rfc4253#section-4
There is written that the greeter "MUST be terminated by a single
Carriage Return (CR) and a single Line Feed (LF) character (ASCII 13
and 10, respectively)."
Now
2014 Mar 06
1
Encryption
Am I correct in assuming that the user and host public/private keys used
in openSSH are only used for authentication (is the remote server known to
be X, is this Harry trying to login), and have no role in the encryption?
I was under the assumption that each connection used a newly generated
key (using DH for key exchange) so each session was unique.
(I believe this because the transport layer
2023 Nov 10
1
Question about stderr output containing carriage return External
Hi all,
I have recently only discovered that openssh prints lines to stderr
separated by CRLF pairs, and am trying to understand where this
behavior comes from.
This behavior can be seen here:
--snip--
$ ssh u at u 2>&1 | sed -n l
ssh: Could not resolve hostname u: Name or service not known\r$
--snip--
I have seen section 11.3 from rfc4253, but am unsure whether that is
the origin of
2013 Jun 25
1
RFC: encrypted hostkeys patch
Hi,
About a year and a half ago I brought up the topic of encrypted hostkeys
and posted a patch
(http://marc.info/?l=openssh-unix-dev&m=132774431906364&w=2), and while the
general reaction seemed receptive to the idea, a few problems were pointed
out with the implementation (UI issues, ssh-keysign breakage).
I've finally had some spare time in which to get back to this, and I've
2011 Jan 26
1
Packets Sizes and Information Leakage
This message is a few years old so I cannot reply to the original, but
it is still of current research interest.
> So one of my coworkers is doing a little research on SSH usage in the
> wild using netflow data. One of the things he's trying to do is
> determine a way to differentiate between data transfers and interactive
> sessions. We thought of a couple of ways but we wanted
2013 Apr 19
0
OpenSSH_6.1p1 sends a SSH packet bigger than 32K
The full SSH_MSG_CHANNEL_DATA packet looks like this:
uint32 packet length
byte SSH_MSG_CHANNEL_DATA
uint32 recipient channel
uint32 nr data bytes
byte[] data
OpenSSH_6.1p1 considers that the 'maximum packet size' from SSH_MSG_CHANNEL_OPEN or SSH_MSG_CHANNEL_OPEN_CONFIRMATION impacts only the 'byte[] data' field and not the entire message (headers included).
2024 Feb 05
0
Server-side algorithms selection
Hi,
according to RFC 4253
https://www.rfc-editor.org/rfc/rfc4253#section-7.1
for the selection of algorithms (ciphers, KEX, MAC etc.), the leftmost
matching client algorithm is picked.
While this is fine in most cases, there are cases where it is not
desirable, for example:
1) for compatibility with a single old client you enable an old cipher,
say aes128-cbc, server side. A modern client
2015 Feb 20
3
SUCCESS: OpenSSH_6.7p1-snap20150220
Compiled OK, and operating nicely on CentOS 6.6, both 32/64 bit.
Really appreciate the UpdateHostkeys feature!
One issue I noticed, the screen output gets garbled if the user has been "asked" to "Accept" the new hostkeys.
Looks like the screen output is missing the CR's, and only LF's get presented.
[root at be2 .ssh]# ssh be1 ls -l
Warning: Permanently added
2018 Apr 18
3
[PATCH] configure.ac/cipher.c: Check for OpenSSL with EVP_des_ede3_cbc
While compiling openssl with option `no-des', it caused the openssh
build failure
...
cipher.c:85:41: error: 'EVP_des_ede3_cbc' undeclared here (not in a function);
...
Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
cipher.c | 2 ++
configure.ac | 20 ++++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/cipher.c b/cipher.c
index
2002 Jan 31
7
x509 for hostkeys.
This (very quick) patch allows you to connect with the commercial
ssh.com windows client and use x509 certs for hostkeys. You have
to import your CA cert (ca.crt) in the windows client and certify
your hostkey:
$ cat << 'EOF' > x509v3.cnf
CERTPATHLEN = 1
CERTUSAGE = digitalSignature,keyCertSign
CERTIP = 0.0.0.0
[x509v3_CA]
2024 Jan 11
0
Announce: timeline to remove DSA support in OpenSSH
Hi,
OpenSSH plans to remove support for DSA keys in the near future. This
message describes our rationale, process and proposed timeline.
Rationale
---------
DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is <=80 bits symmetric equivalent[1][2].
OpenSSH has disabled DSA keys by
2019 Oct 21
2
Multiple Signatures on SSH-Hostkeys
Hello, OpenSSH-wizards.
In our company, we have looked into SSH-HostKey-signing in order to
realize automated access without the need to accept the server's
hostkey, manually.
I got it to work with the HostCertificate-directive inside the
sshd_config.
Now, I was wondering whether it is possible to have multiple
signatures, so I can, for example, sign the hostkey once with a
2013 Nov 02
2
[PATCH] curve25519-sha256@libssh.org key exchange proposal
On 02.11.2013 at 11:38, Aris Adamantiadis <aris at 0xbadc0de.be> wrote:
> RFC4251 describes mpint to be multi-size and with positive values having
> MSB clear, so it's clearly incompatible with raw string.
>
> Since you both agreed on the curve25519 implementation to use, I'll work
> today on Markus' patch to make the changes Damien wanted.
What do you want to
2020 Apr 26
5
[Bug 3155] New: openssh support hostkey encrypt
https://bugzilla.mindrot.org/show_bug.cgi?id=3155
Bug ID: 3155
Summary: openssh support hostkey encrypt
Product: Portable OpenSSH
Version: 8.2p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
2009 Oct 01
3
[Bug 1657] New: Server Authentication when both RSA and DSA are enabled (on the server)
https://bugzilla.mindrot.org/show_bug.cgi?id=1657
Summary: Server Authentication when both RSA and DSA are
enabled (on the server)
Product: Portable OpenSSH
Version: 5.2p1
Platform: All
OS/Version: All
Status: NEW
Severity: trivial
Priority: P2
Component: ssh
AssignedTo:
2012 Dec 27
3
[PATCH] hostfile: list known names (if any) for new hostkeys
When connecting to a host for which there's no known hostkey, check if the
relevant key has been accepted for other hostnames. This is useful when
connecting to a host with a dynamic IP address or multiple names.
---
auth.c | 4 ++--
hostfile.c | 42 ++++++++++++++++++++++++++++--------------
hostfile.h | 8 ++++++--
sshconnect.c | 39 +++++++++++++++++++++++++++++++++------