similar to: FYI: Flush+Reload attack on OpenSSL's ECDSA

Dear OpenSSH devs, I came accross this paper yesterday. http://eprint.iacr.org/2011/232 It states that they were able to recover ECDSA keys from TLS servers by using timing attacks agains OpenSSL's ECDSA implementation. Is that known to be exploitable by OpenSSH ? (In my understanding, it's easy to get a payload signed by ECDSA during the key exchange so my opinion is that it is).

On Wed, 29 Mar 2023, Chris Rapier wrote: > I was wondering if there was something specific to the internal chacha20 > cipher as opposed to OpenSSL implementation. > > I can't just change the block size because it breaks compatibility. I can do > something like as a hack (though it would probably be better to do it with the > compat function): > > if

I'm hardly an expert on this, but if I remember correctly, the rekey rate for good security is mostly dependent on the cipher block size. I left my reference books at home; so, I can't come up with a reference for you, but I would take Chris' "I'm deeply unsure of what impact that would have on the security of the cipher" comment seriously and switch to a cipher with a

On 15.06.2015 21:31, Christian Weisgerber wrote: > On 2015-06-15, Gerhard Wiesinger <lists at wiesinger.com> wrote: > >> I saw that OpenSSH release 6.7 removed all CBC ciphers by default. Is >> CBC therefore considered as broken and unsecure (in general or SSH >> implementation)? > CBC modes in SSH use the last encrypted block of the previous packet > as the IV

That's true for block ciphers, but ChaCha20+poly1305 is a stream cipher. On Wed, 29 Mar 2023, Robinson, Herbie wrote: > > I?m hardly an expert on this, but if I remember correctly, the rekey rate > for good security is mostly dependent on the cipher block size.? I left my > reference books at home; so, I can?t come up with a reference for you, but I > would take Chris?

Hello, I saw that OpenSSH release 6.7 removed all CBC ciphers by default. Is CBC therefore considered as broken and unsecure (in general or SSH implementation)? I also read a lot of references (see below) but still not clear to me what's the actual "security status" of CBC and why it has been removed in general. http://www.openssh.com/txt/release-6.7 sshd(8): The default set

Ah, with an internal block size [Is that what one calls it?] of 64 bytes. From: Damien Miller <djm at mindrot.org> Sent: Wednesday, March 29, 2023 3:08 PM To: Robinson, Herbie <Herbie.Robinson at stratus.com> Cc: Chris Rapier <rapier at psc.edu>; Christian Weisgerber <naddy at mips.inka.de>; openssh-unix-dev at mindrot.org Subject: RE: [EXTERNAL] Re: ChaCha20 Rekey

Hi. Last night on an irc openssh channel, a user brought up a use case involving cluster trees and very descriptive (i.e. long) hierarchical hostnames. To make a long story short, his ControlPath (~/.ssh/control-master /%r@%h:%p) was bumping up against UNIX_PATH_MAX. Attached patch adds a new percent-token (%H) that expands to the sha1 digest of the concatenation of host (%h) + port (%p) +

Hey, Are there any plans in applying the changes suggested in "Provably Fixing the SSH Binary Packet Protocol" by Mihir Bellare, Tadayoshi Kohno and Chanathip Namprempre. http://eprint.iacr.org/2002/078/ I guess this would require a new protocol specification and maybe the task of the IETF Secure Shell Working Group. Dries -- Dries Schellekens email: gwyllion at ulyssis.org

Hello, On Sat, Dec 30, 2017 at 12:16 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net > wrote: > On Thu 2017-12-28 21:31:28 -0800, Dan Mahoney (Gushi) wrote: > > > > Perhaps if you're dead-set on this being so dangerous, > > It's not the developers who are dead-set on weak-keyed RSA being > insecure, it's the cryptanalysts who have shown that to be the

I was wondering if there was something specific to the internal chacha20 cipher as opposed to OpenSSL implementation. I can't just change the block size because it breaks compatibility. I can do something like as a hack (though it would probably be better to do it with the compat function): if (strstr(enc->name, "chacha")) *max_blocks = (u_int64_t)1 << (16*2);

Thanks for clarification. One question though: As far as I have tested openssh, it logs every unsuccessful authentication attempt on the very moment it becomes unsuccessful, not after the connection is closed (after timeout or when reaching max auth attempts). Is this true or not even for this attack or not? Because if it is true, if there is a IDS system that bans IP after X failed logins,

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:06.openssl Security Advisory The FreeBSD Project Topic: OpenSSL timing-based SSL/TLS attack Category: crypto Module: openssl Announced:

Hello. Subramanian Moonesamy has gotten the ball rolling to include Ed25519 in IANA's registry for SSHFP key types [1]. I've opened a bug report [2] that includes a patch that adds the needed support code and provisionally assigns Ed25519 a value of 4 (values 1,2,3 reserved for RSA, DSA, and ECDA, respectively) [3]. The enhancement request/bug is meant to keep the issue on the radar.

OpenSSH 8.3 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested

How 'bout PAM? /usr/ports/security/pam_ldap. If you have machines that can't do PAM, perhaps NIS is the way to go (assuming, of course, you're behind a firewall). You can store login information in LDAP like you want, then use a home-grown script to extract the information to a NIS map. Or, if you have a Solaris 8 machine lying around, you can cut out the middle step and use

On Mon, Mar 31, 2014 at 08:40:26AM -0700, no_spam_98 at yahoo.com wrote: > OpenSSH uses its own CTR mode implementation, correct? ?I seem to > recall some discussion about why it hasn't/won't switch over to using > OpenSSL's implementation, but I can't find the thread anymore. > > So... why doesn't OpenSSH use OpenSSL's CTR mode implementation? I believe as

https://bugzilla.mindrot.org/show_bug.cgi?id=2223 Bug ID: 2223 Summary: Ed25519 support in SSHFP DNS resource records Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at

OpenSSH 8.4 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested

On 23 April 2014 21:43, mancha <mancha1 at zoho.com> wrote: > On Wed, Apr 23, 2014 at 12:26:58PM -0700, Iain Morgan wrote: >> A slightly better solution would be a PAM module that uses the same >> syntax as libwrap. Possibly someone has already written such a module. > > Possibly, but only for platforms which use for PAM. Pam is executed so late in the chain that any