similar to: Encryption

Displaying 20 results from an estimated 20000 matches similar to: "Encryption"

2015 May 21
8
Weak DH primes and openssh
Hi, You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be that 1024-bit DH primes might well be too weak. I'm wondering what (if anything!) you propose to do about this issue, and what Debian might do for our users? openssh already prefers ECDH, which must reduce the impact somewhat, although the main Windows client (PuTTY) doesn't support ECDH yet. But
2013 May 15
1
key rotation on ssh servers
hi OpenSSH folks-- I have several OpenSSH sshd servers that i've maintained for a long time. Some of them have keys that are considered short by today's standards (e.g. 1024-bit RSA keys). On these servers, I would like to be able to do a key rotation such that multiple keys are valid during a time window so that users can learn the new key before i remove the old one. I don't
2013 Nov 02
3
[PATCH] curve25519-sha256@libssh.org key exchange proposal
It should be compatible with the original patch. However I think that the shared secret should be encoded as a string, too. What does libssh do? > On 02.11.2013 at 05:46, Damien Miller <djm at mindrot.org> wrote: > >> On Fri, 1 Nov 2013, Markus Friedl wrote: >> >> Here are three versions (patch against openbsd cvs) >> >> 1) replace nacl w/libsodium,
2020 Mar 24
1
At rest encryption (with protected crypto keys)
Hi, As stated on the Dovecot documentation, at rest encryption is possible [1]. However, these keys are present on the system itself and are unprotected. Therefore, if a system is compromised, the attacker has access to the encrypted mail and the keys. There is no security benefit in that situation, except for hoping that the attacker doesn't understand that this is happening and how.
2014 Mar 07
12
[Bug 2209] New: Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209 Bug ID: 2209 Summary: Problem logging into Cisco devices under 6.5p1 (kexgexc.c) Product: Portable OpenSSH Version: 6.5p1 Hardware: amd64 OS: FreeBSD Status: NEW Severity: normal Priority: P5 Component: ssh
2016 Oct 18
7
SSH Weak Ciphers
Hi, In a recent security review some systems I manage were flagged due to supporting "weak" ciphers, specifically the ones listed below. So first question is are people generally modifying the list of ciphers supported by the ssh client and sshd? On CentOS 6 currently it looks like if I remove all the ciphers they are concerned about then I am left with Ciphers
2015 Feb 16
2
[Bridge] Sniffing a linux bridge vs sniffing enslaved interfaces
I can think of several potential differences. You may miss any bridge specific traffic (STP, LLDP) using the interfaces generated by the bridge itself. If you have vlan tagged sub interfaces you might also miss that traffic if you were snooping a particular interface. Obviously you will miss any on-wire broadcast traffic specific to the layer1 connection a particular interface was connected to
2017 Feb 04
4
Greeter openssh 7.4 is not according rfc4253.
Hi, I discovered when using my fuse fs for connecting to a remote host using sftp that the new server version 7.4 sends a greeter which is not according the format described in https://tools.ietf.org/html/rfc4253#section-4 There is written that the greeter "MUST be terminated by a single Carriage Return (CR) and a single Line Feed (LF) character (ASCII 13 and 10, respectively)." Now
2023 Nov 10
1
Question about stderr output containing carriage return External
Hi all, I have recently only discovered that openssh prints lines to stderr separated by CRLF pairs, and am trying to understand where this behavior comes from. This behavior can be seen here: --snip-- $ ssh u at u 2>&1 | sed -n l ssh: Could not resolve hostname u: Name or service not known\r$ --snip-- I have seen section 11.3 from rfc4253, but am unsure whether that is the origin of
2015 Feb 16
1
[Bridge] Sniffing a linux bridge vs sniffing enslaved interfaces
Hi all Assume that you have a linux bridge with two interfaces eth0 and eth1 enslaved to this bridge What is the difference between sniffing the bridge and sniffing its interfaces? tcpdump -i br0 vs tcpdump -i eth0 Thanks MiniME
2015 May 26
6
Name based SSH proxy
On 26/05/15 15.50, Daniel Kahn Gillmor wrote: > The argument that the DNS lookup leaks this metadata is a bad argument: > if we followed this line of reasoning, then every problem that has > multiple contributors could never be solved (A says "but my fixing > things is useless if B does nothing", while B says "but my fixing things > is useless if A does nothing"
2015 May 23
2
Weak DH primes and openssh
> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms setting? weakdh.org/sysadmin.html recommends adding: KexAlgorithms curve25519-sha256@libssh.org But this thread makes it sound as if it's not necessary. Can anyone confirm? Personally I'm on openssh-6.7. - Grant > You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be
2016 Jul 05
2
PXELINUX: lpxelinux.0 configuration
Hi Gene, On 05.07.2016 at 12:42, Gene Cumm wrote: > Version 6.03. Is this a distribution build or fresh from the > binary/source archive from kernel.org without any running of 'make'? it's actually a freshly downloaded lpxelinux.0 from kernel.org. I get: $ md5sum lpxelinux.0 d77a175ea1a0a8c05b315d179992e1bd lpxelinux.0 >> nothing more. Sniffing revealed that there are
2019 Mar 15
3
prompt to update a host key
On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote: > Imagine sysadminning a boatload of VMs getting IPs from a dynamic pool, a la > > $ for ADDR in $CUSTOMER_1_RANGE $CUSTOMER_2_RANGE... ; do > > ping -c 1 -w 2 $ADDR >/dev/null 2>&1 && ssh root@$ADDR do_urgent_fix > > done > > , and it mightn't be that much of a niche anymore ... And
2011 Jan 26
1
Packets Sizes and Information Leakage
This message is a few years old so I cannot reply to the original, but it is still of current research interest. > So one of my coworkers is doing a little research on SSH usage in the > wild using netflow data. One of the things he's trying to do is > determine a way to differentiate between data transfers and interactive > sessions. We thought of a couple of ways but we wanted
2005 Jul 26
4
how to classify sip traffic (voip)
How can I classify SIP traffic (VoIP)? I tried dst 5060 UDP port, but it doesn't work. SIP sessions use dynamic ports. Sniffing packets with Windows net-peeker, I see that the packet length is always 87. How can I filter by packet length with u32? Regards Fabian
2012 Apr 04
6
3.2 kernel with C5? Or ndiswrapper?
I know, I know... don't use the non-standard kernels unless you have to... BUT: I have a D-Link N150 USB card. Bus 001 Device 004: ID 0846:9030 NetGear, Inc. WNA1100 Wireless-N 150 [Atheros AR9271] This isn't supported in C5, but it is supported in newer kernels (ath9k_htc). So let's try NDISwrapper: # rpm -i kmod\-ndiswrapper\-1.56\-1.el5.elrepo.i686.rpm
2015 Feb 27
2
yum causing RPC timed out?
On Fri, Feb 27, 2015 at 12:38:06PM -1000, Dave Burns wrote: > What makes you think NIS is involved? > Is Errno 12 a clue? I tried searching for (do_ypcall: clnt_call: rpc: timed "do_ypcall" is a NIS error message. (Previous NIS was called "yellow pages"; the "yp" in do_ypcall is a reference to that). Maybe you have "hosts: files nis" in
2005 Jan 14
1
debugging encrypted part of isakmp
Are there any tools to decode encrypted part of isakmp provided that identities of both peers are known to me and that I am able to observe the whole exchange ? -- Andriy Gapon
2015 Jan 24
2
VLAN issue
Steve, Thanks, makes sense. I just don't see why I have to effectively waste an extra IP address to get my connection established. Boris. On Fri, Jan 23, 2015 at 7:16 PM, Stephen Harris <lists at spuddy.org> wrote: > On Fri, Jan 23, 2015 at 07:10:57PM -0500, Boris Epstein wrote: > > > This makes two of us. I've done everything as you have described and it > >