Displaying 20 results from an estimated 200 matches similar to: "new related project nutdown: https://github.com/arwarw/nutdown"
2013 Dec 09
0
new related project nutdown: https://github.com/arwarw/nutdown
On Dec 6, 2013, at 8:21 AM, Alexander Wuerstlein wrote:
> I'd like to announce "nutdown", a nut client written using perl
> UPS::Nut.
Thanks for posting this.
One thing that I would consider changing is to treat "ups.status" as a set (splitting on whitespace, if any), and to not rely on the order of the status flags.
Actually, splitting ups.status into an array
2017 Nov 02
2
Is it good for agent forwarding to creates socket in /tmp/
Hi Alexander Wuerstlein
Thanks for the information.
Now I agree that it's better to save the socket in /tmp/
I checked the source code and found that it is hard-coded.
/* Allocate a buffer for the socket name, and format the name. */
auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
It would be nice if openssh provides an option to overwrite this default.
Regards
Tran
2016 Jan 15
4
Proposal: always handle keys in separate process
How about using the existing OpenSSH client's PKCS#11 support to
isolate keying material in a dedicated process?
A similar approach, "Practical key privilege separation using Caml
Crush", was discussed at FOSDEM'15 with a focus on
Heartbleed [1][2] but the ideas and principles are the same.
Now this is easily done using the following available components:
- SoftHSM to store
2016 Nov 28
2
Inconsistency between legacy and release notes?
On Sat, Nov 26, 2016 at 1:16 AM, Alexander Wuerstlein <arw at cs.fau.de> wrote:
[...]
> Afaik it's because DSA key size has (for very weird reasons admittedly:
> FIPS 186-4) been limited to 1024 bits which is considered weak nowadays.
Use of DSA within the SSH protocol requires the use of SHA1, which is
160 bits (80 bits against a birthday attack) and is reaching its
use-by date. This
2012 Sep 24
4
samba4: samba-tool and (unix) uids
Hello,
at my university's CS computer pools we're trying to migrate our
samba3 based NT domain to AD with samba4-rc1.
In the past we had a little script which our users could run on their
own from their linux account which created a samba user with
their own uid/gid and set their password (via smbpasswd).
We're trying to recreate this behaviour with "samba-tool user create"
2018 Aug 21
2
Good procedure?
On 2018-08-21T06:21, Stef Bon <stefbon at gmail.com> wrote:
> On Tue, 21 Aug 2018 at 06:04, Stef Bon <stefbon at gmail.com> wrote:
> >
> > Hi,
> >
> > I'm looking for a procedure (on paper first) to provide users on hosts
> > session keys to login to servers providing services like file, print
> > or even access to internet or a sql db.
>
2016 Jan 14
4
Proposal: always handle keys in separate process
Hello,
in light of the recent CVE-2016-0777, I came up with the following idea,
that would have lessened its impact. Feel free to ignore or flame me,
maybe it's stupid or I missed something :)
- private key material should only ever be handled in a separate process
from the SSH client. ssh-agent (maybe slightly extended) seems the
logical choice.
- in places where the client currently reads
2010 Jul 20
3
fix byte ordering problem in TFTP/PXE fs access
Hello,
When trying out (g)pxelinux using TFTP URLs and the '<host>::<path>' syntax,
pxelinux seemed to "hang". Some printf debugging and tcpdump revealed that it
looped in the timeout after sending the TFTP RRQ. Further investigation
revealed, that if a plain IP address (e.g. "tftp://12.34.56.78/something") is
used, the byte order is not converted from host
2016 Nov 23
2
Inconsistency between legacy and release notes?
Hi,
Someone told me that DSA keys were being deprecated with OpenSSH 7.0. The only reference I could find about this topic on openSSH site is on the legacy page:
"OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use."
There is no explanation about the weakness. But more than that, I could not find any mention
2017 May 12
2
ls hangs in internal-sftp for LDAP users
On 12/05/2017 at 12:47, Alexander Wuerstlein wrote:
> On 2017-05-12T12:07, mh at ow2.org <mh at ow2.org> wrote:
>> I'm using 7.2p2-4ubuntu2.1
>>
>> I have the same exact problem as described in the first comment in
>> https://bugzilla.mindrot.org/show_bug.cgi?id=1573
>>
>> Initially, my ldap server hostname and IP is only in /etc/hosts, not in
2017 May 18
2
ls hangs in internal-sftp for LDAP users + numeric uid/gid instead of names
On 2017-05-18T13:13, mh at ow2.org <mh at ow2.org> wrote:
> On 18/05/2017 at 12:17, mh at ow2.org wrote:
> > However, I get uid/gid numbers instead of names within sftp session (ls
> > -l) ? I don't know if it's new but I would definitively prefer names...
>
> It seems the reason is :
>
> open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES
2007 Mar 23
1
Permissions on the ssh-agent socket
Hello,
this may be a stupid question, but I'll ask anyways because I was unable to get
a satisfying answer somewhere else. So feel free to simply point out my stupidity,
if the problem lies only there.
The question:
If I start an ssh-agent, it creates a socket (/tmp/ssh-*/agent.*), with the socket's
and the directory's permissions set to 600. However, if I now connect to a remote
2017 May 18
2
ls hangs in internal-sftp for LDAP users + numeric uid/gid instead of names
On 12/05/2017 at 14:03, Alexander Wuerstlein wrote:
> On 2017-05-12T13:49, mh at ow2.org <mh at ow2.org> wrote:
>> On 12/05/2017 at 12:47, Alexander Wuerstlein wrote:
>>> On 2017-05-12T12:07, mh at ow2.org <mh at ow2.org> wrote:
>>>> I'm using 7.2p2-4ubuntu2.1
>>>>
>>>> I have the same exact problem as described in the first
2018 Apr 04
2
OpenSSH-Client without reverse tunnel ability
On 2018-04-04T17:27, mlrx <openssh-unix-dev at 18informatique.com> wrote:
> On 04/04/2018 at 13:32, Jan Bergner wrote:
> > Good day!
> >
> > Is it possible to achieve this without nasty workarounds like wrapper
> > scripts monitoring the very-verbose output of SSH or doing DPI?
> > Alternatively, would it be possible to add a config option, allowing an
2018 Apr 05
2
OpenSSH-Client without reverse tunnel ability
On Apr 4 13:58, Nico Kadel-Garcia wrote:
> On Wed, Apr 4, 2018 at 11:43 AM, Alexander Wuerstlein
> <snalwuer at cip.informatik.uni-erlangen.de> wrote:
> > On 2018-04-04T17:27, mlrx <openssh-unix-dev at 18informatique.com> wrote:
> >> On 04/04/2018 at 13:32, Jan Bergner wrote:
> >> > Good day!
> >> >
> >> > Is it possible to
2015 Sep 26
5
[RFC][PATCH v2] Support a list of sockets on SSH_AUTH_SOCK
The idea behind this change is to add support for different "ssh-agents"
being able to run at the same time. It does not change the current
behaviour of the ssh-agent (which will set SSH_AUTH_SOCK just for
itself). Neither does it change the behaviour of SSH_AGENT_PID (which
still supports only one pid).
The new implementation will go through the list of sockets (which are
separated by a
2018 Apr 05
2
OpenSSH-Client without reverse tunnel ability
On Thu, Apr 5, 2018 at 7:13 AM, Jan Bergner <jan.bergner at indurad.com> wrote:
> Hello all.
>
> First of all, I want to extend my sincere thanks to all the people who
> came to the rescue so quickly.
>
> In any case, there is obviously room for clarification on my part, so I
> will try to describe the situation we had in more detail.
>
> In short:
> Employees
2017 May 12
3
ls hangs in internal-sftp for LDAP users
I'm using 7.2p2-4ubuntu2.1
I have the same exact problem as described in the first comment in
https://bugzilla.mindrot.org/show_bug.cgi?id=1573
Initially, my ldap server hostname and IP is only in /etc/hosts, not in
the configured resolver. I can't use the real IP as a workaround in
ldap.conf because of the TLS configuration which cares about the hostname.
At the time I add the host
2018 Aug 21
2
Good procedure?
Hi,
I'm looking for a procedure (on paper first) to provide users on hosts
session keys to login to servers providing services like file, print
or even access to internet or a sql db.
The first step is that user has to authenticate on the local host via
password. Password and usernames are centrally managed via ldap (or
similar).
The second step is that the user on host logs in to the CA
2018 Apr 09
2
OpenSSH-Client without reverse tunnel ability
On 05.04.2018 at 14:11, Alexander Wuerstlein wrote:
> On 2018-04-05T14:07, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>> How difficult would it be to leave a scheduled security check to
>> look for "ssh[ \t].*-R.*" expressions with "pgrep", and file a
>> security abuse report if such processes are seen? It could be
>> worked around, but