similar to: Identify multiple users doing reverse port FWD with their pubkeys

Hi Jochen, On Wed, 12 Feb 2020 at 00:16, Jochen Bern <Jochen.Bern at binect.de> wrote: > > On 02/11/2020 07:07 PM, Cl?ment P?ron wrote: > > - I have X devices (around 30) and one SSH server > > - Each of them have a unique public key and create one dynamic reverse > > port forwarding on the server > > - All of them connect with the same UNIX user (I don't

Hi folks, Since Docker can bind-mount every .ssh directory I am looking for some way to forbid unprotected private keys. AFAICS it is currently not possible on the sshd to verify that the peer's private key was protected by a passphrase. Can you confirm? Regards Harri

On Tue, 9 Jul 2024, Jochen Bern wrote: > allocated" the *same* port, one for SSH, one for HTTPS: No, it?s not the same port, it?s a different (address, port) tuple. > Is there anything I can do to prevent a port number being double assigned like > this? Use IPv4+IPv6 bindings for both? bye, //mirabilos -- 15:41?<Lo-lan-do:#fusionforge> Somebody write a testsuite for

As far as I can tell, there currently isn't a straightforward way to use password authentication for connecting to hosts where the host key changes frequently. I realize this is a fairly niche use case, but when developing software for devices that often get reimaged (resulting in a host key change), it can get pretty tedious to attempt to connect, get a warning, remove the old host key via

On 05/16/2018 06:07 AM, Aki Tuomi wrote: >> On 15 May 2018 at 22:43 Gandalf Corvotempesta <gandalf.corvotempesta at gmail.com> wrote: >> Is possible to implement and end-to-end encryption with dovecot, where >> server-side there is no private key to decrypt messages? > > You could probably automate this with sieve and e.g. GnuPG, which would mean > that all your

Christian Weisgerber <naddy at mips.inka.de> writes: > On 2020-01-12, Dustin Lundquist <dustin at null-ptr.net> wrote: > >> I think the intended application is to proxy through a proxy host provided by the service provider. If SSH had a SNI like feature where a host identifier was passed in plain text during the initial connection. This way the user would just need to

This isn't a problem with openssh per se, but impacts some users on Linux, and I wonder if I can get an amen on a netstat/net-utils change proposal. Splitting out sshd-session had an unfortunate side-effect: on Linux if you are used to using netstat -antp to see what user process is associated with which socket, the longer process name squeezes out the username. Prior to the change: #

On 18.06.24 13:36, Stuart Henderson wrote: > Not sure whether anything should be done with it, but I noticed so > thought I'd mention: if you pass ssh-keygen -R a known_hosts file with > DSA sigs, you get "invalid line" warnings. Out of interest, did you, perchance, try running an ssh-keygen -l on a DSA-infested file? (I added a bit of extra IDS to our monitoring that

Hi, On Mon, Jan 13, 2020 at 03:16:00PM +0000, Jochen Bern wrote: > Out of interest: > 1. If an extended mechanism were to be implemented, which server pubkey > do you expect to be seen/stored/verified by the client? The proxy's > / v4 middlebox's, or the v6 backend's? Or would you require that all > server-side machines use the *same* host keypairs? I'd do

On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org digested: > Subject: how to block brute force attacks on reverse tunnels? > From: Steve Newcomb <srn at coolheads.com> > Date: 25.04.24, 17:14 > > For many years I've been running ssh reverse tunnels on portable Linux, > OpenWRT, Android etc. hosts so they can be accessed from a server whose > IP is stable

Dear Christian, >How is this different to configuring /etc/securetty and tunnelling >Telnet over SSH Port Forwarding which I don't recommend BTW? In case your SSH is remotely attackable for instance - because your LDAP is configured wrongly, - your run into some problem like CVE-2008-0166 - some users private keys are lost And you want to lock down the sshd and investigate and

On 04.07.24 01:41, Manon Goo wrote: > - some users private keys are lost Then you go and remove the corresponding pubkeys from wherever they're configured. Seriously, even if you do not scan which pubkey is configured where *now* (as is part of our usual monitoring), it'll be your "number <3" task *then* to go hunt it down. > And you want to lock down the sshd

On Fri, 2019-02-15 at 15:57 +1100, Darren Tucker wrote: > That was the original intent (and it's mentioned in RFC4419) however > each moduli file we ship (70-80 instances of 6 sizes) takes about 1 > cpu-month to generate on a lowish-power x86-64 machine. Most of it > is > parallelizable, but even then it'd likely take a few hours to > generate > one of each size. I

Hi, Is it possible to configure Dovecot to reject mail that is not encrypted. In other words: 1. If the user tries to send an unencrypted message from their MUA, the server rejects it. 2. If a third-party tries to send an unencrypted message to the user, the server rejects it. The end result would be that no mail stored on the server can be decrypted by the administrator. I am aware that: *

Hello everyone, I work in a setting where remote logins are usually authenticated with SSH user keypairs, but many target accounts need to have a password set nonetheless (to use with sudo, log in via remote KVM, etc.) and cannot be put under a central user administration like LDAP. Enter a corporate password policy that requires passwords to be complex, different everywhere, and of limited

Hello, I have asked on the postfix mailing list for a solution, how to encrypt incoming emails with public gpg key My original idea was to use a smtpd-milter, which would encrypt all incoming plaintext messages of given user, using the users public gpg key. This way, it would look as if the original sender has sent the message encrypted. Somebody suggested this might be better done in Dovecot,

I wanted to bring up a security concern, and sent mail to openssh at openssh.com but the mail was not delivered.? I hope that one of the developers is on this list and can make sure this mail delivery problem is seen by the right people. (If needed, please contact me directly.)? My apologies for sending this to the whole list... (FYI, it is not about an urgent security issue, but something I

On 24.10.24 02:06, Mabry Tyson wrote: > I [...] sent mail to openssh at openssh.com but the mail was not delivered. > 24 hours after I sent email to that address, I got a DSN indicating > >> Remote server returned '550 5.4.300 Message expired -> 451 Temporary >> failure, please try again later.' ... yeaaahhh whatever it takes to convince the MX that it's *not*

Steffen Nurpmeso wrote in <20240704180538.iV4uex29 at steffen%sdaoden.eu>: |Simon Josefsson wrote in | <87jzi1fg24.fsf at kaka.sjd.se>: ||Jochen Bern <Jochen.Bern at binect.de> writes: ||> (And since you mention "port knocking", I'd like to repeat how fond I ||> am of upgrading that original concept to a single-packet ||> crypto-armored

On 05.07.23 18:01, MCMANUS, MICHAEL P wrote: > It appears the forced command either does not run or runs to completion > and exits immediately, as there is no process named "receive.ksh" in > the process tree. FWIW, two cents of mine: -- The script *exiting* should *not* prompt sshd to execute the requested subsystem "as a second thought", or else it'd happen