2023 Feb 25
1
ssh host keys on cloned virtual machines
On Fri, Feb 24, 2023 at 10:01 AM Jochen Bern <Jochen.Bern at binect.de> wrote:
>
> On 24.02.23 12:58, Keine Eile wrote:
> > does any one of you have a best practice on renewing ssh host keys on
> > cloned machines?
> > I have a customer who never thought about that, while cloning all VMs
> > from one template. Now all machines have the exact same host key.
>
2023 Feb 25
1
ssh host keys on cloned virtual machines
On 2/25/23 07:50, Nico Kadel-Garcia wrote:
> On Fri, Feb 24, 2023 at 10:01 AM Jochen Bern <Jochen.Bern at binect.de> wrote:
>>
>> On 24.02.23 12:58, Keine Eile wrote:
>>> does any one of you have a best practice on renewing ssh host keys on
>>> cloned machines?
>>> I have a customer who never thought about that, while cloning all VMs
>>>
2023 Feb 26
1
ssh host keys on cloned virtual machines
On Sat, Feb 25, 2023 at 12:14 PM Demi Marie Obenour
<demiobenour at gmail.com> wrote:
>
> On 2/25/23 07:50, Nico Kadel-Garcia wrote:
> > On Fri, Feb 24, 2023 at 10:01 AM Jochen Bern <Jochen.Bern at binect.de> wrote:
> >>
> >> On 24.02.23 12:58, Keine Eile wrote:
> >>> does any one of you have a best practice on renewing ssh host keys on
>
2023 Feb 26
1
ssh host keys on cloned virtual machines
On Fri, 24 Feb 2023, Keine Eile wrote:
> does any one of you have a best practice on renewing ssh host keys on cloned
> machines?
Yes: not cloning machines.
There's too many things to take care of for these. The VM UUID in
libvirt. The systemd machine ID. SSH hostkey and SSL private key.
The RNG seed. The various places where the hostname is written to
during software installation. The
2024 Dec 05
1
Better reporting for signature algorithm mismatch?
On 04.12.24 19:47, Brian Candler wrote:
> debug1: Offering public key: /Users/brian/.ssh/id_rsa RSA [...]
> debug1: send_pubkey_test: no mutual signature algorithm <<<< *THIS*
>
> I wonder if there could there be some way to highlight the "no mutual
> signature algorithm" message more prominently in normal operation?
Wouldn't the extra output, even in
2023 Feb 24
3
ssh host keys on cloned virtual machines
Hi list members,
does any one of you have a best practice on renewing ssh host keys on cloned machines?
I have a customer who never thought about that, while cloning all VMs from one template. Now all machines have the exact same host key.
My approach would be to store a machine's MAC address(es). Then when starting the sshd.service, check if this MAC has changed. If so, remove all host keys, let
2023 Feb 28
1
ssh host keys on cloned virtual machines
On Sun, Feb 26, 2023 at 2:51 PM Thorsten Glaser <t.glaser at tarent.de> wrote:
>
> On Fri, 24 Feb 2023, Keine Eile wrote:
>
> > does any one of you have a best practice on renewing ssh host keys on cloned
> > machines?
>
> Yes: not cloning machines.
Good luck with *that*. Building VMs from media is a far, far too
lengthy process for production deployment,
2024 Jun 27
1
Proposal to add a DisableAuthentication option to sshd ServerOptions
On 27.06.24 06:34, Henry Qin wrote:
> *Specific use cases:*
> 1. Combine sshd on an unprivileged port with kubectl port-forward to
> replace kubectl exec for shelling into containers running in a secure
> Kubernetes environment. Kubectl exec does not kill processes on disconnect,
> and does not support remote port forwarding, while ssh does both of these
> things.
> 2. Run an
2024 Oct 23
1
Security of ssh across a LAN, public key versus password
On 21.10.24 20:26, Chris Green wrote:
> I have a small LAN at home with nine or ten systems on it running
> various varieties of Linux. I 'do things' on the LAN either from my
> desktop machine or from my laptop, both run Xubuntu 24.04 at the
> moment.
>
> There's a couple of headless systems on the LAN where login security
> is important to me and I've been
2025 Jan 10
1
[PATCH] ssh-add: support parser-friendly operation
On 10.01.25 00:33, Corey Hickey wrote:
> I took the approach of preserving current behavior by default, but
> another approach would be to:
> * print "The agent has no identities." to stderr instead of stdout
> * exit with a status of 0 instead of 1
Please don't. If you want to ever get people to load their privkeys into
the agent *with a limited lifetime*, having a
2023 Jul 07
1
Subsystem sftp invoked even though forced command created
On 06.07.23 23:37, MCMANUS, MICHAEL P wrote:
> So changing the forced
command as stated will break the application. I
> would need to create a test bed to simulate the listener rather than
> use the server as is, where is. That may produce false or misleading
> results.
Since the forced command is tied to the specific keypair in the
authorized_keys, you could
-- test with a different
2018 Jun 19
2
Is there such a thing as "Password Safe Forwarding"?
Hello everyone,
I work in a setting where remote logins are usually authenticated with
SSH user keypairs, but many target accounts need to have a password set
nonetheless (to use with sudo, log in via remote KVM, etc.) and cannot
be put under a central user administration like LDAP.
Enter a corporate password policy that requires passwords to be complex,
different everywhere, and of limited
2024 Jul 04
1
Request for a Lockdown option
On 04.07.24 01:41, Manon Goo wrote:
> - some users private keys are lost
Then you go and remove the corresponding pubkeys from wherever they're
configured.
Seriously, even if you do not scan which pubkey is configured where
*now* (as is part of our usual monitoring), it'll be your "number <3"
task *then* to go hunt it down.
> And you want to lock down the sshd
2018 Sep 27
0
Collecting S/MIME Certs from (incoming signed) E-Mails
Two quick questions, if I may:
We've been asked to change an existing application (whose builtin S/MIME
capabilities are quite unclear) so that the e-mails it sends will be
S/MIME encrypted, if possible. I have some experience in getting an MTA
to encrypt e-mails in transit, but the trick is, of course, to maintain
a list of addressees' (current) certs.
Ideally, users send e-mails *to*
2008 May 14
1
Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages
Hello,
For those who run tinc on Debian or Debian-based distributions like
Ubuntu and Knoppix, be advised that the following security issue affects
tinc as well:
http://www.debian.org/security/2008/dsa-1571
In short, if you generated public/private keypairs for tinc between 2006
and May 7th of 2008 on a machine running Debian or a derivative, they may
have been generated without a properly
2023 Feb 28
1
ssh host keys on cloned virtual machines
On Mon, Feb 27, 2023 at 8:33 PM Thorsten Glaser <t.glaser at tarent.de> wrote:
>
> On Mon, 27 Feb 2023, Nico Kadel-Garcia wrote:
>
> >> > does any one of you have a best practice on renewing ssh host keys on cloned
> >> > machines?
> >>
> >> Yes: not cloning machines.
> >
> >Good luck with *that*. Building VMs from media is
2023 Feb 28
1
ssh host keys on cloned virtual machines
Hi.
I think this thread has veered far enough from the discussion of
OpenSSH development to be considered off-topic.
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
2023 Apr 03
0
sftp and utmp
On 30.03.23 22:43, François Ouellet wrote:
> We need to limit concurrent sftp logins to one per user (because of bad
> client behaviour). Is there any way to achieve this I have overlooked?
What authentication method(s) do your users use?
On our Internet-facing SFTP server, by default (few exceptions), we
accept only pubkey auth and require users to (un)install pubkeys through
us. In
2023 Jun 11
0
Minimize sshd log clutter/spam from unauthenticated connections
On 10.06.23 11:19, Carsten Andrich wrote:
> For the time being, I've deployed a quasi-knocking KISS solution that
> sends an unencrypted secret via a single UDP packet. Server side is
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> realized entirely with nftables
... frankly, for that reason, I like fwknop (in my case, straight from
OS repos) better ... I'd still have to see fwknopd exit