similar to: ssh host keys on cloned virtual machines

On Fri, Feb 24, 2023 at 10:01 AM Jochen Bern <Jochen.Bern at binect.de> wrote: > > On 24.02.23 12:58, Keine Eile wrote: > > does any one of you have a best practice on renewing ssh host keys on > > cloned machines? > > I have a customer who never thought about that, while cloning all VMs > > from one template. Now all machines have the exact same host key. >

On 2/25/23 07:50, Nico Kadel-Garcia wrote: > On Fri, Feb 24, 2023 at 10:01 AM Jochen Bern <Jochen.Bern at binect.de> wrote: >> >> On 24.02.23 12:58, Keine Eile wrote: >>> does any one of you have a best practice on renewing ssh host keys on >>> cloned machines? >>> I have a customer who never thought about that, while cloning all VMs >>>

On Sat, Feb 25, 2023 at 12:14?PM Demi Marie Obenour <demiobenour at gmail.com> wrote: > > On 2/25/23 07:50, Nico Kadel-Garcia wrote: > > On Fri, Feb 24, 2023 at 10:01 AM Jochen Bern <Jochen.Bern at binect.de> wrote: > >> > >> On 24.02.23 12:58, Keine Eile wrote: > >>> does any one of you have a best practice on renewing ssh host keys on >

On 06.07.23 23:37, MCMANUS, MICHAEL P wrote:> So changing the forced command as stated will break the application. I > would need to create a test bed to simulate the listener rather than > use the server as is, where is. That may produce false or misleading > results. Since the forced command is tied to the specific keypair in the authorized_keys, you could -- test with a different

Hello everyone, I work in a setting where remote logins are usually authenticated with SSH user keypairs, but many target accounts need to have a password set nonetheless (to use with sudo, log in via remote KVM, etc.) and cannot be put under a central user administration like LDAP. Enter a corporate password policy that requires passwords to be complex, different everywhere, and of limited

On Fri, 24 Feb 2023, Keine Eile wrote: > does any one of you have a best practice on renewing ssh host keys on cloned > machines? Yes: not cloning machines. There?s too many things to take care of for these. The VM UUID in libvirt. The systemd machine ID. SSH hostkey and SSL private key. The RNG seed. The various places where the hostname is written to during software installation. The

Two quick questions, if I may: We've been asked to change an existing application (whose builtin S/MIME capabilities are quite unclear) so that the e-mails it sends will be S/MIME encrypted, if possible. I have some experience in getting an MTA to encrypt e-mails in transit, but the trick is, of course, to maintain a list of addressees' (current) certs. Ideally, users send e-mails *to*

Hi list members, does any one of you have a best practice on renewing ssh host keys on cloned machines? I have a customer who never thought about that, while cloning all VMs from one template. Now all machines have the exact same host key. My approach would be to store a machines MAC address(es). Then when starting the sshd.service, check if this MAC has changed. If so, remove all host keys, let

On Sun, Feb 26, 2023 at 2:51?PM Thorsten Glaser <t.glaser at tarent.de> wrote: > > On Fri, 24 Feb 2023, Keine Eile wrote: > > > does any one of you have a best practice on renewing ssh host keys on cloned > > machines? > > Yes: not cloning machines. Good luck with *that*. Building VM's from media is a far, far too lengthy process for production deployment,

On 05.07.23 02:50, Damien Miller wrote: > Some possibilities: > 1. the receive.ksh script is faulty in some way that causes it to invoke > sftp-server How would the script even *know* that the client requested the SFTP subsystem? Is a subsystem's executable/path, supposedly internally overwritten with the forced command at that point, exposed through $SSH_ORIGINAL_COMMAND ?

On 10/25/2017 12:58 PM, Heiko Schlittermann wrote: > We could create new "role" users, share the password and create an > additional account within the mail client (thunderbird) they use. From > users perspective it is exactly what they want. But I dislike the idea > of sharing the password. For what reason exactly? It not being personalized, too easy to leak, potentially

On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org digested: > Subject: how to block brute force attacks on reverse tunnels? > From: Steve Newcomb <srn at coolheads.com> > Date: 25.04.24, 17:14 > > For many years I've been running ssh reverse tunnels on portable Linux, > OpenWRT, Android etc. hosts so they can be accessed from a server whose > IP is stable

Hello everyone, my workplace has gotten the idea of centrally maintaining a file in ssh_config syntax so that employees do not need to discover every new machine and configure it on their own. Since it's a case of "let's get started now, and properly think it through later", right now, a typical entry might look like > Host [product]-[Customer] > Hostname

On 11/17/2016 08:48 AM, Steve Litt wrote: > When I use an email client, its purpose is as a window into my Dovecot > IMAP, and as a mechanism to reply to and send emails. I don't do > filtering or calendaring on my email client (filtering via procmail > direct to Dovecot). > > What email clients are all of you using to look at your IMAP email? Plaintext or HTML mails?

On 30.03.23 22:43, Fran?ois Ouellet wrote: > We need to limit concurrent sftp logins to one per user (because of bad > client behaviour). Is there any way to achieve this I have overlooked? What authentication method(s) do your users use? On our Internet-facing SFTP server, by default (few exceptions), we accept only pubkey auth and require users to (un)install pubkeys through us. In

On 10.06.23 11:19, Carsten Andrich wrote: > For the time being, I've deployed a quasi-knocking KISS solution that > sends an unencrypted secret via a single UDP packet. Server side is ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > realized entirely with nftables ... frankly, for that reason, I like fwknop (in my case, straight from OS repos) better ... I'd still have to see fwknopd exit

On 19.07.23 16:40, Damien Miller wrote: > Exploitation can also be prevented by starting ssh-agent(1) with an > empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring > an allowlist that contains only specific provider libraries. Upon trying to deploy such a workaround, I found that the call to ssh-agent(1) nowadays is hidden *ridiculously* deep in the GUI startup

Hello everyone, I seem to remember that, quite some while back, there were provisions in OpenSSH to look at the version string in the peer's hello and activate compatibility options for peer software that needed them. Now, with CVE-2024-31497, I would like to have a look at the version strings of clients and servers other organizations use to exchange data with us; I remember

On 16.10.23 04:59, Damien Miller wrote: > On Mon, 16 Oct 2023, openssh at tr.id.au wrote: >> When using the key without an agent, it prompts with a reminder to touch the key: >> >> $ ssh user at remote >> Confirm user presence for key ED25519-SK MD5:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX [...] >> But as soon as I add the key to an agent, it now hides that

On 05.07.23 18:01, MCMANUS, MICHAEL P wrote: > It appears the forced command either does not run or runs to completion > and exits immediately, as there is no process named "receive.ksh" in > the process tree. FWIW, two cents of mine: -- The script *exiting* should *not* prompt sshd to execute the requested subsystem "as a second thought", or else it'd happen