similar to: ssh host keys on cloned virtual machines

Displaying 20 results from an estimated 4000 matches similar to: "ssh host keys on cloned virtual machines"

2023 Feb 25
1
ssh host keys on cloned virtual machines
On Fri, Feb 24, 2023 at 10:01 AM Jochen Bern <Jochen.Bern at binect.de> wrote: > > On 24.02.23 12:58, Keine Eile wrote: > > does any one of you have a best practice on renewing ssh host keys on > > cloned machines? > > I have a customer who never thought about that, while cloning all VMs > > from one template. Now all machines have the exact same host key. >
2023 Feb 25
1
ssh host keys on cloned virtual machines
On 2/25/23 07:50, Nico Kadel-Garcia wrote: > On Fri, Feb 24, 2023 at 10:01 AM Jochen Bern <Jochen.Bern at binect.de> wrote: >> >> On 24.02.23 12:58, Keine Eile wrote: >>> does any one of you have a best practice on renewing ssh host keys on >>> cloned machines? >>> I have a customer who never thought about that, while cloning all VMs >>>
2023 Feb 26
1
ssh host keys on cloned virtual machines
On Sat, Feb 25, 2023 at 12:14?PM Demi Marie Obenour <demiobenour at gmail.com> wrote: > > On 2/25/23 07:50, Nico Kadel-Garcia wrote: > > On Fri, Feb 24, 2023 at 10:01 AM Jochen Bern <Jochen.Bern at binect.de> wrote: > >> > >> On 24.02.23 12:58, Keine Eile wrote: > >>> does any one of you have a best practice on renewing ssh host keys on >
2024 Dec 05
1
Better reporting for signature algorithm mismatch?
On 04.12.24 19:47, Brian Candler wrote: > debug1: Offering public key: /Users/brian/.ssh/id_rsa RSA [...] > debug1: send_pubkey_test: no mutual signature algorithm <<<< *THIS* > > I wonder if there could there be some way to highlight the "no mutual > signature algorithm" message more prominently in normal operation? Wouldn't the extra output, even in
2023 Feb 26
1
ssh host keys on cloned virtual machines
On Fri, 24 Feb 2023, Keine Eile wrote: > does any one of you have a best practice on renewing ssh host keys on cloned > machines? Yes: not cloning machines. There?s too many things to take care of for these. The VM UUID in libvirt. The systemd machine ID. SSH hostkey and SSL private key. The RNG seed. The various places where the hostname is written to during software installation. The
2023 Feb 24
3
ssh host keys on cloned virtual machines
Hi list members, does any one of you have a best practice on renewing ssh host keys on cloned machines? I have a customer who never thought about that, while cloning all VMs from one template. Now all machines have the exact same host key. My approach would be to store a machines MAC address(es). Then when starting the sshd.service, check if this MAC has changed. If so, remove all host keys, let
2023 Feb 28
1
ssh host keys on cloned virtual machines
On Sun, Feb 26, 2023 at 2:51?PM Thorsten Glaser <t.glaser at tarent.de> wrote: > > On Fri, 24 Feb 2023, Keine Eile wrote: > > > does any one of you have a best practice on renewing ssh host keys on cloned > > machines? > > Yes: not cloning machines. Good luck with *that*. Building VM's from media is a far, far too lengthy process for production deployment,
2024 Jun 27
1
Proposal to add a DisableAuthentication option to sshd ServerOptions
On 27.06.24 06:34, Henry Qin wrote: > *Specific use cases:* > 1. Combine sshd on an unprivileged port with kubectl port-forward to > replace kubectl exec for shelling into containers running in a secure > Kubernetes environment. Kubectl exec does not kill processes on disconnect, > and does not support remote port forwarding, while ssh does both of these > things. > 2. Run an
2023 Jul 07
1
Subsystem sftp invoked even though forced command created
On 06.07.23 23:37, MCMANUS, MICHAEL P wrote:> So changing the forced command as stated will break the application. I > would need to create a test bed to simulate the listener rather than > use the server as is, where is. That may produce false or misleading > results. Since the forced command is tied to the specific keypair in the authorized_keys, you could -- test with a different
2024 Oct 23
1
Security of ssh across a LAN, public key versus password
On 21.10.24 20:26, Chris Green wrote: > I have a small LAN at home with nine or ten systems on it running > various varieties of Linux. I 'do things' on the LAN either from my > dekstop machine or from my laptop, both run Xubuntu 24.04 at the > moment. > > There's a couple of headless systems on the LAN where login security > is important to me and I've been
2018 Jun 19
2
Is there such a thing as "Password Safe Forwarding"?
Hello everyone, I work in a setting where remote logins are usually authenticated with SSH user keypairs, but many target accounts need to have a password set nonetheless (to use with sudo, log in via remote KVM, etc.) and cannot be put under a central user administration like LDAP. Enter a corporate password policy that requires passwords to be complex, different everywhere, and of limited
2024 Jul 04
1
Request for a Lockdown option
On 04.07.24 01:41, Manon Goo wrote: > - some users private keys are lost Then you go and remove the corresponding pubkeys from wherever they're configured. Seriously, even if you do not scan which pubkey is configured where *now* (as is part of our usual monitoring), it'll be your "number <3" task *then* to go hunt it down. > And you want to lock down the sshd
2018 Sep 27
0
Collecting S/MIME Certs from (incoming signed) E-Mails
Two quick questions, if I may: We've been asked to change an existing application (whose builtin S/MIME capabilities are quite unclear) so that the e-mails it sends will be S/MIME encrypted, if possible. I have some experience in getting an MTA to encrypt e-mails in transit, but the trick is, of course, to maintain a list of addressees' (current) certs. Ideally, users send e-mails *to*
2024 Jun 18
1
Call for testing: openssh-9.8
On 18.06.24 13:36, Stuart Henderson wrote: > Not sure whether anything should be done with it, but I noticed so > thought I'd mention: if you pass ssh-keygen -R a known_hosts file with > DSA sigs, you get "invalid line" warnings. Out of interest, did you, perchance, try running an ssh-keygen -l on a DSA-infested file? (I added a bit of extra IDS to our monitoring that
2023 Apr 03
0
sftp and utmp
On 30.03.23 22:43, Fran?ois Ouellet wrote: > We need to limit concurrent sftp logins to one per user (because of bad > client behaviour). Is there any way to achieve this I have overlooked? What authentication method(s) do your users use? On our Internet-facing SFTP server, by default (few exceptions), we accept only pubkey auth and require users to (un)install pubkeys through us. In
2023 Jun 11
0
Minimize sshd log clutter/spam from unauthenticated connections
On 10.06.23 11:19, Carsten Andrich wrote: > For the time being, I've deployed a quasi-knocking KISS solution that > sends an unencrypted secret via a single UDP packet. Server side is ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > realized entirely with nftables ... frankly, for that reason, I like fwknop (in my case, straight from OS repos) better ... I'd still have to see fwknopd exit
2023 Jul 20
0
Feature Request (re: CVE-2023-3840)
On 19.07.23 16:40, Damien Miller wrote: > Exploitation can also be prevented by starting ssh-agent(1) with an > empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring > an allowlist that contains only specific provider libraries. Upon trying to deploy such a workaround, I found that the call to ssh-agent(1) nowadays is hidden *ridiculously* deep in the GUI startup
2024 Apr 18
0
Reacting to / Logging the peer's Version String?
Hello everyone, I seem to remember that, quite some while back, there were provisions in OpenSSH to look at the version string in the peer's hello and activate compatibility options for peer software that needed them. Now, with CVE-2024-31497, I would like to have a look at the version strings of clients and servers other organizations use to exchange data with us; I remember
2023 Oct 16
1
ssh-agent hides sk "confirm user presence" message
On 16.10.23 04:59, Damien Miller wrote: > On Mon, 16 Oct 2023, openssh at tr.id.au wrote: >> When using the key without an agent, it prompts with a reminder to touch the key: >> >> $ ssh user at remote >> Confirm user presence for key ED25519-SK MD5:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX [...] >> But as soon as I add the key to an agent, it now hides that
2023 Jul 05
1
Subsystem sftp invoked even though forced command created
On 05.07.23 02:50, Damien Miller wrote: > Some possibilities: > 1. the receive.ksh script is faulty in some way that causes it to invoke > sftp-server How would the script even *know* that the client requested the SFTP subsystem? Is a subsystem's executable/path, supposedly internally overwritten with the forced command at that point, exposed through $SSH_ORIGINAL_COMMAND ?