Displaying 20 results from an estimated 1000 matches similar to: "Reacting to / Logging the peer's Version String?"
2024 Jun 18
1
Call for testing: openssh-9.8
On 18.06.24 13:36, Stuart Henderson wrote:
> Not sure whether anything should be done with it, but I noticed so
> thought I'd mention: if you pass ssh-keygen -R a known_hosts file with
> DSA sigs, you get "invalid line" warnings.
Out of interest, did you, perchance, try running an ssh-keygen -l on a
DSA-infested file?
(I added a bit of extra IDS to our monitoring that
2024 Jul 04
1
Request for a Lockdown option
On 04.07.24 01:41, Manon Goo wrote:
> - some users private keys are lost
Then you go and remove the corresponding pubkeys from wherever they're
configured.
Seriously, even if you do not scan which pubkey is configured where
*now* (as is part of our usual monitoring), it'll be your "number <3"
task *then* to go hunt it down.
> And you want to lock down the sshd
2023 Jul 05
1
Subsystem sftp invoked even though forced command created
On 05.07.23 02:50, Damien Miller wrote:
> Some possibilities:
> 1. the receive.ksh script is faulty in some way that causes it to invoke
> sftp-server
How would the script even *know* that the client requested the SFTP
subsystem? Is a subsystem's executable/path, supposedly internally
overwritten with the forced command at that point, exposed through
$SSH_ORIGINAL_COMMAND ?
2024 Apr 25
1
how to block brute force attacks on reverse tunnels?
On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org digested:
> Subject: how to block brute force attacks on reverse tunnels?
> From: Steve Newcomb <srn at coolheads.com>
> Date: 25.04.24, 17:14
>
> For many years I've been running ssh reverse tunnels on portable Linux,
> OpenWRT, Android etc. hosts so they can be accessed from a server whose
> IP is stable
2017 Oct 25
0
authenticate as userA, but get authorization to user userB's account
On 10/25/2017 12:58 PM, Heiko Schlittermann wrote:
> We could create new "role" users, share the password and create an
> additional account within the mail client (thunderbird) they use. From
> users perspective it is exactly what they want. But I dislike the idea
> of sharing the password.
For what reason exactly? It not being personalized, too easy to leak,
potentially
2024 Mar 28
3
Compounding global and individual settings in ssh-config files?
Hello everyone,
my workplace has gotten the idea of centrally maintaining a file in
ssh_config syntax so that employees do not need to discover every new
machine and configure it on their own. Since it's a case of "let's get
started now, and properly think it through later", right now, a typical
entry might look like
> Host [product]-[Customer]
> Hostname
2016 Nov 17
0
Good email client to use with Dovecot?
On 11/17/2016 08:48 AM, Steve Litt wrote:
> When I use an email client, its purpose is as a window into my Dovecot
> IMAP, and as a mechanism to reply to and send emails. I don't do
> filtering or calendaring on my email client (filtering via procmail
> direct to Dovecot).
>
> What email clients are all of you using to look at your IMAP email?
Plaintext or HTML mails?
2023 Feb 24
1
ssh host keys on cloned virtual machines
On 24.02.23 12:58, Keine Eile wrote:
> does any one of you have a best practice on renewing ssh host keys on
> cloned machines?
> I have a customer who never thought about that, while cloning all VMs
> from one template. Now all machines have the exact same host key.
> My approach would be to store a machine's MAC address(es). Then when
> starting the sshd.service, check if
2023 Apr 03
0
sftp and utmp
On 30.03.23 22:43, François Ouellet wrote:
> We need to limit concurrent sftp logins to one per user (because of bad
> client behaviour). Is there any way to achieve this I have overlooked?
What authentication method(s) do your users use?
On our Internet-facing SFTP server, by default (few exceptions), we
accept only pubkey auth and require users to (un)install pubkeys through
us. In
2023 Jun 11
0
Minimize sshd log clutter/spam from unauthenticated connections
On 10.06.23 11:19, Carsten Andrich wrote:
> For the time being, I've deployed a quasi-knocking KISS solution that
> sends an unencrypted secret via a single UDP packet. Server side is
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> realized entirely with nftables
... frankly, for that reason, I like fwknop (in my case, straight from
OS repos) better ... I'd still have to see fwknopd exit
2023 Jul 20
0
Feature Request (re: CVE-2023-3840)
On 19.07.23 16:40, Damien Miller wrote:
> Exploitation can also be prevented by starting ssh-agent(1) with an
> empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
> an allowlist that contains only specific provider libraries.
Upon trying to deploy such a workaround, I found that the call to
ssh-agent(1) nowadays is hidden *ridiculously* deep in the GUI startup
2023 Oct 16
1
ssh-agent hides sk "confirm user presence" message
On 16.10.23 04:59, Damien Miller wrote:
> On Mon, 16 Oct 2023, openssh at tr.id.au wrote:
>> When using the key without an agent, it prompts with a reminder to touch the key:
>>
>> $ ssh user at remote
>> Confirm user presence for key ED25519-SK MD5:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
[...]
>> But as soon as I add the key to an agent, it now hides that
2023 Jul 06
1
Subsystem sftp invoked even though forced command created
On 05.07.23 18:01, MCMANUS, MICHAEL P wrote:
> It appears the forced command either does not run or runs to completion
> and exits immediately, as there is no process named "receive.ksh" in
> the process tree.
FWIW, two cents of mine:
-- The script *exiting* should *not* prompt sshd to execute the
requested subsystem "as a second thought", or else it'd happen
2024 Oct 24
1
Developer mailing list delivery issue
On 24.10.24 02:06, Mabry Tyson wrote:
> I [...] sent mail to openssh at openssh.com but the mail was not delivered.
> 24 hours after I sent email to that address, I got a DSN indicating
>
>> Remote server returned '550 5.4.300 Message expired -> 451 Temporary
>> failure, please try again later.'
... yeaaahhh whatever it takes to convince the MX that it's *not*
2024 Jun 27
1
Proposal to add a DisableAuthentication option to sshd ServerOptions
On 27.06.24 06:34, Henry Qin wrote:
> *Specific use cases:*
> 1. Combine sshd on an unprivileged port with kubectl port-forward to
> replace kubectl exec for shelling into containers running in a secure
> Kubernetes environment. Kubectl exec does not kill processes on disconnect,
> and does not support remote port forwarding, while ssh does both of these
> things.
> 2. Run an
2023 May 30
1
command [argument ...] in ssh(1): a footgun
On 27.05.23 00:08, Thorsten Glaser wrote:
> On Fri, 26 May 2023, Mingye Wang (Artoria2e5) wrote:
>> The less modest one is we throw out the "[argument ...]" part altogether. It
>
> Absolutely not. This will break about all uses of ssh in existence.
You are confusing "ssh(1) does (not) distinguish between 'command' and
'argument(s)'" with
2016 Nov 11
0
How to Analyze Missing UIDs (and Files) in Maildirs?
Hello everyone,
I would like pointers on how to analyze the following situation, please:
I'm running one test and one production dovecot IMAPS server for one of
our platforms. The clients are essentially appliances we distribute,
auth by client cert, virtual users only, mailboxes in maildir format:
> auth_ssl_require_client_cert = yes
> auth_ssl_username_from_cert = yes
>
2023 Jul 03
1
Subsystem sftp invoked even though forced command created
On 30.06.23 17:56, MCMANUS, MICHAEL P wrote:
> The actual command is similar to the following (parameters inserted to protect the source):
> (print ${FQDN} ; print ${Environment} ; cat ${OutFileXML}) | \
> ssh -Ti ${EmbeddedPrivateKey} \
> -o HostKeyAlias="${Alias}" \
> -o
2023 Jul 07
1
Subsystem sftp invoked even though forced command created
On 06.07.23 23:37, MCMANUS, MICHAEL P wrote:
> So changing the forced command as stated will break the application. I
> would need to create a test bed to simulate the listener rather than
> use the server as is, where is. That may produce false or misleading
> results.
Since the forced command is tied to the specific keypair in the
authorized_keys, you could
-- test with a different
2018 Dec 15
1
Overriding pop delete?
On 12/15/2018 12:34 AM, @lbutlr wrote:
> On 14 Dec 2018, at 16:30, @lbutlr <kremels at kreme.com> wrote:
>> Is it possible to override the POP3 delete on download command and make
>> sure that messages stay on the server for at least X hours or X days?
>> It is important that the messages be around long enough to hit a snapshot
>> cycle (using rsnapshot to backup