similar to: [Bug 3711] New: How do you defend against the D (HE) ater attack?


2023 Apr 12
1
Defend against user enumeration timing attacks - overkill
Dear colleagues, I have a question about this commit: https://github.com/openssh/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95#diff-a25e40214ca9c9f78abce22f23bf2abdb2a24384c6610d60bbb314aed534eb48R216 The function ensure_minimum_time_since effectively doubles the time spent in the input_userauth_request (mostly presumably in PAM). So if PAM processing is really slow, it will
2023 Jun 28
1
Defend against user enumeration timing attacks - overkill
Dear colleagues, May I ask you to explain whether I am wrong in my conclusions? On Wed, Apr 12, 2023 at 11:55 AM Dmitry Belyavskiy <dbelyavs at redhat.com> wrote: > > Dear colleagues, > > I have a question about this commit: > >
2023 Jun 28
1
Defend against user enumeration timing attacks - overkill
Dmitry Belyavskiy wrote: > May I ask you to explain whether I am wrong in my conclusions? I guess it's not clear what problem you are trying to solve. //Peter
2023 Jun 28
1
Defend against user enumeration timing attacks - overkill
Dear Peter, I'm trying to balance the original problem statement (protection from user enumeration) and avoid doubling time here if the process has already taken a long time to provide faster auth method iteration. I believe that a better solution is to set some arbitrary (probably configurable) timeout and, in case when we spend more time than that value, avoid doubling it. On Wed, Jun 28,
2024 Jun 25
3
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-19 at 16:11 -0400, Joseph S. Testa II wrote: > I suppose in the next few days, I'll try reproducing my original > steps > with the new version and see what happens. I managed to do some limited testing with a local VM, and the results are... interesting. I installed openssh-SNAP-20240626.tar.gz on a fresh and fully-updated Ubuntu Linux 24.04 LTS VM with 1 vCPU.
2008 Sep 18
0
domU cpuinfo shows only 16 KB after upgrading to Xen-3.3.0!
Hi folks! After upgrading my Xen-3.2.0 to new Xen-3.3.0/Linux-2.6.18.8-xen-3.3.0 my domU /proc/cpuinfo shows only: administrativo@vsrvXX:~$ cat /proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 15 model : 6 model name : Intel(R) Pentium(R) D CPU 3.40GHz stepping : 4 cpu MHz : 3391.500 *cache size : 16 KB* physical id : 0 siblings
2005 May 16
1
problems with asterisk starting from init.d
Hi All I had asterisk running on a xercom install, I upgraded the box to a full debian install and now asterisk is not starting on boot. I can start asterisk from the command line fine no problems, but when I type /etc/init.d/asterisk start it says asterisk PBX started. It doesn't start it though, when I look at the log file it has this. May 16 10:19:05 WARNING[3711]: Unable to open
2024 Jan 13
6
[Bug 3656] New: How to fix row hammer attacks?
https://bugzilla.mindrot.org/show_bug.cgi?id=3656 Bug ID: 3656 Summary: How to fix row hammer attacks? Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: security Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org
2024 Jun 19
2
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-19 at 09:19 -0400, chris wrote: > real world example (current snapshot of portable on linux v. dheater) Thanks for this. However, much more extensive testing would be needed to show it is a complete solution. In my original research article, I used CPU idle time as the main metric. Also, I showed that very low-latency network links could bypass the existing countermeasures.
2008 Sep 20
2
Re: My domU cpuinfo shows "cache size: 16KB" after upgrading to Xen-3.3.0... but in Xen-3.2 it has 2048KB!
No one knows about this?! It's normal for domU in Xen-3.3 to have only 16KB of CPU cache size? Thanks! Thiagi 2008/9/18 Thiago Camargo Martins Cordeiro <thiagocmartinsc@gmail.com> > Hi folks! > > After upgrading my Xen-3.2.0 to new Xen-3.3.0/Linux-2.6.18.8-xen-3.3.0 my > domU /proc/cpuinfo shows only: > > administrativo@vsrvXX:~$ cat /proc/cpuinfo >
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
In the upcoming v9.8 release notes I see "the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server." Has this new PerSourcePenalties config directive been tested against the DHEat attack? - Joe On Thu, 2024-04-25 at 18:09 -0400, Joseph S. Testa II wrote: > A few days ago, I
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Tue, 18 Jun 2024, Joseph S. Testa II wrote: > In the upcoming v9.8 release notes I see "the server will now block > client addresses that repeatedly fail authentication, repeatedly > connect without ever completing authentication or that crash the > server." Has this new PerSourcePenalties config directive been tested > against the DHEat attack? Not explicitly but
2024 Jun 18
2
Call for testing: openssh-9.8
On Tue, 18 Jun 2024, Chris Rapier wrote: > Just curious, has this been tested at scale? I see that there are, by > default, a maximum number of hosts it can track (default of 64k it > seems). At that point I think one of two things happen - sshd stops > allowing all connections until some of the banned IPs age out (with > the exception of those IPs on an approved list) or it drops
2024 Jul 12
1
[Bug 3709] New: PerSourceMaxStartups no longer works as advertised
https://bugzilla.mindrot.org/show_bug.cgi?id=3709 Bug ID: 3709 Summary: PerSourceMaxStartups no longer works as advertised Product: Portable OpenSSH Version: 9.8p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at
2024 Jun 24
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On 6/19/24 4:11 PM, Joseph S. Testa II wrote: > On Wed, 2024-06-19 at 09:19 -0400, chris wrote: >> real world example (current snapshot of portable on linux v. dheater) > > Thanks for this. However, much more extensive testing would be needed > to show it is a complete solution. In my original research article, I > used CPU idle time as the main metric. Also, I showed that
2024 Apr 25
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
A few days ago, I published an article analyzing the susceptibility of the DHEat denial-of-service vulnerability against default OpenSSH settings in cloud environments. I thought those on this list might be interested: https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-against-ssh-in-cloud-environments/ A short summary: the default MaxStartup setting is fully ineffective
2023 Jul 07
3
[Bug 3587] New: Would OpenSSH consider adding a switch to hide the specific OpenSSH version number?
https://bugzilla.mindrot.org/show_bug.cgi?id=3587 Bug ID: 3587 Summary: Would OpenSSH consider adding a switch to hide the specific OpenSSH version number? Product: Portable OpenSSH Version: -current Hardware: Other OS: Linux Status: NEW Severity: security Priority: P5
2024 May 28
4
[Bug 3693] New: Is SFTP local command execution implemented based on an RFC protocol?
https://bugzilla.mindrot.org/show_bug.cgi?id=3693 Bug ID: 3693 Summary: Is SFTP local command execution implemented based on an RFC protocol? Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: sftp
2016 Oct 11
3
samba 4 migration (domain admins & domain users renamed)
Hi, I'm trying to migrate a samba 3 domain, and I have detected that our domain users and domain admins are migrated/renamed during migration, we have these groups in a language other than English and after migration they are migrated to domain admin and domain users. Members of these groups are migrated correctly, the only question is whether this change in name could generate a problem and if this is an issue
2023 Aug 01
3
[Bug 3597] New: Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3597 Bug ID: 3597 Summary: Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled? Product: Portable OpenSSH Version: -current Hardware: Other