similar to: ratelimiting for PerSourcePenalties logging

Damien Miller <djm at mindrot.org> writes: > On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote: > >> Dear colleagues, >> >> Can we somehow improve the UX related to a relatively freshly >> introduced PerSourcePenalties option? >> >> A popular pattern implies installation of the users' keys to a freshly >> installed machine using ssh-copy-id

https://bugzilla.mindrot.org/show_bug.cgi?id=3705 Bug ID: 3705 Summary: Disk space exhaustion from PerSourcePenalties logging Product: Portable OpenSSH Version: -current Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee:

https://bugzilla.mindrot.org/show_bug.cgi?id=3766 Bug ID: 3766 Summary: openssh PerSourcePenalties and pam_nologin interaction Product: Portable OpenSSH Version: 9.8p1 Hardware: ARM64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: PAM support Assignee:

On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote: > Dear colleagues, > > Can we somehow improve the UX related to a relatively freshly > introduced PerSourcePenalties option? > > A popular pattern implies installation of the users' keys to a freshly > installed machine using ssh-copy-id script. The default settings don't > allow this command to work normally and

Dear colleagues, Can we somehow improve the UX related to a relatively freshly introduced PerSourcePenalties option? A popular pattern implies installation of the users' keys to a freshly installed machine using ssh-copy-id script. The default settings don't allow this command to work normally and causes login failures. A reasonable workaround could be adding some threshold for a number

On Tue, 18 Jun 2024, Chris Rapier wrote: > Just curious, has this been tested at scale? I see that there are, by > default, a maximum number of hosts it can track (default of 64k it > seems). At that point I think one of two things happen - sshd stops > allowing all connections until some of the banned IPs age out (with > the exception of those IPs on an approved list) or it drops

https://bugzilla.mindrot.org/show_bug.cgi?id=1488 Summary: internal-sftp logging Classification: Unclassified Product: Portable OpenSSH Version: 5.0p1 Platform: Other OS/Version: Linux Status: NEW Severity: enhancement Priority: P2 Component: sftp-server AssignedTo: unassigned-bugs at

I've noticed rather strange wtmp logging behavior in sshd. Can anyone confirm or solve the following: Once a user authenticates themself to sshd, sshd among other things records the login in the wtmp, which `last` reads. However, sshd logs hostnames which are longer than 16 characters instead of IPs like normal programs would. As a result, I have useless entries such as: tempest

https://bugzilla.mindrot.org/show_bug.cgi?id=2326 Bug ID: 2326 Summary: INFO logging fails client with mis-configured DNS Product: Portable OpenSSH Version: 5.3p1 Hardware: amd64 OS: Linux Status: NEW Severity: security Priority: P5 Component: sftp-server Assignee:

https://bugzilla.mindrot.org/show_bug.cgi?id=1527 Summary: ForceCommand internal-sftp needs a way to enable logging Product: Portable OpenSSH Version: 5.1p1 Platform: Itanium2 OS/Version: HP-UX Status: NEW Severity: minor Priority: P4 Component: sftp-server AssignedTo:

https://bugzilla.mindrot.org/show_bug.cgi?id=1388 Summary: Parts of auth2-pubkey.c are completely devoid of debug logging Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: Other OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component:

https://bugzilla.mindrot.org/show_bug.cgi?id=2064 Bug ID: 2064 Summary: Enable logging of client_user at INFO priority rather than DEBUG2 Classification: Unclassified Product: Portable OpenSSH Version: 5.8p2 Hardware: All OS: All Status: NEW Severity: enhancement

https://bugzilla.mindrot.org/show_bug.cgi?id=3055 Bug ID: 3055 Summary: Need some high-probability logging re MaxStartups Product: Portable OpenSSH Version: 8.0p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at

Hi, OpenSSH 9.9p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at

Version 2.2.0p1 of portable OpenSSH has just been uploaded to the master site and should be making its way to the mirrors in due course. http://www.openssh.com/portable.html This release contains several new features and bugfixes relative to the previous 2.1.1p4 release. In particular: - DSA key support in ssh-agent. Please not that this will not interop with ssh.com's ssh-agent (Markus

Version 2.2.0p1 of portable OpenSSH has just been uploaded to the master site and should be making its way to the mirrors in due course. http://www.openssh.com/portable.html This release contains several new features and bugfixes relative to the previous 2.1.1p4 release. In particular: - DSA key support in ssh-agent. Please not that this will not interop with ssh.com's ssh-agent (Markus

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Is there any way to disable logging of failures during pam_authenticate? I ask because OpenSSH is currently generating an extra "authentication failure..." message at each login. The problem is that OpenSSH likes to try a blank password attempting any other authentication. This is a shortcut for anonymous SSH servers (e.g. OpenBSD's

https://bugzilla.mindrot.org/show_bug.cgi?id=3709 Bug ID: 3709 Summary: PerSourceMaxStartups no longer works as advertised Product: Portable OpenSSH Version: 9.8p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at

I'd like to withdraw the last set of metrics I reported. I couldn't reproduce some of them, and I suspect I made a mistake during testing. Being more careful this time, I set up another fully updated Ubuntu 24.04 VM with 4 vCPUs running openssh-SNAP-20240628.tar.gz with all defaults unchanged. When running using "ssh-audit.py --conn-rate-test=16 target_host", the system idle

On Tue, 18 Jun 2024, Joseph S. Testa II wrote: > In the upcoming v9.8 release notes I see "the server will now block > client addresses that repeatedly fail authentication, repeatedly > connect without ever completing authentication or that crash the > server." Has this new PerSourcePenalties config directive been tested > against the DHEat attack? Not explicitly but