Displaying 20 results from an estimated 100 matches similar to: "[RFC] Preferentially TOFU certificate authorities rather than host keys"
2006 Feb 04
2
[PATCH] allow user to update changed key in known_hosts
Hi list,
I use ssh a lot and I often need to connect to hosts whose host key has
changed. If a host key of the remote host changes ssh terminates and the
user has to manually delete the offending host key from known_hosts. I
had to do this so many times that I no longer like the idea ;-)
I would really like ssh to ask me if the new host key is OK and if I
want to add it to known_hosts.
I talked
2003 Mar 04
0
hashing known_hosts
Scenario:
I have access to a semi-public (about 30 users) server where I keep my
webpage. Occasionally, especially if I'm on the road, I use this as a
bounce point to get to "secured" systems which only allow ssh from
certain IPs. (Ignoring the discussion on spoofing, since we have host
keys)
But host keys are the problem. If anyone gets root on this hypothetical
2012 Dec 27
3
[PATCH] hostfile: list known names (if any) for new hostkeys
When connecting to a host for which there's no known hostkey, check if the
relevant key has been accepted for other hostnames. This is useful when
connecting to a host with a dynamic IP address or multiple names.
---
auth.c | 4 ++--
hostfile.c | 42 ++++++++++++++++++++++++++++--------------
hostfile.h | 8 ++++++--
sshconnect.c | 39 +++++++++++++++++++++++++++++++++------
2013 Mar 22
1
[PATCH] Allow matching HostName against Host entries
It would be useful to allow matching HostName entries against Host
entries. That's to say, I would find it very convenient to have an
ssh_config like:
Host zeus
HostName zeus.greek.gods
User hades
Host hera
HostName hera.greek.gods
# [ ... ]
Host *.greek.gods
User poseidon
UserKnownHostsFile ~/.ssh/known_hosts.d/athens
# [ Default settings for *.greek.gods ]
where I
2012 Oct 05
0
No subject
# gluster --version
glusterfs 3.3.1 built on Oct 11 2012 22:01:05
# gluster volume info
Volume Name: gdata
Type: Distribute
Volume ID: eccc3a90-212d-4563-ae8d-10a77758738d
Status: Started
Number of Bricks: 3
Transport-type: tcp
Bricks:
Brick1: gluster-0-0:/mseas-data-0-0
Brick2: gluster-0-1:/mseas-data-0-1
Brick3: gluster-data:/data
[root@mseas-data ~]# ps -ef | grep gluster
root 2783
2005 Jun 23
0
ControlPersist.
This is a better approach to persistent control masters than my previous
attempt. Instead of forking before we make the connection, do so only
when the original session has closed -- much like the code for '~&'
backgrounding already does.
My earlier patch for 'ControlPath none' still applies and is required, btw.
--- openssh/clientloop.c~ 2005-06-17 03:59:35.000000000 +0100
2002 Feb 13
0
[Bug 112] New: Using host key fingerprint instead of "yes"
http://bugzilla.mindrot.org/show_bug.cgi?id=112
Summary: Using host key fingerprint instead of "yes"
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
2006 Feb 10
0
OpenSSH ControlAllowUsers, et al Patch
Attached (and inline) is a patch to add the following config options:
ControlBindMask
ControlAllowUsers
ControlAllowGroups
ControlDenyUsers
ControlDenyGroups
It pulls the peer credential check from client_process_control() in ssh.c,
and expounds upon it in a new function, client_control_grant().
Supplemental groups are not checked in this patch. I didn't feel comfortable
taking a shot
2015 Jun 22
2
Small issue with DNSSEC / SSHFP
Hi,
I found a small issue with DNSSEC validation of SSHFP lookups. (For reference
I used OpenSSH 6.8p1 on FreeBSD 10.1).
The issue is that when DNSSEC validation fails, ssh displays a confusing
message to the user. When DNSSEC validation of a SSHFP record fails, ssh
presents the user with
"Matching host key fingerprint found in DNS.
"Are you sure you want to continue connecting
2009 Sep 19
0
memcached-1.4.1 and C4
Hi,
Is there someone successfully running memcached-1.4.1 on Centos 4 with
centosplus php? I'm trying to use memcached under Centos 4. I can set
values fine but
'get' returns:
[root@rakosnicek eshop]# php d.php
PHP Warning: Memcached::get(): bad type specifier while parsing
parameters in /var/www/d.php on line 6
NULL
string(7) "SUCCESS"
array(1) {
2015 Jan 29
2
[Bug 2345] New: NESTING_INDENT_MISMATCH: missing parenthesis around if body in ssh-keygen.c:724
https://bugzilla.mindrot.org/show_bug.cgi?id=2345
Bug ID: 2345
Summary: NESTING_INDENT_MISMATCH: missing parenthesis around if
body in ssh-keygen.c:724
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
2007 Oct 10
0
PATCH: incorrect behaviour of 'ssh-keygen -HF'
hi, the corner case of '-HF' hashes the whole hostline and not just
the host xor IP address which means that usually it will hash "HOST,IP".
This will never be matched if manually included into the known_host file.
Patch against 4.7p1 attached.
J.
--
Jan Pechanec
-------------- next part --------------
--- openssh-4.7p1/ssh-keygen.c Mon Feb 19 12:10:25 2007
+++
2007 Oct 19
3
[Bug 1376] New: 'ssh-keygen -HF' hashes host,IP together
https://bugzilla.mindrot.org/show_bug.cgi?id=1376
Summary: 'ssh-keygen -HF' hashes host,IP together
Classification: Unclassified
Product: Portable OpenSSH
Version: 4.7p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: ssh-keygen
AssignedTo: bitbucket
2004 Oct 03
0
[patch] tell user about hosts with same key
The attached patch implements a feature that would make my interaction
with ssh somewhat more secure. When connecting to a host whose key is
not in the known_hosts file, this patch makes ssh tell the user about any
other hosts in the known_hosts file that have the same key.
For example, if I have host A in my known_hosts file, and try to connect
to host B which is an alias for A, ssh will tell
2010 Nov 28
2
[PATCH] Use canonical hostname for DNS SSHFP lookup
In the current implementation, ssh always uses the hostname supplied by
the user directly for the SSHFP DNS record lookup. This causes problems
when using the domain search path, e.g. I have "search example.com" in my
resolv.conf and then do a "ssh host", I will connect to host.example.com,
but ssh will query the DNS for an SSHFP record of "host.", not
2000 May 15
1
[PATCH] using openssl with no-rsa?
Hello,
Due to patent concerns, I compiled a version of openssl with the no-rsa,
no-idea, no-rc5 options. I was able to then take this compile of openssl, with
the standard openssh-2.1.0 rpms and run it on another machine. Most things
seemed to work fine, except I was unable to ssh into the machine. After
applying the following patch to the sshd code, a quick test with an ssh session
worked:
2020 Oct 04
3
UpdateHostkeys now enabled by default
On Sun, Oct 04, 2020 at 10:50:32PM +1100, Damien Miller wrote:
> On Sun, 4 Oct 2020, Matthieu Herrb wrote:
>
> > On Sun, Oct 04, 2020 at 09:24:12PM +1100, Damien Miller wrote:
> > > On Sun, 4 Oct 2020, Damien Miller wrote:
> > >
> > > > No - I think you've stumbled on a corner case I hadn't anticipated.
> > > > Does your configuration
2002 Sep 20
2
host_key and fingerprint problem with protocol 2
Hi all,
I just want to upgrade from protocol 1.5 to 1.99 and 2.0, respectively and run into the following problems:
The situation is the following:
I have a client ("c") inside the firewall and two servers outside ("a" and "b"). The firewall accepts connections on two ports (22136 and 22137) and directs the connections directly to port 22 of the two servers
2003 Nov 04
0
ServerLiesWarning
I'm trying to replace some sshv1 clients and servers in a modular way,
and the "Server Lies" warning (when the server says the key has one
more bit than it really has) is causing heartache. Per the FAQ, this
is relatively benign. Here's a patch that allows an admin or user to
disable the warning.
- Morty
diff -Nur openssh-3.7.1p2/readconf.c
2008 Apr 08
1
how to check if a variable is preferentially present in a sample
Dear All,
I do apologise if this question is out of place for this list but I've
tried searching mailing lists and read "Introductory Statistics with
R" by Peter Dalgaard, but couldn't find any hints on solving my
question below:
I have a data frame (d) of values which I will rank in decreasing
order of "val". Each value belongs to a group, either 'A',