similar to: PerSourcePenalties and ssh-copy-id

On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote: > Dear colleagues, > > Can we somehow improve the UX related to a relatively freshly > introduced PerSourcePenalties option? > > A popular pattern implies installation of the users' keys to a freshly > installed machine using ssh-copy-id script. The default settings don't > allow this command to work normally and

Damien Miller <djm at mindrot.org> writes: > On Mon, 9 Dec 2024, Dmitry Belyavskiy wrote: > >> Dear colleagues, >> >> Can we somehow improve the UX related to a relatively freshly >> introduced PerSourcePenalties option? >> >> A popular pattern implies installation of the users' keys to a freshly >> installed machine using ssh-copy-id

@Dmitry, you may get more traction by reporting this issue (with patch) at https://www.openssh.com/report.html . It can also help other folks who may be encountering the same issue. -- jmk > On Mar 3, 2023, at 02:10, Dmitry Belyavskiy <dbelyavs at redhat.com> wrote: > > ?Dear colleagues, > > Could you please take a look? > >> On Fri, Jan 20, 2023 at 12:55?PM

Dear colleagues, Could you please take a look? On Fri, Jan 20, 2023 at 12:55?PM Dmitry Belyavskiy <dbelyavs at redhat.com> wrote: > > Dear colleagues, > > ssh-keygen uses SHA1 algorithm (default) when verifying that the key is usable. It causes problems on recent systems where SHA1 is disabled for use with signatures (at least, RHEL 9+). > > The proposed patch enforces

Dear Damien, On Wed, Apr 19, 2023 at 9:55?AM Damien Miller <djm at mindrot.org> wrote: > > On Wed, 19 Apr 2023, Dmitry Belyavskiy wrote: > > > > While I'm sure this is good for RHEL/rawhide users who care about FIPS, > > > Portable OpenSSH won't be able to merge this. We explictly aim to support > > > LibreSSL's libcrypto as well as

Dear Peter, I'm trying to balance the original problem statement (protection from users enumeration) and avoid doubling time here if the process has already taken a long time to provide faster auth method iteration. I believe that a better solution is to set some arbitrary (probably configurable) timeout and, in case when we spend more time than that value, avoid doubling it. On Wed, Jun 28,

On Thu, Jul 20, 2023 at 3:53?AM Damien Miller <djm at mindrot.org> wrote: > > > > On Wed, 19 Jul 2023, Dmitry Belyavskiy wrote: > > > Dear Damien, > > > > Could you please clarify which versions are vulnerable? > > OpenSSH 5.5 through 9.3p1 inclusive Many thanks for the clarification! -- Dmitry Belyavskiy

Dear colleagues, May I ask you to explain whether I am wrong in my conclusions? On Wed, Apr 12, 2023 at 11:55?AM Dmitry Belyavskiy <dbelyavs at redhat.com> wrote: > > Dear colleagues, > > I have a question about this commit: > >

Dear colleagues, ssh-keygen uses SHA1 algorithm (default) when verifying that the key is usable. It causes problems on recent systems where SHA1 is disabled for use with signatures (at least, RHEL 9+). The proposed patch enforces using a sha2 algorithm for key verification. -- Dmitry Belyavskiy -------------- next part -------------- A non-text attachment was scrubbed... Name: ssh-keygen.patch

Dear colleagues, I have a question about this commit: https://github.com/openssh/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95#diff-a25e40214ca9c9f78abce22f23bf2abdb2a24384c6610d60bbb314aed534eb48R216 The function ensure_minimum_time_since effectively doubles the time spent in the input_userauth_request (mostly presumably in PAM). So if PAM processing is really slow, it will

On Fri, Jul 21, 2023 at 4:37?AM Dmitry Belyavskiy <dbelyavs at redhat.com> wrote: > > On Thu, Jul 20, 2023 at 3:53?AM Damien Miller <djm at mindrot.org> wrote: > > > > > > > > On Wed, 19 Jul 2023, Dmitry Belyavskiy wrote: > > > > > Dear Damien, > > > > > > Could you please clarify which versions are vulnerable? > >

Dear colleagues, I came across an upstream test suite failure on Fedora 36. The test in question is forwarding, the output is ========== adding modulifile='/home/dbelyavs/work/upstream/openssh-portable/moduli' to sshd_config using cached key type ssh-ed25519 using cached key type sk-ssh-ed25519 at openssh.com using cached key type ecdsa-sha2-nistp256 using cached key type

On Tue, 18 Jun 2024, Chris Rapier wrote: > Just curious, has this been tested at scale? I see that there are, by > default, a maximum number of hosts it can track (default of 64k it > seems). At that point I think one of two things happen - sshd stops > allowing all connections until some of the banned IPs age out (with > the exception of those IPs on an approved list) or it drops

https://bugzilla.mindrot.org/show_bug.cgi?id=3705 Bug ID: 3705 Summary: Disk space exhaustion from PerSourcePenalties logging Product: Portable OpenSSH Version: -current Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee:

https://bugzilla.mindrot.org/show_bug.cgi?id=3766 Bug ID: 3766 Summary: openssh PerSourcePenalties and pam_nologin interaction Product: Portable OpenSSH Version: 9.8p1 Hardware: ARM64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: PAM support Assignee:

Hi, A few people have requested rate-limiting for PerSourcePenalties logging. These patches add it. Please give them a try if you're interested in this feature. -d -------------- next part --------------

On Wed, 2024-06-19 at 16:11 -0400, Joseph S. Testa II wrote: > I suppose in the next few days, I'll try reproducing my original > steps > with the new version and see what happens. I managed to do some limited testing with a local VM, and the results are... interesting. I installed openssh-SNAP-20240626.tar.gz on a fresh and fully-updated Ubuntu Linux 24.04 LTS VM with 1 vCPU.

Dmitry Belyavskiy wrote: > May I ask you to explain whether I am wrong in my conclusions? I guess it's not clear what problem you are trying to solve. //Peter

On Wed, 19 Apr 2023, Dmitry Belyavskiy wrote: > > While I'm sure this is good for RHEL/rawhide users who care about FIPS, > > Portable OpenSSH won't be able to merge this. We explictly aim to support > > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the > > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that > >

https://bugzilla.mindrot.org/show_bug.cgi?id=3289 Bug ID: 3289 Summary: Patch fixing the issues found by coverity scan Product: Portable OpenSSH Version: 8.5p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: Miscellaneous Assignee: