Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0

2016-08-11 Thread Christian Weisgerber
On 2016-08-08, Devin Teske wrote:
> Which would you use?
Ed25519.
> Or perhaps RSA? (as des@ recommends)
RSA if you need compatibility with servers or other clients that don't know Ed25519. That's why ssh-keygen, alas, still defaults to RSA.
-- Christian "naddy" Weisgerber

Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0

2016-08-08 Thread Devin Teske
_cryptography#cite_note-31 >> <https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-31>> >> suggesting a return to encryption based on non-elliptic-curve groups. >> "" >> Or perhaps RSA? (as des@ recommends) >> (not necessarily to Gle

Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0

2016-08-08 Thread Bernard Spil
hy#cite_note-31> suggesting a return to encryption based on non-elliptic-curve groups. "" Or perhaps RSA? (as des@ recommends) (not necessarily to Glen but anyone that wants to answer) -- Devin On Aug 4, 2016, at 6:59 PM, Glen Barber wrote: -BEGIN PGP SIGNED MESSAGE----- Hash: SH

Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0

2016-08-08 Thread Conrad Meyer
The OpenSSH defaults are intentionally sane. RSA 2048 is anticipated to be fine for the next 10 years. It would not be a bad choice. I'm not aware of any reason not to use EC keys, and presumably the openssh authors wouldn't ship them as an option if they knew of any reason to believe

Re: [FreeBSD-Announce] HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0

2016-08-08 Thread Devin Teske
ly to Glen but anyone that wants to answer) -- Devin > On Aug 4, 2016, at 6:59 PM, Glen Barber wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH, > and will be deprecated effective 11.0-RELEASE (

Re: HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0

2016-08-04 Thread Glen Barber
On Fri, Aug 05, 2016 at 01:59:18AM +, Glen Barber wrote: > This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH, > and will be deprecated effective 11.0-RELEASE (and preceding RCs). > Stupid editor mistake. OpenSSH DSA keys are deprecated upstream. Sorr

HEADS-UP: OpenSSH DSA keys are deprecated in 12.0 and 11.0

2016-08-04 Thread Glen Barber
This is a heads-up that OpenSSH keys are deprecated upstream by OpenSSH, and will be deprecated effective 11.0-RELEASE (and preceding RCs). Please see r303716 for details on the relevant commit, but upstream no longer considers them secure

Re: OpenSSH changes between 10.2 and 10.3 ...

2016-04-14 Thread Patrick M. Hausen
Hi, all, > Am 14.04.2016 um 12:20 schrieb Eugene Grosbein : > > It does change for me. And helps. Make double sure you have added > KexAlgorithms > to system wide defaults section of ssh_config and not after limiting "Host" > directive, > or similar. Thanks for that hint - much ado about nothi

Re: OpenSSH changes between 10.2 and 10.3 ...

2016-04-14 Thread Eugene Grosbein
oot@noc:/etc/ssh # uname -a > FreeBSD noc.pluspunkthosting.de 10.3-RELEASE FreeBSD 10.3-RELEASE #3: Wed Apr > 13 14:46:57 CEST 2016 > r...@noc.pluspunkthosting.de:/usr/obj/usr/src/sys/GENERIC amd64 > > Of course I was able to find http://www.openssh.com/legacy.html myself. >

Re: OpenSSH changes between 10.2 and 10.3 ...

2016-04-14 Thread Daniel Kalchev
/obj/usr/src/sys/GENERIC amd64 > > Of course I was able to find http://www.openssh.com/legacy.html myself. > > FreeBSD 10.2 uses OpenSSH 6.6.x while 10.3 imported 7.2. > So far so good. > > The recommended method from the document above works on the > command line:

OpenSSH changes between 10.2 and 10.3 ...

2016-04-14 Thread Patrick M. Hausen
-RELEASE #3: Wed Apr 13 14:46:57 CEST 2016 r...@noc.pluspunkthosting.de:/usr/obj/usr/src/sys/GENERIC amd64 Of course I was able to find http://www.openssh.com/legacy.html myself. FreeBSD 10.2 uses OpenSSH 6.6.x while 10.3 imported 7.2. So far so good. The recommended method from the document

Re: svn commit: r295367 - in stable/10: crypto/openssh crypto/openssh/contrib crypto/openssh/contrib/caldera crypto/openssh/contrib/cygwin crypto/openssh/contrib/redhat crypto/openssh/contrib/suse cry

2016-03-03 Thread Mike Tancsa
On 3/3/2016 1:46 AM, Dag-Erling Smørgrav wrote: > Mike Tancsa writes: >> I noticed on a server that I updated on Friday that incorporates >> r295367, some lightweight clients that were using aes128-cbc are now >> failing to connect. Is this a planned change ? If so, perhaps a heads >> up in UPDAT

Re: svn commit: r295367 - in stable/10: crypto/openssh crypto/openssh/contrib crypto/openssh/contrib/caldera crypto/openssh/contrib/cygwin crypto/openssh/contrib/redhat crypto/openssh/contrib/suse cry

2016-03-02 Thread Dag-Erling Smørgrav
Mike Tancsa writes: > I noticed on a server that I updated on Friday that incorporates > r295367, some lightweight clients that were using aes128-cbc are now > failing to connect. Is this a planned change ? If so, perhaps a heads > up in UPDATING ? Please file a bug and send me the number. I wi

Re: svn commit: r295367 - in stable/10: crypto/openssh crypto/openssh/contrib crypto/openssh/contrib/caldera crypto/openssh/contrib/cygwin crypto/openssh/contrib/redhat crypto/openssh/contrib/suse cry

2016-02-29 Thread Mike Tancsa
umentation > MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap > MFH (r294332): upgrade to openssh 6.8p1 > MFH (r294367): update pam_ssh for api changes > MFH (r294909): switch usedns back on > MFH (r294336): upgrade to openssh 6.9p1 > MFH (r294495): re-enable d

Re: HPN and None options in OpenSSH

2016-01-24 Thread Slawa Olhovchenkov
On Sun, Jan 24, 2016 at 04:21:17PM +0100, Dag-Erling Smørgrav wrote: > Slawa Olhovchenkov writes: > > OK, what about tcsh, zsh, fish and scp/sftp? > > I apologize for trying to help you out by suggesting a hack that works > at least some of the time until I can get a permanent fix in. I should

Re: HPN and None options in OpenSSH

2016-01-24 Thread Dag-Erling Smørgrav
Slawa Olhovchenkov writes: > OK, what about tcsh, zsh, fish and scp/sftp? I apologize for trying to help you out by suggesting a hack that works at least some of the time until I can get a permanent fix in. I should instead have hopped in my time machine, jumped back a few years, and fixed the b

Re: HPN and None options in OpenSSH

2016-01-24 Thread Slawa Olhovchenkov
On Sun, Jan 24, 2016 at 04:09:05PM +0100, Dag-Erling Smørgrav wrote: > Slawa Olhovchenkov writes: > > Dag-Erling Smørgrav writes: > > > In the meantime, you can try something like this in .bashrc or > > > whatever: > > Impossible. For accessing .bashrc on kerberized NFS need correct > > /tmp/krb

Re: HPN and None options in OpenSSH

2016-01-24 Thread Dag-Erling Smørgrav
Slawa Olhovchenkov writes:
> Dag-Erling Smørgrav writes:
> > In the meantime, you can try something like this in .bashrc or whatever:
> Impossible. For accessing .bashrc on kerberized NFS need correct /tmp/krb5cc_.
/etc/profile, then.
DES -- Dag-Erling Smørgrav - d...@des.no

Re: HPN and None options in OpenSSH

2016-01-24 Thread Slawa Olhovchenkov
On Sun, Jan 24, 2016 at 03:50:45PM +0100, Dag-Erling Smørgrav wrote: > Slawa Olhovchenkov writes: > > Can you do some small discurs about ssh+kerberos? > > I am trying to use FreeBSD with $HOME over kerberized NFS. > > For kerberized NFS gssd need to find cache file "called > > /tmp/krb5cc_, where

Re: HPN and None options in OpenSSH

2016-01-24 Thread Dag-Erling Smørgrav
Slawa Olhovchenkov writes: > Can you do some small discurs about ssh+kerberos? > I am trying to use FreeBSD with $HOME over kerberized NFS. > For kerberized NFS gssd need to find cache file "called > /tmp/krb5cc_, where is the effective uid for the RPC > caller" (from `man gssd`). > > sshd contrar

Re: HPN and None options in OpenSSH

2016-01-24 Thread Slawa Olhovchenkov
On Fri, Jan 22, 2016 at 03:31:22PM +0100, Dag-Erling Smørgrav wrote: > The HPN and None cipher patches have been removed from FreeBSD-CURRENT. > I intend to remove them from FreeBSD-STABLE this weekend. Can you do some small discurs about ssh+kerberos? I am trying to use FreeBSD with $HOME over kerb

Re: HPN and None options in OpenSSH

2016-01-23 Thread Michael Sinatra
On 01/23/16 09:15, Kevin Oberman wrote: > Are you sure of this? I have not looked at the code, but my former > colleagues at the high performance research network ESnet claim at > http://fasterdata.es.net/data-transfer-tools/say-no-to-scp/ that the > internal buffers and effective window size hav

Re: HPN and None options in OpenSSH

2016-01-23 Thread Dag-Erling Smørgrav
Kevin Oberman writes: > Dag-Erling Smørgrav writes: > > Julian Elischer writes: > > > what is the internal window size in the new ssh? > > 64 kB. > Are you sure of this? Sorry, I was thinking of 6.6 (in stable/10). The buffer code in 7.1 supports dynamically-sized buffers with a hard limit of

Re: HPN and None options in OpenSSH

2016-01-23 Thread Kevin Oberman
On Sat, Jan 23, 2016 at 7:55 AM, Dag-Erling Smørgrav wrote: > Julian Elischer writes: > > what is the internal window size in the new ssh? > > 64 kB. > > DES > -- > Dag-Erling Smørgrav - d...@des.no Are you sure of this? I have not looked at the code, but my former colleagues at the high perfo

Re: HPN and None options in OpenSSH

2016-01-23 Thread Dag-Erling Smørgrav
Julian Elischer writes: > what is the internal window size in the new ssh? 64 kB. DES -- Dag-Erling Smørgrav - d...@des.no

Re: HPN and None options in OpenSSH

2016-01-22 Thread Julian Elischer
former will be accepted with a warning, whereas the latter will result in an error. Most users will not be affected by this change. Those who are should switch to the openssh-portable port, which still offers both patches, with HPN enabled by default. It is expected that FreeBSD 10.3 will ship

HPN and None options in OpenSSH

2016-01-22 Thread Dag-Erling Smørgrav
latter will result in an error. Most users will not be affected by this change. Those who are should switch to the openssh-portable port, which still offers both patches, with HPN enabled by default. It is expected that FreeBSD 10.3 will ship with OpenSSH 7.1p2, with a number of modifications

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-05-29 Thread Dag-Erling Smørgrav
Mike Tancsa writes: > For the archives, this is fixed in > http://lists.freebsd.org/pipermail/svn-src-head/2013-May/047921.html Fixed in head, but not stable/9 yet. I'll pull 6.2p2 from head to stable/9 later this week. DES -- Dag-Erling Smørgrav - d...@des.no

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-05-29 Thread Mike Tancsa
On 3/1/2013 11:35 AM, Mike Tancsa wrote: > On 2/28/2013 1:43 PM, Dag-Erling Smørgrav wrote: >> Author: des >> Date: Thu Feb 28 18:43:50 2013 >> New Revision: 247485 >> URL: http://svnweb.freebsd.org/changeset/base/247485 >> >> Log: >> Pull in OpenSS

Re: OpenSSH in -STABLE

2013-05-28 Thread Christian Weisgerber
wrote: > Hi. Are there any plans to get OpenSSH 6.2 in 9-STABLE? I'd like to > check out the new AES-GCM stuff without going to -CURRENT on this > system. If there are no plans, is there a possibility? Thanks The OpenSSL version in 9-STABLE doesn't have GCM support. -

Re: OpenSSH in -STABLE

2013-05-22 Thread Dag-Erling Smørgrav
usa...@hushmail.com writes: > Hi. Are there any plans to get OpenSSH 6.2 in 9-STABLE? I'd like to > check out the new AES-GCM stuff without going to -CURRENT on this > system. If there are no plans, is there a possibility? Thanks Use the port. DES -- Dag-Erling Smørgrav

Re: OpenSSH in -STABLE

2013-05-21 Thread Freddie Cash
09:42:39PM -0400, usa...@hushmail.com > >wrote: > >> Hi. Are there any plans to get OpenSSH 6.2 in 9-STABLE? I'd like > >to > >> check out the new AES-GCM stuff without going to -CURRENT on > >this > >> system. If there are no plans, is there a possibility? Than

Re: OpenSSH in -STABLE

2013-05-21 Thread Jeremy Chadwick
On Tue, May 21, 2013 at 08:11:09PM -0700, Jeremy Chadwick wrote: > ... 6.2p2 was imported to head/CURRENT on May 22nd ... Typo on my part: this should have read May 17th, as is obvious from svnweb. -- | Jeremy Chadwick j...@koitsu.org | | UNIX Systems Administra

Re: OpenSSH in -STABLE

2013-05-21 Thread Jeremy Chadwick
On Tue, May 21, 2013 at 11:02:27PM -0400, usa...@hushmail.com wrote: > On Tue, 21 May 2013 22:20:08 -0400 "David Wolfskill" > wrote: > >On Tue, May 21, 2013 at 09:42:39PM -0400, usa...@hushmail.com > >wrote: > >> Hi. Are there any plans to get OpenSSH 6.2 in

Re: OpenSSH in -STABLE

2013-05-21 Thread usaopp
On Tue, 21 May 2013 22:20:08 -0400 "David Wolfskill" wrote: >On Tue, May 21, 2013 at 09:42:39PM -0400, usa...@hushmail.com >wrote: >> Hi. Are there any plans to get OpenSSH 6.2 in 9-STABLE? I'd like >to >> check out the new AES-GCM stuff without going to -C

Re: OpenSSH in -STABLE

2013-05-21 Thread David Wolfskill
On Tue, May 21, 2013 at 09:42:39PM -0400, usa...@hushmail.com wrote: > Hi. Are there any plans to get OpenSSH 6.2 in 9-STABLE? I'd like to > check out the new AES-GCM stuff without going to -CURRENT on this > system. If there are no plans, is there a possibility? Thanks >

OpenSSH in -STABLE

2013-05-21 Thread usaopp
Hi. Are there any plans to get OpenSSH 6.2 in 9-STABLE? I'd like to check out the new AES-GCM stuff without going to -CURRENT on this system. If there are no plans, is there a possibility? Thanks

Re: Login failures usefulness with OpenSSH 6.1

2013-05-06 Thread Dag-Erling Smørgrav
Jason Hellenthal writes: > I used to get username and IP address in the output but it seems that > the logging format has changed. Instead of one line the log format now > has two lines. One like the ones below and then another coinciding > line that contains IP address and username. It will be m

Login failures usefulness with OpenSSH 6.1

2013-05-05 Thread Jason Hellenthal
Hello everyone, It seems that the login failures reported by the security output of a nightly periodic job have become somewhat useless per OpenSSH 6.1. I used to get username and IP address in the output but it seems that the logging format has changed. Instead of one line the log format now

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-02 Thread Ian Lepore
On Sat, 2013-03-02 at 17:02 +0100, Dag-Erling Smørgrav wrote: > Mike Tancsa writes: > > The pcaps and basic wireshark output at > > > > http://tancsa.com/openssh/ > > This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs > 5.8, both with aesni load

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-02 Thread Dag-Erling Smørgrav
Dag-Erling Smørgrav writes: > This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs > 5.8, both with aesni loaded. On second thought, I don't need more pcaps. DES -- Dag-Erling Smørgrav - d...@des.no

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-02 Thread Mike Tancsa
On 3/2/2013 11:02 AM, Dag-Erling Smørgrav wrote: > Mike Tancsa writes: >> The pcaps and basic wireshark output at >> >> http://tancsa.com/openssh/ > > This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs > 5.8, both with aesni loaded. Ahh, o

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-02 Thread Dag-Erling Smørgrav
Mike Tancsa writes: > The pcaps and basic wireshark output at > > http://tancsa.com/openssh/ This is 6.1 with aesni vs 6.1 without aesni; what I wanted was 6.1 vs 5.8, both with aesni loaded. Could you also ktrace the server in both cases? An easy workaround is to change the list o

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-02 Thread Mike Tancsa
river, not the aesni driver. Also, if it was aesni, would it not show up in the geli tests I did ? > > Can you ktrace sshd in both cases? My guess is the difference is that > the new version uses hw offloading while the old version doesn't. Done. Both files are at http:

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-02 Thread Dag-Erling Smørgrav
Mike Tancsa writes: > This PR looks to be related > > http://lists.freebsd.org/pipermail/freebsd-bugs/2012-September/050139.html That suggests a bug in the aesni driver... Can you ktrace sshd in both cases? My guess is the difference is that the new version uses hw offloading while the old vers

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-02 Thread Mike Tancsa
On 3/1/2013 10:06 PM, Mike Tancsa wrote: > On 3/1/2013 3:34 PM, Dag-Erling Smørgrav wrote: >> Mike Tancsa writes: >>> Dag-Erling Smørgrav writes: >>>> Are you sure this was due to the OpenSSH update, and not the OpenSSL >>>> update a few days ago?

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-01 Thread Mike Tancsa
On 3/1/2013 3:34 PM, Dag-Erling Smørgrav wrote: > Mike Tancsa writes: >> Dag-Erling Smørgrav writes: >>> Are you sure this was due to the OpenSSH update, and not the OpenSSL >>> update a few days ago? Can you try to roll back to r247484? >> I didn't thin

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-01 Thread Dag-Erling Smørgrav
Mike Tancsa writes: > Dag-Erling Smørgrav writes: > > Are you sure this was due to the OpenSSH update, and not the OpenSSL > > update a few days ago? Can you try to roll back to r247484? > I didn't think openssl got updated on RELENG_9 ? Ah, you're right. There is an Ope

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-01 Thread Mike Tancsa
ou sure this was due to the OpenSSH update, and not the OpenSSL > update a few days ago? Can you try to roll back to r247484? I didn't think openssl got updated on RELENG_9 ? http://svnweb.freebsd.org/base?view=revision&revision=247484 ---Mike > > DES -- ---

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-01 Thread Dag-Erling Smørgrav
Mike Tancsa writes: > OK, so it looks like something to do with hardware crypto. If I unload > aesni.ko and restart sshd, it works, even with aes128-cbc which I guess > it was trying to use cryptodev Are you sure this was due to the OpenSSH update, and not the OpenSSL update a few days

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-01 Thread Mike Tancsa
On 3/1/2013 11:35 AM, Mike Tancsa wrote: > On 2/28/2013 1:43 PM, Dag-Erling Smørgrav wrote: >> Author: des >> Date: Thu Feb 28 18:43:50 2013 >> New Revision: 247485 >> URL: http://svnweb.freebsd.org/changeset/base/247485 >> >> Log: >> Pull in OpenSS

Re: svn commit: r247485 - in stable/9: crypto/openssh crypto/openssh/openbsd-compat secure/lib/libssh secure/usr.sbin/sshd

2013-03-01 Thread Mike Tancsa
On 2/28/2013 1:43 PM, Dag-Erling Smørgrav wrote: > Author: des > Date: Thu Feb 28 18:43:50 2013 > New Revision: 247485 > URL: http://svnweb.freebsd.org/changeset/base/247485 > > Log: > Pull in OpenSSH 6.1 from head. Hi, I updated a box to RELENG_9 with this change

Re: MFC openssh fix versionaddendum?

2013-02-12 Thread Bryan Drewery
On 2/11/2013 6:05 AM, Ruben de Groot wrote: > > http://www.freebsd.org/cgi/query-pr.cgi?pr=163843 > > The fix was committed to -current, but in 9.1 it's still not working. > > cheers Ruben I plan to also add this back into the security/openssh-portable port soon. --

MFC openssh fix versionaddendum?

2013-02-11 Thread Ruben de Groot
http://www.freebsd.org/cgi/query-pr.cgi?pr=163843 The fix was committed to -current, but in 9.1 it's still not working. cheers Ruben

Re: r228152: anyone got the None cipher working with base OpenSSH?

2011-12-06 Thread Jeremy Chadwick
On Fri, Dec 02, 2011 at 02:57:48PM -0800, Freddie Cash wrote: > What am I missing? What's the magic incantation to add the None cipher to > base ssh? Follow-up to this situation: I've submitted a PR to have this addressed, which includes a patch (only tested on RELENG_8 at this point) that adds the

Re: r228152: anyone got the None cipher working with base OpenSSH?

2011-12-05 Thread Freddie Cash
On Fri, Dec 2, 2011 at 3:32 PM, Jeremy Chadwick wrote: > On Fri, Dec 02, 2011 at 02:57:48PM -0800, Freddie Cash wrote: > > Looking through the commit messages for stable/8 and stable/9 I noticed > > that the HPN patches were applied to OpenSSH in the base install. And > >

Re: r228152: anyone got the None cipher working with base OpenSSH?

2011-12-02 Thread Jeremy Chadwick
On Fri, Dec 02, 2011 at 05:51:03PM -0600, Adam Vande More wrote: > On Fri, Dec 2, 2011 at 5:39 PM, Jeremy Chadwick > wrote: > > > If the WARNING message that is output to stderr > > bothers you, use -T. > > > > This says -T disables the NONE cipher: > > http://www.psc.edu/networking/projects/h

Re: r228152: anyone got the None cipher working with base OpenSSH?

2011-12-02 Thread Adam Vande More
On Fri, Dec 2, 2011 at 5:39 PM, Jeremy Chadwick wrote: > If the WARNING message that is output to stderr > bothers you, use -T. > This says -T disables the NONE cipher: http://www.psc.edu/networking/projects/hpn-ssh/none.php I haven't looked at current patches so maybe doesn't apply. -- Adam

Re: r228152: anyone got the None cipher working with base OpenSSH?

2011-12-02 Thread Freddie Cash
nd there are *multiple* -o switches you will need > to use with the client (e.g. ssh -oCipher=none -oNoneEnabled=yes > -oNoneSwitch=yes). If the WARNING message that is output to stderr > bothers you, use -T. > Yeah, I've gone over all that. We've been using the HPN patches an

Re: r228152: anyone got the None cipher working with base OpenSSH?

2011-12-02 Thread Jeremy Chadwick
On Fri, Dec 02, 2011 at 03:32:20PM -0800, Jeremy Chadwick wrote: > There are multiple places where this needs to get defined for it to > work. Sorry I should be more clear (I woke up ~15 minutes ago). I'm referring to the fact that OpenSSH build points in FreeBSD are ""scat

Re: r228152: anyone got the None cipher working with base OpenSSH?

2011-12-02 Thread Bjoern A. Zeeb
On 2. Dec 2011, at 22:57 , Freddie Cash wrote: > Looking through the commit messages for stable/8 and stable/9 I noticed > that the HPN patches were applied to OpenSSH in the base install. And > reading through the commit messages I see that one has to manually enable > the

Re: r228152: anyone got the None cipher working with base OpenSSH?

2011-12-02 Thread Jeremy Chadwick
On Fri, Dec 02, 2011 at 02:57:48PM -0800, Freddie Cash wrote: > Looking through the commit messages for stable/8 and stable/9 I noticed > that the HPN patches were applied to OpenSSH in the base install. And > reading through the commit messages I see that one has to manually enable

r228152: anyone got the None cipher working with base OpenSSH?

2011-12-02 Thread Freddie Cash
Looking through the commit messages for stable/8 and stable/9 I noticed that the HPN patches were applied to OpenSSH in the base install. And reading through the commit messages I see that one has to manually enable the None cipher. However, I cannot, for the life of me, figure out how to do

Re: OpenSSH 5.4 bug fixed in 5.5

2010-05-12 Thread Peter C. Lai
Or install the version from ports and deactivate the base version... On 2010-05-12 10:42:00PM +0200, Matthieu Michaud wrote: > I would like to share a solution of a problem I faced with the current > version of OpenSSH in 8-STABLE (5.4p1). > > Last upgrade of my system updated

OpenSSH 5.4 bug fixed in 5.5

2010-05-12 Thread Matthieu Michaud
I would like to share a solution of a problem I faced with the current version of OpenSSH in 8-STABLE (5.4p1). Last upgrade of my system updated OpenSSH from 5.2p1 to 5.4p1 which has a regression for those using a non-default AuthorizedKeysFile option set to a relative path (".ssh/keys"

Re: openssh concerns

2009-10-12 Thread Oliver Fromme
Daniel Roethlisberger wrote: > If your situation allows running pf, then there's an alternative > method: bind sshd normally to port 22, but use pf to deny direct > connections to port 22, redirecting connections to some high port > X to port 22 using a `rdr pass' rule. You can even make > e

Re: openssh concerns

2009-10-12 Thread Daniel Roethlisberger
Robert Watson 2009-10-11: > On Thu, 8 Oct 2009, Oliver Fromme wrote: > >Are you sure? The majority of BSD machines in my vicinity > >have multiple accounts. > > > >And even if there's only one account, there is no reason to be > >careless with potential port-takeover risks. > > > >Therefore I adv

Re: openssh concerns

2009-10-11 Thread Robert Watson
On Thu, 8 Oct 2009, Oliver Fromme wrote: Are you sure? The majority of BSD machines in my vicinity have multiple accounts. And even if there's only one account, there is no reason to be careless with potential port-takeover risks. Therefore I advise against running critical daemons on unp

Re: openssh concerns

2009-10-08 Thread Bap
Quoting Doug Barton : Oliver Fromme wrote: There are shell machines with lots of user accounts, none of which have administrative control of the system. Sure there are, but they make up only a tiny fraction of the systems on the network today. wow Doug -- Improve the effective

Re: openssh concerns

2009-10-08 Thread Oliver Fromme
Doug Barton wrote: > Oliver Fromme wrote: > > There are shell machines with lots of user accounts, none > > of which have administrative control of the system. > > Sure there are, but they make up only a tiny fraction of the systems > on the network today. Are you sure? The majority of BSD

Re: openssh concerns

2009-10-08 Thread Edho P Arief
On Fri, Oct 9, 2009 at 12:22 AM, Doug Barton wrote: > Oliver Fromme wrote: >> There are shell machines with lots of user accounts, none >> of which have administrative control of the system. > > Sure there are, but they make up only a tiny fraction of the systems > on the network today. > > share

Re: openssh concerns

2009-10-08 Thread Doug Barton
Oliver Fromme wrote: > There are shell machines with lots of user accounts, none > of which have administrative control of the system. Sure there are, but they make up only a tiny fraction of the systems on the network today. Doug -- Improve the effectiveness of your Internet presence

Re: openssh concerns

2009-10-08 Thread Oliver Fromme
> Doug Barton wrote: > > Daniel Bond wrote: > > > However, I'm concerned about the suggestion of using an > > > unprivileged port > > > > Please explain your reasoning, and how it's relevant in a world where > > the vast majority of Internet users have complete administrative > > control o

Re: openssh concerns

2009-10-05 Thread Daniel Bond
Hi. I explained my opinion quite well (imo) a bit further down in my previous email. I'm not sure what to answer. I don't necessarily think it's relevant for every computer running sshd. I see a tendency to change sshd port to 2022 and other port numbers. I'm not sure everyone doing it is

Re: Upgrade OpenSSH in 6.3 and 7.0 RELENG

2009-06-17 Thread Alson van der Meulen
* Erik Stian Tefre [2009-06-17 12:34]: > Jordi Espasa Clofent wrote: > > ¿How can I upgrade the OpenSSH in the _same_ RELENG? ¿Maybe using the > > ports? > > portsnap fetch update > cd /usr/ports/security/openssh-portable/ > make install clean > /etc/rc.d/sshd stop

Re: Upgrade OpenSSH in 6.3 and 7.0 RELENG

2009-06-17 Thread Erik Stian Tefre
Jordi Espasa Clofent wrote: > I need to upgrade the OpenSSH from the shipped 4.5p1 versions in 6.x and > 7.x branches to 4.5p2 or higher(1). [...] > ¿How can I upgrade the OpenSSH in the _same_ RELENG? ¿Maybe using the > ports? portsnap fetch update cd /usr/ports/security/openssh-po

Upgrade OpenSSH in 6.3 and 7.0 RELENG

2009-06-17 Thread Jordi Espasa Clofent
Hello folks, I need to upgrade the OpenSSH from the shipped 4.5p1 versions in 6.x and 7.x branches to 4.5p2 or higher(1). I've updated the source tree in 6.3 and 7.0 RELENG boxes with a system upgrade in mind, but the version is 4.5p1: # cat /usr/src/crypto/openssh/version.h | gr

OpenSSH error: error: key_read: uudecode failed FreeBSD_7 stable

2008-11-10 Thread John
ey say this was fixed in OpenSSH 4.7. - that URL is the latest report of the problem. I'm running a much later version: sshd: OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007 Can anyone help me with a fix/workaround? thanks -- John

Re: OpenSSH 4.6 error: channel 0: chan_read_failed for istate 3

2007-03-24 Thread Johan Ström
On Mar 20, 2007, at 16:04 , Dominik Zalewski wrote: Hi All, After upgrading to openssh-portable-4.6.p1,1 I'm getting following messages in logs: error: channel 0: chan_read_failed for istate 3 Although ssh works fine. Hi, just want to report that I've started to see

Re: OpenSSH 4.6 error: channel 0: chan_read_failed for istate 3

2007-03-20 Thread Christian Walther
On 20/03/07, Dominik Zalewski <[EMAIL PROTECTED]> wrote: Hi All, After upgrading to openssh-portable-4.6.p1,1 I'm getting following messages in logs: error: channel 0: chan_read_failed for istate 3 I guess you're either using scp or ssh to execute remote commands? We've

OpenSSH 4.6 error: channel 0: chan_read_failed for istate 3

2007-03-20 Thread Dominik Zalewski
Hi All, After upgrading to openssh-portable-4.6.p1,1 I'm getting following messages in logs: error: channel 0: chan_read_failed for istate 3 Although ssh works fine. Any ideas? Thank you in advance, Dominik

Re: buildworld fails in openssh

2006-10-09 Thread Randy Bush
patch applied to stable and build. both worked fine. thank you randy

Re: buildworld fails in openssh

2006-10-09 Thread Ruslan Ermilov
On Mon, Oct 09, 2006 at 07:12:28AM -1000, Randy Bush wrote: > >Please double-check if this is really a problem with -current, and not > >with -stable. Afaik, -current is not affected. > > doh. with eight -current systems and one -stable, my mind is stuck in > -current. but indeed, this was in -

OpenSSH does not honour WITHOUT_KERBEROS

2005-12-23 Thread Alastair D'Silva
Building OpenSSH (as part of buildworld) from a RELENG_6 tree (RELENG_5 works fine from memory) results in binaries linked against the Kerberos libraries, even when NO_KERBEROS is set in make.conf. Although these libraries exist in the host environment, they do not in the target environment

MIT Kerberos and OpenSSH

2005-01-11 Thread Gareth Hopkins
Howdie, Is there a way to get the default BSD 5.3 openssh to compile against the MIT kerberos libraries? I have set NO_KERBEROS=yes in /etc/make.conf so that the heimdal kerberos is not built, and rebuilt world, then installed /usr/ports/security/krb5 and rebuilt world again. sshd is however

Problems with pam_ssh(8) and ssh-agent(1) after the OpenSSH upgrade

2003-02-06 Thread Dag-Erling Smorgrav
As some of you have already noticed and reported, ssh-agent doesn't work quite right when spawned by pam_ssh after the OpenSSH upgrade earlier this week. This is caused by two factors. The first factor is that ssh-agent has become quite pedantic about its operating conditions, in an effo

More odd login failures on RELENG-4.6 (OpenSSH)

2002-07-30 Thread Clifton Royston
And If I fail a login the > first time, it seems harder to pass it the second time (the ~20% > failure rate goes up to maybe 50%). I've experienced some anomalous login failures with SSH (OpenSSH 3.4 from the latest /usr/ports) on a box that was upgraded this weekend to 4.6. I don

OpenSSH 3.4p1

2002-07-10 Thread Vitor de Matos Carvalho
Hi... I noticed that upgrade of the version of the OpenSSH for 3.4p1 was made one when cvs for RELENG_4 is made. It adds a new user and a new group with the name of sshd. Which would be the function of it? To twirl sshd with the user sshd instead of the user root? Case is because for default it

OpenSSH 3.4p1 problem (sshd).

2002-07-07 Thread Artur Meski
When I'm logging to my box I get the following messages: Jul 7 18:20:51 encumbered sshd[50946]: Accepted keyboard-interactive/pam for erph from 192.168.0.11 port 1143 ssh2 Jul 7 18:20:51 encumbered sshd[50948]: getting vmemoryuse resource limit: Invalid argument Tested with default configura

Re: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1

2002-07-05 Thread Brooks Davis
tion box. DES said on this list that he does not plan to do this because the commit is massive and 4.6 is not vulnerable to this bug. 4.6 users should consider using the openssh ports if they desire to run 3.4. -- Brooks -- Any statement of the form "X is the one, true Y" is FALSE. PGP

Re: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1

2002-07-05 Thread Ruslan Ermilov
On Fri, Jul 05, 2002 at 10:27:34AM +0200, Dag-Erling Smorgrav wrote: > Ruslan Ermilov <[EMAIL PROTECTED]> writes: > > The default of "Protocol 1,2" in -STABLE's /etc/ssh/ssh_config > > was lost in this merge. Was this intentional? > > Yes-and-no. I never liked the old default, but didn't consci

Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]

2002-07-05 Thread Dag-Erling Smorgrav
[moving from -stable to -security, bcc: to -stable and security-team] Mike Tancsa <[EMAIL PROTECTED]> writes: > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good > time to make the 2,1 the default instead ? I'd like that. I think the only reason for the old d

Re: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1

2002-07-05 Thread Mike Tancsa
As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good time to make the 2,1 the default instead ? ---Mike At 10:27 AM 7/5/2002 +0200, Dag-Erling Smorgrav wrote: >Ruslan Ermilov <[EMAIL PROTECTED]> writes: > > The default of "Protocol 1,2" in -STA

Re: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1

2002-07-04 Thread Dag-Erling Smorgrav
Peter Avalos <[EMAIL PROTECTED]> writes: > Since this turned off by default in FreeBSD, I think the man page > should be changed as well: Fixed, thanks. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED]

HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1

2002-07-03 Thread Dag-Erling Smorgrav
I finished the upgrade a little over an hour ago, and my post-commit buildworld just completed. It should now be safe to upgrade. Privilege separation is turned off by default, because it breaks Kerberos ticket passing. If you don't use ticket passing, or don't know what Kerberos is, it should

Typo in Makefile for OpenSSH 3.1

2002-03-08 Thread Mike Jakubik
Hi, There is a typo in the post-install script that generates keys if none are found. # $FreeBSD: ports/security/openssh/Makefile,v 1.82 2002/03/08 05:54:03 dinoex Exp $ post-install: .if !defined(BATCH) .if !exists(${PREFIX}/etc/ssh_host_key) @${ECHO_MSG} ">> Ge

Re: openssh root hole?

2002-03-07 Thread Kai Voigt
Lauri Laupmaa wrote: > > As I just read from http://www.pine.nl/advisories/pine-cert-20020301.txt > OpenSSH All versions between 2.0 and 3.0.2 have local root hole. > Is it fixed in -STABLE or is it issue at all? I just cvsup'ed -STABLE and the announced fix was already ap

Re: openssh root hole?

2002-03-07 Thread Chris Faulhaber
On Thu, Mar 07, 2002 at 05:16:28PM +0200, Lauri Laupmaa wrote: > Hi > > As I just read from http://www.pine.nl/advisories/pine-cert-20020301.txt > > OpenSSH All versions between 2.0 and 3.0.2 have local root hole. > > Is it fixed in -STABLE or is it issue at all? >

openssh root hole?

2002-03-07 Thread Lauri Laupmaa
Hi As I just read from http://www.pine.nl/advisories/pine-cert-20020301.txt OpenSSH All versions between 2.0 and 3.0.2 have local root hole. Is it fixed in -STABLE or is it issue at all? -- L. _\|/_ /|minut.ee
