comp.security.ssh - SSH secure remote login and tunneling tools (Google Groups)
https://groups.google.com/d/forum/comp.security.ssh

PuTTY 0.65 is released
Simon Tatham, 2015-07-25T11:08:47Z
https://groups.google.com/d/topic/comp.security.ssh/c9t7xS5gHfg
PuTTY version 0.65 is released. All the pre-built binaries, and the source code, are now available from the PuTTY website at http://www.chiark.greenend.org.uk/~sgtatham/putty/ 0.65 is a bug-fix release, with no significant new features over 0.64. (In

PAM_TEXT_INFO and PAM_ERROR_MSG with ssh
Jeff Arthur, 2015-07-23T15:00:31Z
https://groups.google.com/d/topic/comp.security.ssh/7CwmG_yh9EE
Hi, I can only assume there is a very good reason why PAM messages of the above classes only get output by SSH AFTER the PAM auth stack has been finalized. I have found discussion of this topic all the way back to 2004. PAM_PROMPT_ECHO_OFF and PAM_PROMPT_ECHO_ON both work as advertised with

[CM] POODLE has friends - a look at other vulns
RS Wood, 2015-07-15T07:36:26Z
https://groups.google.com/d/topic/comp.security.ssh/nddBd5vNLjk
From the «down, boy. sit.» department: Title: The POODLE has friends. Author: (none given). Date: Tue, 14 Jul 2015 14:58:05 -0400. Link: https://vivaldi.net/en-US/blogs/entry/the-poodle-has-friends Comments: https://news.ycombinator.com/item?id=9887231 -- Posting to comp.misc,

Can another user own authorized_keys?
David Liontooth, 2015-07-13T20:59:53Z
https://groups.google.com/d/topic/comp.security.ssh/-uTiFL97luA
On a server I administer, I trust user peter, and put him in charge of maintaining paul's authorized_keys: :/home/paul/.ssh# l total 24 -rw-r--r-- 1 peter peter 10467 Jul 11 01:55 authorized_keys ssh protests, "Authentication refused: bad ownership or modes for file /home/paul/.ssh/authorize

PuTTY Telnet and Plink
oldra...@gmail.com, 2015-07-09T23:08:03Z
https://groups.google.com/d/topic/comp.security.ssh/y0pjt8DBzDo
I can successfully run a Telnet connection using the PuTTY GUI with the Host Name 10.1.0.102, Port 4001, and Connection type set to Telnet. The responses to queries like frq? and tmp? are immediate. But if I put frq? and tmp? in a script.txt file and run Plink.exe, for example: plink.exe

Regularising ssh-ed25519
Ben Harris, 2015-06-28T17:30:38Z
https://groups.google.com/d/topic/comp.security.ssh/2NgOVIZvEz4
I've written an Internet-Draft describing how to use Ed25519 in SSH and formally allocating the name "ssh-ed25519" for it: https://datatracker.ietf.org/doc/draft-bjh21-ssh-ed25519/ The primary purpose of this is to regularise the use of that name by implementations. I'd like to know what

recover "currently used" sshd_config file from running sshd process
raint...@gmail.com, 2015-06-22T10:43:40Z
https://groups.google.com/d/topic/comp.security.ssh/jiOv-Av98TQ
Hi, my sshd_config file has been hosed. I know if I send sshd a SIGHUP it will re-read it. But first I need to re-create the config file. Sadly the backup that would have included the "valid" sshd_config has expired. The system has been up some considerable time .... Is there a(ny) way?

Article: Clearmanage to monitor encrypted channels with SSH Communications Security
user1, 2015-05-09T17:01:21Z
https://groups.google.com/d/topic/comp.security.ssh/lAjMTqa52Tk
Clearmanage to monitor encrypted channels with SSH Communications Security. URL: http://www.reuters.com/article/2015/04/14/idUSFWN0XB01Q20150414

Article: SSH Communications Security partners with Fujitsu SSL
user1, 2015-05-09T17:00:28Z
https://groups.google.com/d/topic/comp.security.ssh/iJnllrTSmQg
SSH Communications Security partners with Fujitsu SSL. URL: http://www.reuters.com/article/2015/04/13/idUSFWN0X80TC20150413

How to determine the state of an ssh tunnel?
William Unruh, 2015-05-07T19:44:04Z
https://groups.google.com/d/topic/comp.security.ssh/B7mF4c-eu90
I have a tunnel set up by autossh from machine A to machine B. It works well. However, on machine B I would like to know the state of that tunnel. For example, when A is shut off, often I can still ssh to it, in the sense that trying ssh localhost -p 9444 sits there with no return for a long

PLink compatibility
JFisher, 2015-04-30T15:08:46Z
https://groups.google.com/d/topic/comp.security.ssh/K27wA_f3Y0A
I have a client that needs a dual authentication connection. They are currently using Juno Pulse, but it is too restrictive for our needs. PLink allows us to create a much smaller tunnel that does not restrict local area network connectivity. But, for the dual authentication, our customer

PuTTY local proxy command, reverse tunnel broken
Jez, 2015-04-21T01:50:25Z
https://groups.google.com/d/topic/comp.security.ssh/EUW63Tj90BI
Hi, I don't think this is expected behaviour - at least it doesn't seem to me to be very useful. I'm using PuTTY v0.64 on Win7 32-bit. I've set up a proxy command to connect to a remote server. When I set up a reverse tunnel, I would expect that a connection to the remote tunnel port would

question about TLS cryptosuite and x.509 fields
crevitch, 2015-04-11T03:58:59Z
https://groups.google.com/d/topic/comp.security.ssh/GaxqPfpJVX4
I am trying to understand the relationship between parameters in the TLS cryptosuite and fields in X.509. From RFC 3279 (X.509): Signature Algorithms (section 2.2); Subject Public Key Algorithms (section 2.3). From the TLS cryptosuite: key exchange algorithms; authentication algorithms

I bet some folks out here are familiar with Google Authentication?
Ramon F Herrera, 2015-04-04T03:54:54Z
https://groups.google.com/d/topic/comp.security.ssh/QbqsDfl4aHw
After a long search, I located what appears to be the solution to my problem. I am trying to copy files between "Google Storage" (and/or "Google Drive") and Linux, using the CLI. Found CyberDuck: https://cyberduck.io/ This is the command that I have to type (I am guessing!): % duck -l

tcp resets sent without apparent reason?
Patrick Byrne, 2015-03-15T16:29:51Z
https://groups.google.com/d/topic/comp.security.ssh/cKfitHMBNjs
Hi, I use putty & winscp to connect from my windows laptop to a debian server in my home. Several weeks ago I started getting frequent problems where the connection was reset. My putty session would die every couple of minutes with 'network error caused software abort' or 'network connection

Where is SSH_CLIENT documented?
Peng Yu, 2015-03-13T14:01:10Z
https://groups.google.com/d/topic/comp.security.ssh/nTJdHAPrlqs
Hi, I see SSH_CLIENT mentioned here: http://en.wikibooks.org/wiki/OpenSSH/Client_Applications But I don't find where it is documented in the ssh manpage. Does anybody know where it is in the official documentation of ssh? Thanks. Regards, Peng

Can we connect to any remote open ports
pigeo...@googlemail.com, 2015-03-12T17:41:13Z
https://groups.google.com/d/topic/comp.security.ssh/Y_QSErgqvVU
When we use nmap or netcat, e.g. to scan remote computers, knowing some ports are open, for instance 80, ftp, 8080, ssh and so on: can we log in to any remote ports? If we find a remote open port with number 4567, can we remote to that computer? If I find a remote open port which has no

SSH public key auth failures after Mac upgrade
John Lammers, 2015-03-10T21:53:42Z
https://groups.google.com/d/topic/comp.security.ssh/v_3lkjIhKKA
Some help from an OpenSSH wizard would be much appreciated. I've provided config info and logs. Let me know if you need any other info. --- Synopsis --- Public key authentication doesn't work from my new MacBook Pro (running 10.10) to the VMs at one of our sites. It worked (and still

environment variable
David Tabernero, 2015-03-01T10:23:48Z
https://groups.google.com/d/topic/comp.security.ssh/Dr5S5cTzp4Q
Hi, I'm trying to pass an environment variable with putty in my session but it doesn't work. I've created the environment variable in the dialog box and I have PermitUserEnvironment set to yes in sshd config, but when I log in I do echo $variable and it shows nothing. Could you help me please? Many thanks

PuTTY 0.64 is released
Simon Tatham, 2015-02-28T09:14:04Z
https://groups.google.com/d/topic/comp.security.ssh/L0DFwBERfac
PuTTY version 0.64 is released. All the pre-built binaries, and the source code, are now available from the PuTTY website at http://www.chiark.greenend.org.uk/~sgtatham/putty/ This is a SECURITY UPDATE. We recommend that everybody who uses SSH private keys

github.com deploy keys for individual products on a jenkins or gforge server
Nico Kadel-Garcia, 2015-02-19T02:41:03Z
https://groups.google.com/d/topic/comp.security.ssh/OQoFxZHBSHI
Hi, folks! It's been years since I was active on comp.security.ssh: I still do backports of OpenSSH builds for current RHEL builds over at https://github.com/nkadel/nkadel-openssh-portable, and I've more recently published a new chroot cage building kit for rssh over at https://github.com/nkad

Pros and Cons of using sftp-server as shell vs other methods of restricting interactive login?
philip...@gmail.com, 2015-02-04T13:35:42Z
https://groups.google.com/d/topic/comp.security.ssh/x2cKJDRaIxY
Please advise on the pros and cons of using sftp-server as a shell. Chiefly, is there a downside or negative security implication of using sftp-server as a user shell to restrict access to sftp and prohibit interactive login? The idea has been floated that we may restrict access to sftp and

ssh tunnel misbehaving.
William Unruh, 2015-01-13T21:35:18Z
https://groups.google.com/d/topic/comp.security.ssh/6_3ox_5DjDw
I am setting up an ssh tunnel from one machine (let me call it A) to another machine B. On A I run autossh: autossh -M0 -R 8022:localhost:22 B The connection appears to be made (autossh keeps running, and one does not get repeated reconnections). On B it seems as though there is some sort of

sshd dies if wrong line in /etc/ssh/sshd_config
William Unruh, 2014-12-27T23:17:12Z
https://groups.google.com/d/topic/comp.security.ssh/5dlZh4CkXvE
I have a couple of invalid lines in my /etc/ssh/sshd_config file. (In one a bad script inserted a s= line into that file, and in another a Match Address list was preceded by a comma (Match Address ,188.8.131.52,..). In both cases sshd refuses to start, leaving me with no way into those

Inadequate replacement for tcpwrapper
William Unruh, 2014-12-26T08:05:20Z
https://groups.google.com/d/topic/comp.security.ssh/PyFpq8kldzk
openssh has gotten rid of tcpwrapper. The claim seems to be that Match Address is an adequate replacement for hosts.allow. In at least one area it is not. hosts.allow reads the permissions from top to bottom, and the first line that matches is the operative line. Thus one could have sshd:

Limit to Match Address Line?
William Unruh, 2014-12-25T19:44:41Z
https://groups.google.com/d/topic/comp.security.ssh/K6CWrN33tas
Now that openssh has stopped supporting hosts.allow, is there any limit to the number of addresses or characters in a Match Address line in /etc/ssh/sshd_config? There is a limit to the line length in a hosts.allow line. (Otherwise tcpwrappers goes into an eternal loop - a bug Venema refused to

ssh hang well before authentication (wireless ISP)
Neil Carlson, 2014-12-24T19:17:40Z
https://groups.google.com/d/topic/comp.security.ssh/nzrRDSS6694
I recently switched to a wireless ISP provider and find I am now unable to establish outbound ssh connections. Here is the output of 'ssh -vvv': OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 51: Applying

Strange SSH Behavior
Dick, 2014-12-24T01:34:37Z
https://groups.google.com/d/topic/comp.security.ssh/wsXTrgQLKd8
I have an Ubuntu server running 14.04.1 LTS. I also have several Windows machines running Putty. They all work exactly as expected. I recently loaded a Dell E6400 laptop with Ubuntu desktop 14.04.1 LTS. I have all my machines using RSA certificates. The odd thing that I have noticed is when

Tectia SSH only one forwarded session
andyw...@gmail.com, 2014-12-19T10:21:24Z
https://groups.google.com/d/topic/comp.security.ssh/87HFR_jAW9M
Hello All, we use Tectia SSH to access the DMZ machines (Solaris 10). Authentication uses a PKCS#11 cert on a smartcard in the local Windows PC. First login goes to a so-called "jumphost", from where another SSH session is made to the destination server in the DMZ. While I can open as many sessions as I

SSH Bad Packet Length - Key Exchange ????
nos...@notreal.com, 2014-12-10T03:02:15Z
https://groups.google.com/d/topic/comp.security.ssh/HaJ9OGIzBE8
I am trying to connect to a device that appears to have SSH installed on it. However, when I try to make a connection to it using Putty, it hangs and then aborts with no output shown on the screen. When I try to connect to it from a Linux box using SSH at the command line, it fails as a

chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
DanT, 2014-12-07T22:37:09Z
https://groups.google.com/d/topic/comp.security.ssh/euposlqK8Hg
I have sshd server sshd -V ... OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014 ... running on linux/64 with cat sshd_config ... PubkeyAuthentication yes PasswordAut

PSCP does not copy file - "Cannot create file"
Petr Laznovsky, 2014-11-22T21:43:30Z
https://groups.google.com/d/topic/comp.security.ssh/UGZC_Pmkhl8
Trying to back up a config file from a network box, but have no luck: C:\>pscp.exe -scp -pw password -2 -v login@hostname:/tmp/system.cfg "E:\backup\krabky\configs\" Looking up host "hostname" Connecting to IP_address port 22 We claim

Default Value of PAMAuthenticationViaKBDInt in OpenSSH v4.4p1
Chakri, 2014-11-18T03:36:45Z
https://groups.google.com/d/topic/comp.security.ssh/ymt_wF13DJc
Hi All, we have OpenSSH (v4.4p1) installed on a Solaris server and the sshd_config file has been configured as below: =============Start of sshd_config file content===================== solaris9 $ cat "/usr/local/etc/sshd_config" # $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker

sshd and lastlog (and/or last/wtmp)
rick4...@gmail.com, 2014-11-17T22:05:45Z
https://groups.google.com/d/topic/comp.security.ssh/CEqWpME1oLI
Hi, I noticed that not all ssh connections are logged in /var/log/lastlog or /var/log/wtmp. Only actual logins, but not commands or sftp connections. If a user uses the command /bin/bash, as a sysadmin I cannot know that a user was connected interactively on a server. I have to hunt things down in

ssh/ldap password authentication fails after update
hfru...@gmail.com, 2014-11-15T01:36:51Z
https://groups.google.com/d/topic/comp.security.ssh/qsAxnzst4VE
Folks, on a server running Scientific Linux (a RHEL clone) 5.3, I updated the security-relevant packages (openssh, ldap, bind, ssl). Now ssh access with password authentication fails. Key authentication works. "su" also works, so the passwords themselves are OK. Authentication is via ldap. It

World Wide Public Key Infrastructure for SSH based on blockchain technology
maxihatop, 2014-11-09T14:21:30Z
https://groups.google.com/d/topic/comp.security.ssh/k2xVu6dDZbw
Our team released a new tool: a free, open source program, emcssh. This program is a bridge between a blockchain-based PKI and the OpenSSH server daemon, and allows it to retrieve ssh public keys from the distributed EmerCoin Name-Value Storage. Using this tool a sysadmin can easily manage access permissions

Default encryption for PSFTP
joshi...@gmail.com, 2014-11-05T03:19:11Z
https://groups.google.com/d/topic/comp.security.ssh/2XllG0G6xP8
What is the default encryption (SHA?) used by PSFTP when using userid/password to connect to a server? Thanks

How to generate or convert native private OpenSSH key file for IdentityFile?
Juraj Vitko, 2014-10-31T21:44:47Z
https://groups.google.com/d/topic/comp.security.ssh/ia38pepzE78
No matter what I do, OpenSSH refuses to read my generated private key file when used for ProxyCommand. It complains like this: debug1: Executing proxy command: exec ssh -W host1:22 host2 debug3: Not a RSA1 key file /path/to/file. debug2: key_type_from_name: unknown key type '-----BEGIN'

exactly the same config file works when used in ~/.ssh/config, but not when passed on the command line
Tennis Smith, 2014-10-29T23:55:27Z
https://groups.google.com/d/topic/comp.security.ssh/70xCYmhD8so
Hi, the subject line pretty much covers it. I have a config file which works great when in my .ssh dir. When I pass the same file name via the "-F" option, it fails. So, why not just use the .ssh/config file and forget about passing it on the command line? These are all virtual hosts on AWS.

SSH client doesn't create TAP device
luca.b...@gmail.com, 2014-10-20T14:34:48Z
https://groups.google.com/d/topic/comp.security.ssh/ZBftCM5jG-I
I would like to use ssh to create a layer 2 tunnel. It would seem that there is a bug: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1316017 I cannot find further documentation; is it a known bug? Is there a way to circumvent it (or can I only wait and hope)? Thanks in advance for any

plink, tail & grep
Wolfgang Loefstedt, 2014-10-15T19:56:17Z
https://groups.google.com/d/topic/comp.security.ssh/ibciJ54fCsk
Hello out there, I'm using plink v0.63 under WinXP to log on to a Linux server to check the system log: plink -P 22 -ssh don...@192.168.0.254 -pw secret "tail -f /var/log/messages" This works fine. If I try to grep the output like plink -P 22 -ssh don...@192.168.0.254 -pw secret "tail -f

plink, tail and grep
Wolfgang Loefstedt, 2014-10-15T19:50:34Z
https://groups.google.com/d/topic/comp.security.ssh/W7BXpnMY5Ts
Hello out there, I'm using plink to log on to a server to check the system log: plink -P 22 -ssh don...@192.168.0.254 -pw secret "tail -f /var/log/messages" This works fine. If I try to grep the output like plink -P 22 -ssh don...@192.168.0.254 -pw secret "tail -f /var/log/messages | grep

Shellshock PuTTY
mleh...@yahoo.com, 2014-10-14T16:00:03Z
https://groups.google.com/d/topic/comp.security.ssh/LRcLcYBPmg8
Hi. I'm running Windows 7 64-bit. I have 3 websites on the same Linux or Unix server (not sure which). I'm wondering if my Windows computer is vulnerable via Shellshock when using Putty 0.63... ...or if my webhost is vulnerable. Looks like I can test like this: ? https://shellshocker.net

NetCat What?
Tennis Smith, 2014-10-07T15:43:41Z
https://groups.google.com/d/topic/comp.security.ssh/hZ-Jymkg8EE
Hi. Can someone explain what the 'nc -w ...' construct does in this snippet from an ssh config file? https://gist.github.com/anonymous/a1fc68dadd98451cc75e Also, what happens if I want to ssh to a host that is not accessible via 'bastion'? TIA, -T

SSH works from LAN but not from WAN, hanging at expecting KEXDH_INIT
kasthurira...@gmail.com, 2014-10-03T12:13:22Z
https://groups.google.com/d/topic/comp.security.ssh/V--BmwGXkes
Hi, I am able to use SSH inside the LAN, but it is not working from the WAN. Running SSHD in debug mode, please find below the last few messages: SSH2_MSG_KEXINIT sent [preauth] SSH2_MSG_KEXINIT received [preauth] kex: client->server aes128-ctr hmac-sha1-96 zl...@openssh.com [preauth] kex: server->clie

Using ssh as SOCKS5 proxy results in "Connection to .... closed by remote host"
linux...@gmail.com, 2014-08-26T16:28:31Z
https://groups.google.com/d/topic/comp.security.ssh/Txzxub8mnIg
Hi, I am trying to use the dynamic port forwarding feature of OpenSSH. It seems to work fine for a short period of time (1-2s, enough for firefox to load a single page), but then the ssh connection fails with the following message: "Connection to 184.108.40.206 closed by remote host" The

Switching AIX to use LDAP authentication while still being able to use local accounts.
jhe...@gmail.com, 2014-07-24T16:26:32Z
https://groups.google.com/d/topic/comp.security.ssh/u70WlZzpoE0
I have set up my AD account so that it can log in to my AIX server. I have removed my local AIX account and have permanently switched to using my AD account. I'm using putty to ssh into my AIX server. If I don't specify my private key to use in putty, I can see all the AD groups that were created

openssh uses agent despite IdentitiesOnly yes -> Bug?
Peter Mairhofer, 2014-07-17T01:18:17Z
https://groups.google.com/d/topic/comp.security.ssh/8n-hctTVkBU
Hi, in my ssh_config I set IdentityFile and IdentitiesOnly yes and ForwardAgent no. ssh uses this key but it still queries the agent! But it shouldn't do that; I explicitly supply the key I want. The reason why this is super problematic is that I have a special agent that locks itself

PUTTY 0.63 - How to define or exclude a specific Cipher?
hanks...@gmail.com, 2014-07-08T21:42:48Z
https://groups.google.com/d/topic/comp.security.ssh/kQCtyKZIBWQ
For OpenSSH you can do so with the -C <cipher> parameter. Is there a method to do the same for Putty? We tried to edit the settings at the server side to not allow aes256-ctr but rather to use aes256-cbc - but the server (in FIPS mode - works fine in non-FIPS) keeps reverting to aes256-CTR.