TIL: According to the ssh_config man page, comments in ~/.ssh/config need to be on their own line. In other words,
Host foo # my awesome host
is not a valid comment.
The ssh command seems pretty relaxed about this, but other tools (e.g. Paramiko) are not necessarily.
I'm looking to hook up PerSourcePenalties in the sshd_config on my VPS, and can't find any examples of using them out there. They're a new-ish feature, so I wonder if anyone's an expert yet besides @djm.
Specifically, I'm getting a lot of attempted password logins on a system where "PasswordAuthentication no" is set, and I see five door-knocks from each IP before they get punted. Would rather have that kick in more quickly to keep the logs less cluttered.
If you're on #Debian stable but would like a PQ key exchange algorithm on your SSH service, #OpenSSH 10 is available in the Bookworm backports with the following release notes.
Multiplexing will boost your SSH connectivity or speed by reusing existing TCP connections to a remote host. Here are commands that you can use to control multiplexing when using OpenSSH server or client on your Linux, macOS, FreeBSD or Unix-like systems. Not sure what SSH multiplexing is? Learn how to set it up and use it to speed up your SSH sessions with our handy guide: https://www.cyberciti.biz/faq/ssh-multiplexing-control-command-to-check-forward-list-cancel-stop-connections/
Today i've learned that i don't need coder. I am now deploying an #ubuntu container from a #Dockerfile with an #openssh #server installed. This is a much better setup. Nearly every #Codeeditor supports #ssh workspaces so i'm not limited.
But the best thing about this setup is that it is very easy to automate using #Ansible.
I've used the same approach to set up #kali #linux environments months ago and should have stuck with that. It just works.
#clouddevelopment #clouddeveloperenvironments #docker #programming #coding #selfhosting #homelab #automation #coder
Apple、macOS 15.5 SequoiaでOpenSSHを「OpenSSH 9.9p2」にアップデートし2件の脆弱性を修正。
https://applech2.com/archives/20250513-openssh-9-9p2-on-macos-15-5-sequoia.html
#applech2 #macOS_15_Sequoia #macOS #macOS_15_5 #OpenSSH #OSS #アップデート #脆弱性
scp (ssh) failing after a few connections #networking #ssh #openssh
This article shows that DSA has finally been removed
#SSH #openSSH #DSA #programming #coding #OpenSource #openBSD #BSD #secureShell #Infosec
An unimportant remnant of the past has been removed from open SSH;
DSA.
Read about it in this article the next article linked will show you that it has been removed finally
#SSH #openSSH #DSA #programming #coding #OpenSource #openBSD #BSD #secureShell #Infosec
DSA signature support removed from OpenSSH https://www.undeadly.org/cgi?action=article;sid=20250507010932 #openbsd #openssh #ssh #dsa #dsaremoval #deadkeys #signature #deadciphers #security #networking #cryptography #crypto
Linux newbie: how to downgrade openssh version (UBUNTU) #packagemanagement #2404 #openssh
Call for testing: Last bits of DSA to be removed from OpenSSH https://www.undeadly.org/cgi?action=article;sid=20250506054255 #openbsd #openssh #ssh #dsa #dsaremoval #crypto #cryptography #ciphers #security #networking #development #freesoftware #libresoftware
ssh: listener sockets relocated from /tmp to ~/.ssh/agent https://www.undeadly.org/cgi?action=article;sid=20250506044643 #openbsd #ssh #openssh #security #unveil #sshagent #snoopresistant #freesoftware #libresoftware
#OpenSSH 10.0p1 includes a number of changes that may affect existing configurations:
* This release removes support for the weak DSA signature algorithm,
completing the deprecation process that began in 2015 (when #DSA was
disabled by default) and repeatedly warned over the last 12 months.
A very welcome change in #OpenBSD -current that impacts software which restrict filesystem access with unveil(2), but permit access to /tmp (like web browsers). :flan_thumbs:
ssh-agent(1) listener sockets and forwarded sockets in sshd(8) will now be under ~/.ssh/agent instead.
djm@ modified src/usr.bin/ssh/*: Move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).
This ensures processes (such as Firefox) that have restricted filesystem access that includes /tmp (via unveil(3)) do not have the ability to use keys in an agent.
Moving the default directory has the consequence that the OS will no longer clean up stale agent sockets, so ssh-agent now gains this
ability.To support $HOME on NFS, the socket path includes a truncated hash of the hostname. ssh-agent will by default only clean up sockets from the same hostname.
ssh-agent gains some new flags: -U suppresses the automatic cleanup of stale sockets when it starts. -u forces a cleanup without keeping a running agent, -uu forces a cleanup that ignores the hostname. -T makes ssh-agent put the socket back in /tmp.
feedback deraadt@ naddy@
doitdoitdoit deraadt@
#OpenBSD 7.7 has been released (#BSD / #NetBSD / #386BSD / #Unix / #LibreSSL / #OpenSSH / #OpenBGPD / #OpenSMTPD / #OpenNTPD / #OpenIKED / #rpkiClient / #mandoc) https://openbsd.org/
