Lmst
Login

#secureshell

James Trickle uPopalmirror@hachyderm.io
2025-06-02

I have been having Secure Shell hangs when sending/receiving bulk data (large packets) between my workstation and a WAN server. I think I've discovered bad behavior somewhere in the WAN.

I figured it out by pinging the remote host using different sized packets with the Do Not Fragment bit set. Above a certain size, one is supposed to go from receiving ping responses to getting back ICMP error packets indicating the packet was too large and that fragmentation is needed, along with the MTU size to use. This called Path MTU Discovery.

Instead of that I get three behaviors: ping response for small packets, silence for midsized packets (bad!), and error response for too-large packets.

This is really bad news, and it seems TCP just stops working if it can't get those too-large packets through.

Anyway, the WAN provider apparently autonomously rebooted their equipment, and the problem is now gone, but it has been dogging me intermittently the last several months. It's a real pain when ssh craps out when cat'ing a long file or git fetch sessions hang.

I now have the start of a tool that I can use to monitor that bad behavior is happening, though.

#networking #IP #Internet #MTU #whine #software #WAN #SecureShell #ICMP #routing

Neustradamus :xmpp: :linux:neustradamus
2025-05-07

2025.88 has been released ( / / / / / ) matt.ucc.asn.au/dropbear/dropb

Dendrobatus AzureusDendrobatus_Azureus@bsd.cafe
2025-05-07

This article shows that DSA has finally been removed

#SSH #openSSH #DSA #programming #coding #OpenSource #openBSD #BSD #secureShell #Infosec

undeadly.org/cgi?action=articl

The image shows a screenshot of a webpage from the OpenBSD Journal. The top of the page displays the title "OpenBSD Journal" with a logo featuring a stylized sun. Below the title, there are navigation links including Home, Archives, About, Submit Story, Create Account, and Login. The main content of the page is a news article titled "DSA signature support removed from OpenSSH," contributed by rueda on 2025-05-06. The article states that Damien Miller has completed the removal of DSA signature support from OpenSSH, listing the modified and removed files. The CVSROOT and Module name are also provided. The log message confirms the removal of DSA signature support. The editors encourage readers to ensure the removal is complete. The latest articles section lists other recent news items, including a commit of the LLDP daemon and tool and a call for testing the last bits of DSA. The webpage's URL is undeadly.org/cgi?act, and the battery level is at 82%. Ovis2-8B 🌱 Energy used: 0.249 Wh
Dendrobatus AzureusDendrobatus_Azureus@bsd.cafe
2025-05-07

An unimportant remnant of the past has been removed from open SSH;
DSA.

Read about it in this article the next article linked will show you that it has been removed finally

#SSH #openSSH #DSA #programming #coding #OpenSource #openBSD #BSD #secureShell #Infosec

undeadly.org/cgi?action=articl

The image shows a screenshot of a webpage from the OpenBSD Journal. The top of the page features a black background with a logo on the left, depicting a cartoonish sun with guns, and the text "OpenBSD Journal" in light blue. Below the logo, navigation links are visible: Home, Archives, About, Submit, Story, Create Account, and Login. The main content of the page is a news article titled "DSA removal from OpenSSH" in large, light blue text. The article was contributed by "rueda" on January 11, 2024, from the "going-dept." The article states that the OpenSSH project has announced the timeline for the removal of DSA support from OpenSSH. It mentions that OpenSSH plans to remove support for DSA, as specified in the SSHv2 protocol, which is limited to a 160-bit private key with an estimated security level of less than or equal to 80 bits. The article also notes that OpenSSH has disabled DSA keys by default and that DSA is optional support for them. The bottom of the page shows the URL "undeady.org/cgi?act" and a navigation bar with three vertical lines, a home icon, a back arrow, and a menu icon. The battery icon in the top right corner indicates 82% battery life, and the time is 03:31. Ovis2-8B 🌱 Energy used: 0.353 Wh
OSTechNixostechnix@floss.social
2025-05-06

How Tmux Saved My Work When SSH Kept Dropping and Why You Should Use Tmux for Unstable SSH Connections in Linux #tmux #ssh #secureshell #linux #tmuxtips #linuxadministration
ostechnix.com/use-tmux-unstabl

ティージェーグレェteajaygrey@snac.bsd.cafe
2025-04-25
Fuckit, now is as good a time as any to finally submit that Pull Request to update MacPorts' OpenSSH to 10.0p2 that I had been sitting on hoping for help in improving the MacPorts' patches to ssh-agent.c (making it launchd aware) and sshd-session.c (utilizing macOS's sandbox functionality):

https://github.com/macports/macports-ports/pull/28253

Maybe the GitHub Continuous Integration checks will break there too?

#OpenSSH #MacPorts #OpenBSD #SecureShell #OpenSource #PleasForHelp
Neustradamus :xmpp: :linux:neustradamus
2025-04-18

10.0 has been released ( / / ) openssh.com/

Ravenraven@bsd.cafe
2025-04-09

OpenSSH 10.0 released with hybrid post-quantum algorithm mlkem768x25519-sha256 as default key agreement, new cipher preference list, new options, bug fixes

openssh.com/releasenotes.html

#openssh #openbsd #infosec #secureshell #postquantumcryptography

ティージェーグレェteajaygrey@snac.bsd.cafe
2025-04-06
I was slackin!

Almost a week behind the Call For Testing for OpenSSH 10.0!

(OpenSSH UNIX dev mailing list archive message on such things here:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041855.html)

Preliminary results on macOS 15.4 leveraging MacPorts are lookin good so far:

./ssh -V
OpenSSH_9.9p2-snap20250407, LibreSSL 4.0.0

Running %make tests

"all tests passed"

So that's great too!

Note: this version removes DSA support.

Previously, that had been omitted from default compilation options (though there were some squeaky wheel MacPorts folks who ended up contributing the legacy_dsa variant to toggle that compilation option back on; I'm trying to figure out the best way to give them a heads up that they're going to need to maintain a patchset diff from upstream if they want to keep that variant. For the time being, hopefully updating the Trac issue will at least notified interested individuals:

https://trac.macports.org/ticket/70319#comment:26 )

I had a feeling that the MacPorts I maintain had been a bit too quiet recently. Glad I dug a little deeper and realized I was overlooking that Call For Testing!

Hopefully, the 10.0 release will go smoothly and downstreaming it into MacPorts will be as relatively uneventful as it has been for me locally with the most recent snapshot.

#OpenSSH #CallForTesting #snapshots #OpenSource #SecureShell #Cryptography #Security #MacPorts
OSTechNixostechnix@floss.social
2025-04-04

Pico.sh: The SSH-Powered Services Every Developer Should Try #Pico #SSH #Developer #Webservice #Linux #SecureShell
ostechnix.com/pico-sh-ssh-powe

OSTechNixostechnix@floss.social
2025-04-01

A Complete Guide to Install, Enable, and Secure SSH on Fedora Linux 42 #SSH #SecureShell #Fedora #Linux #Security #Linuxhowto #Linuxadmin
ostechnix.com/set-up-configure

Neustradamus :xmpp: :linux:neustradamus
2025-03-06

2025.87 has been released ( / / / / / ) matt.ucc.asn.au/dropbear/dropb

ティージェーグレェteajaygrey@snac.bsd.cafe
2025-02-18
I submitted a Pull Request to update MacPorts' OpenSSH to 9.9p2 here:

https://github.com/macports/macports-ports/pull/27712

GitHub Continuous Integration checks are running. Hopefully they will be OK (Update 2 out of 3 have completed successfully, which is a good sign).

I tested locally without issues, but I also build against LibreSSL locally, whereas GitHub CI and MacPorts' Build Bots I think default to OpenSSL.

This release is to address some vulnerabilities identified by Qualys and other less critical bugs.

More details from upstream here:

https://www.openssh.com/releasenotes.html#9.9p2

Of particular note:

" Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
(inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by default.

* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service related
to the handling of SSH2MSGPING packets. This condition may be
mitigated using the existing PerSourcePenalties feature.

Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH."

If I read everything correctly, these vulnerabilities primarily only impact the Portable OpenSSH releases (which is what MacPorts uses). However, OpenBSD has also issued the following errata to mitigate one of the issues as it also appears to impact OpenBSD users:

"008: SECURITY FIX: February 18, 2025 All architectures
sshd(8) denial of service relating to SSH2MSGPING handling. ssh(1) server impersonation when VerifyHostKeyDNS enabled.
A source code patch exists which remedies this problem."

Source code patch for OpenBSD here:

https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig

Having written as much, it appears as if the main OpenSSH version for OpenBSD is still 9.9, so I am not going to make a submission for undeadly.org Other editors reading this are welcome to though, I just kind of have a lot of other stuff on my plate at present.

As usual, I also have too much going on in my life to want more responsibilities such as commit access within MacPorts, so it's up to someone else to merge it.

Update #2: I also decided to be a good Samaritan and reported the issue to Apple. Not that they have ever acknowledged my efforts for such things nor paid me from their bug bounty program in years of doing similar things. Because, OFC, Apple can't spare a penny to anyone like me. Maybe Qualys already reported it to them anyway (though they would have no obligation to do so, they did find the vulns and reported them upstream as would be expected).

#OpenSSH #MacPorts #SecureShell #InfoSec #Cryptography #Security #CVE #PatchTuesday #OpenSource #OpenBSD #macOS
Neustradamus :xmpp: :linux:neustradamus
2024-11-25

2024.86 has been released ( / / / / / ) matt.ucc.asn.au/dropbear/dropb

Peter N. M. Hansteenpitrh
2024-09-22

OpenSSH 9.9 released! undeadly.org/cgi?action=articl

sylviesylvie@chitter.xyz
2024-07-12

question to people who understand #SSH / #OpenSSH / #SecureShell
how many keys is a device supposed to have?

i get that i shouldnt use the same key on all devices because then when revoking it, every device needs a new key, but am i only supposed to have one of each key types on my device?

currently i have 3 keys for 3 git remotes, 2 keys for local devices (switching between laptop keyboards is no fun), and 2 joke keys i only use when asking for ssh access (for reference i would send people an executable called "virus" just to see if they ran it and (logical o) their reaction) or signing a message for no reason

Neustradamus :xmpp: :linux:neustradamus
2024-07-07

9.8p1 has been released ( / / ) openssh.com/

OSTechNixostechnix@floss.social
2024-07-04

Critical OpenSSH Vulnerability Patched: Here's What You Need to Know #openssh #regreSSHion #ssh #SecureShell #Linux #openssh #security
ostechnix.com/regresshion-cve-

Peter N. M. Hansteenpitrh
2024-06-07

OpenSSH introduces options to penalize undesirable behavior undeadly.org/cgi?action=articl

Peter N. M. Hansteenpitrh
2024-05-17

sshd(8) split into multiple binaries undeadly.org/cgi?action=articl -session

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst