Re: ssh ServerAlive probes
Why can't you put a packet on the link until the data transfer is finished? What is your MTU? That is what MTU is for. Or perhaps your MTU in time units is bigger than you want to signal! Cheers

2011/4/5 Don Tucker dtuc...@arlut.utexas.edu:

> Hello,
>
> I am working on an application that needs to be able to rapidly detect a lost connection between an ssh client and ssh server. I am using ssh to do local and remote port forwarding, and sending data across the forwarded ports. I was originally relying upon the TCPKeepAlive probes, but found that I could not consistently detect a lost connection. Using the ServerAliveInterval and ServerAliveCountMax options, however, I am able to consistently detect a lost connection.
>
> The problem is, if I am using a low-bandwidth connection (cellular modem), and I am pushing a significant amount of data across, it seems that this hinders the communication between the client and server with the ServerAlive messages. In other words, when I am actually USING the connection, my application can mistakenly detect the connection as lost because the ServerAliveInterval x ServerAliveCountMax is exceeded without a response from the server. I was surprised at this behavior, since I expected the ServerAlive probes to only start after data flow between the client and server machines across that connection had ceased, but perhaps I am misunderstanding.
>
> I do not have much leeway as to how the server is configured. Can someone recommend a way to be able to both (1) quickly detect a lost connection [which seems to require that the interval and countmax be small], but not mistakenly detect the connection as lost when it is being used?
>
> Thank you for any assistance.
>
> Don
Re: a GOOD idea to harden OpenSSH!
hi,

a couple of years ago I submitted an idea like yours! My idea was that the ssh server waits up to, say, 2^N seconds between failed logins before showing the login prompt again, N being the Nth try! So the first login comes instantly. After a failed login I have to wait 2 seconds, after a second failed login I have to wait 4s... 8s... 16s... 32s... 2^N seconds! This will not disturb a normal human login with a couple of failures but makes a robot wait according to a power law. I don't know why, but nobody liked my idea.

Cheers!

2011/3/30 nagygabor88 nagygabo...@zoho.com:

> I'm writing here, because the ssh dev list says: Mail Delivery Status Notification (Delay) [Status: Error, Address: openssh-unix-...@mindrot.org, ResponseCode 451, Temporary failure, please try again later.]
>
> So: What is your opinion about the next idea? Please write down ++/-- thoughts:
>
> It's against brute-force attacks on sshd: if a user wants to connect to an ssh server then he has to wait a couple of seconds, then he can write his passphrase. The couple of seconds is defined in the sshd config, e.g.: 2 seconds. The method mustn't show that the user has to wait 2 seconds to write his passphrase.
>
> Important: the user could type in his password before the 2 seconds, but the sshd will only process the chars that have been typed after 2 seconds!
>
> Effect: in this way, if a brute force robot comes, and tries to log in with a generated password, it will likely input that in a matter of milliseconds, ok. BUT: the sshd will only give back that the password is bad, because it only processes the password that has been typed 2 seconds after the "type your password" prompt appears on the client side.
>
> If this idea spread, then the attackers would adapt, and wait e.g. 5 seconds before their robot gives the generated password to sshd. BUT: this will take them too much resources, and the brute-force will be far less effective.
>
> So can this be a feature in sshd? :O What do you think?
>
> Thank you!
Re: Reverse tunnel and multiple interface
Hi,

I had to set up a similar scenario with a reverse tunnel and also traversing proxies in the middle. I achieved that with an openvpn tunnel. It showed that it is very robust against link failures. Maybe you can compile openvpn for your embedded linux.

Cheers
C

2008/10/29, Christian Gagneraud [EMAIL PROTECTED]:

> Hi all,
>
> I have a box running embedded linux, which has 2 network interfaces: the first (eth0) is the normal interface, the other one (ppp0) is used as a back-up link (in case eth0 is down, we still want to be able to connect to the box). The box is installed on the sea, a few miles away from the shore; the box accesses the internet through eth0, which is connected to a transparent WIFI bridge and finally to an ADSL router. The ppp0 is a GPRS connection via a modem; as my provider doesn't allow incoming connections, I need to set up a reverse tunnel if I want to be able to connect remotely to the box. I know I can set up the reverse tunnel with something like ssh -CNR middleport:localhost: [EMAIL PROTECTED], we use this on other projects that have only ppp0 to access the internet, and it works fine.
>
> It is critical for us to be able to access the box 24/7; the services provided by this box need a good bandwidth, that's why we need a broadband connection. The ppp0 will be only used in case of eth0/internet failure to investigate the problem(s). Actually the WIFI link is the weakness of the system; the embedded WIFI bridge can fail due to various reasons including misalignment (the system can drift from its original position), corrosion (sea water is a killer), power supply failures...
>
> Finally, my problem is that I would like to simply force the reverse tunnel to use only ppp0. And at the same time I need the default route to go through eth0 (that is needed for the main programs running on this box). So, this is what I would like to achieve:
>
>                /--- ppp0 ---| GPRS Modem  |---{internet}    <-- ssh -CNR ...
>               /
>     lo ------+
>               \
>                \--- eth0 ---| ADSL router |---{internet}    <-- ssh daemon, main apps
>
> I have the feeling that there's no way to tell ssh to make a reverse tunnel through a specific interface and ignore the default route, and that I will have to find a way via the kernel network set-up, and I have no clue on how to do this. I don't want to use an automatic/redundant route, because if my app tries to use ppp0, then the link will be stuck, because this app is bandwidth hungry and anyway this app needs incoming connections... So, perhaps someone will come here with an idea using only ssh...
>
> With best regards,
> Chris
>
> PS: Please CC me as I'm not subscribed to the list.
Re: is ssh tunneling a security risk?
Hi,

There is nothing bad about the tunnel itself, but the tunnel has an end that is outside the control of your IT. In other words you leave a door open. If someone gets into your outside machine he gains access to the secured zone.

C

2008/10/17 David M. Kaplan [EMAIL PROTECTED]:

> Hi,
>
> My IT department is really heavy on security. From outside the building, they have a rather complex system set up so that you can get around the firewall and ssh into a single machine. From there, you have to ssh into the machine you want to use. To simplify things, I have been using a tunnel to hop from my machine directly (through the tunnel) to the machine I want to use in the building. This has worked fine until a couple of days ago when IT decided to prohibit tunneling for security reasons (attempting to use the tunnel now responds with "channel 3: open failed: administratively prohibited: open failed"). This has made it almost impossible to work with the system.
>
> What I am wondering is exactly what security risk does an ssh tunnel pose? I thought you used an ssh tunnel to enhance security, not the other way around. Can someone give me a reason why it is a risk to leave this open or give me good arguments that I can forward to IT for why they should not prohibit tunneling?
>
> Thanks,
> David
>
> --
> David M. Kaplan
> Charge de Recherche 1
> Institut de Recherche pour le Developpement
> Centre de Recherche Halieutique Mediterraneenne et Tropicale
> av. Jean Monnet
> B.P. 171
> 34203 Sete cedex
> France
> Phone: +33 (0)4 99 57 32 27
> Fax: +33 (0)4 99 57 32 95
> http://www.ur097.ird.fr/team/dkaplan/index.html
Re: Disable SSH authentication
> You don't at all need to have a user account with telnet. As you said it's an I/O redirection through sockets, so you can have written a perl script or a C program (or anything really that can listen on sockets) that listens on a specified port, and interprets commands sent to it through a telnet client connecting to that port.

You are only talking from the client point of view. Obviously you can connect a telnet client to every server you want, but in case you want a telnet session (in order to have a console for running commands) you connect the telnet client to the telnet server, which asks you for authentication (user/pass). If you connect a telnet client to a perl script or a C program or something that listens on sockets you are saying the same as me!! Netcat is that server that listens on sockets. And in my case I also use netcat as a client instead of a telnet client!

C
Re: Disable SSH authentication
> ... so that we don't need to either provide user account ...

That is what chaoson said! With rsh you must provide user and password on the remote host! Also like telnet! I remind all of you that rsh or telnet are an input/output redirection of a console through sockets!!

cheers

2008/10/14 Kosala Atapattu [EMAIL PROTECTED]:

> running commands with Netcat... even weirder
>
> This is not the answer to your question. Maybe you can try good old rsh with the hosts.allowed... In some internal networks (within the same net zone) I have used that a lot... where security is not much of a concern.
>
> Kosala
>
> 2008/10/14 Christian Grunfeld [EMAIL PROTECTED]:
>
>> Hi,
>>
>> strange question in a ssh discussion list! Maybe you can use netcat on both sides with standard input and output redirected from/to a console.
>>
>> Cheers
>> Christian
>>
>> 2008/10/13, chaoson [EMAIL PROTECTED]:
>>
>>> Hi,
>>>
>>> I'm running openssh-4.3p2. I need the ability to run a command on a trusted machine remotely. So far as I know, we can use two ways to login to a remote machine: 1) Provide user name and password 2) Public key authentication. My question is: can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea?
>>>
>>> Thanks
>
> --
> Kosala
> Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.
> blog.kosala.net
> www.linux.lk/~kosala/
> www.kosala.net
Re: Disable SSH authentication
As simple as:

server side: nc -l -p 1234 -e /bin/bash
client side: nc destination ip 1234

cheers!

2008/10/14 Kosala Atapattu [EMAIL PROTECTED]:

> running commands with Netcat... even weirder
>
> This is not the answer to your question. Maybe you can try good old rsh with the hosts.allowed... In some internal networks (within the same net zone) I have used that a lot... where security is not much of a concern.
>
> Kosala
Re: Disable SSH authentication
Hi,

strange question in a ssh discussion list! Maybe you can use netcat on both sides with standard input and output redirected from/to a console.

Cheers
Christian

2008/10/13, chaoson [EMAIL PROTECTED]:

> Hi,
>
> I'm running openssh-4.3p2. I need the ability to run a command on a trusted machine remotely. So far as I know, we can use two ways to login to a remote machine: 1) Provide user name and password 2) Public key authentication. My question is: can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea?
>
> Thanks
Re: Deliberately create slow SSH response?
Hi,

I remember a long time ago I brought up a discussion about incremental delays on ssh login failures. I think it would be a very good solution if it is made by means of power-of-2 second increments between failed logins. But no one liked my suggestion.

Cheers
Christian

2008/7/10 Sergio Castro [EMAIL PROTECTED]:

> Sure, by logic the attack will slow down. It won't prevent continuous attacks though. So my suggestion is, if the service is used only by certain IPs, then filter all others.
>
> -----Original Message-----
> From: Fromm, Stephen (NIH/NIMH) [C] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 10, 2008 12:51 p.m.
> To: Sergio Castro; Zembower, Kevin; secureshell@securityfocus.com
> Subject: RE: Deliberately create slow SSH response?
>
>> Yes, but if the attacker is coming from one point and takes 30 seconds for each attempt, versus 0.03 seconds...
>>
>> Stephen J. Fromm, PhD
>> Contractor, NIMH/MAP
>> (301) 451-9265
>>
>> -----Original Message-----
>> From: Sergio Castro [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, July 09, 2008 1:15 PM
>> To: 'Zembower, Kevin'; secureshell@securityfocus.com
>> Subject: RE: Deliberately create slow SSH response?
>>
>>> The brute force attacks are most likely automated, so if your objective is to bore a human to death with 30 second delays, it won't work. Have you thought about limiting access to the service to only certain IPs?
>>>
>>> - Sergio
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zembower, Kevin
>>> Sent: Wednesday, July 09, 2008 11:56 a.m.
>>> To: secureshell@securityfocus.com
>>> Subject: Deliberately create slow SSH response?
>>>
>>>> This might seem like a strange question to ask, but is there a way to deliberately create a slow response to an SSH request? I'm annoyed at the large number of distributed SSH brute-force attacks on a server I administer, trying to guess the password for 'root' and other accounts.
>>>>
>>>> I think that my server is pretty secure; it doesn't allow root to log in through SSH, only a restricted number of accounts are allowed SSH access, with I think pretty good passwords. But still, the attempts annoy me. I wouldn't mind if SSH took say 30 seconds to ask me for my password. This would slow the attempts. Is there any way to configure OpenSSH to do this? I searched the archives of this group with 'slow' and 'delay' but didn't come up with anything on this topic. Please point it out to me if I overlooked anything.
>>>>
>>>> In addition, I can limit the number of SSH connections to 3-5 and still operate okay. Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under RHEL ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.
>>>>
>>>> Thanks in advance for your advice and suggestions.
>>>>
>>>> -Kevin
>>>>
>>>> Kevin Zembower
>>>> Internet Services Group manager
>>>> Center for Communication Programs
>>>> Bloomberg School of Public Health
>>>> Johns Hopkins University
>>>> 111 Market Place, Suite 310
>>>> Baltimore, Maryland 21202
>>>> 410-659-6139
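As an added illustration (not code from this thread, from the "a GOOD idea to harden OpenSSH!" thread above, or from OpenSSH) of the two proposals discussed in both: a per-source throttle that applies either nagygabor88's fixed pre-prompt delay or Christian's doubling delay per consecutive failure, plus a helper that counts how many guesses a robot that always fails gets within a time window. The cap, the reset window and keying by source address are assumptions.

```python
from collections import defaultdict

# Added example (not OpenSSH code, not from the thread): a model of a fixed
# pre-prompt delay and of a power-of-2 delay per consecutive failure, so the
# effect on a guessing robot can be measured. Names and caps are assumptions.

MAX_DELAY = 300      # cap: a human who fat-fingers a burst is not locked out for days
RESET_AFTER = 3600   # forget a source's failure count after an hour of quiet


class LoginThrottle:
    def __init__(self, base_delay=2, max_delay=MAX_DELAY, reset_after=RESET_AFTER):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.reset_after = reset_after
        self.failures = defaultdict(int)  # source -> consecutive failed logins
        self.last_seen = {}               # source -> time of the last failure

    def delay_for(self, source, now):
        """Seconds this source must wait before the next prompt is shown.

        First attempt is instant; after N consecutive failures the wait is
        base_delay * 2^(N-1) (2, 4, 8, 16, ... s), capped at max_delay.
        With max_delay == base_delay this degenerates to a fixed delay."""
        n = self.failures.get(source, 0)
        if n == 0:
            return 0
        if now - self.last_seen[source] > self.reset_after:
            self.forget(source)
            return 0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def record(self, source, success, now):
        """Update the per-source state after an authentication attempt."""
        if success:
            self.forget(source)
        else:
            self.failures[source] += 1
            self.last_seen[source] = now

    def forget(self, source):
        self.failures.pop(source, None)
        self.last_seen.pop(source, None)


def guesses_in_window(throttle, source, window_seconds):
    """Number of password guesses one source that fails every time can make
    within window_seconds: the figure that matters against a robot."""
    now, count = 0, 0
    while True:
        wait = throttle.delay_for(source, now)
        if now + wait > window_seconds:
            return count
        now += wait
        count += 1
        throttle.record(source, False, now)


if __name__ == "__main__":
    src = "203.0.113.9"  # constructed sample source address
    fixed = guesses_in_window(LoginThrottle(base_delay=2, max_delay=2), src, 600)
    doubling = guesses_in_window(LoginThrottle(base_delay=2), src, 600)
    print("10 min of guessing: fixed 2 s delay -> %d, doubling delay -> %d" % (fixed, doubling))
```

With a fixed 2-second delay a single source still gets about 300 guesses in ten minutes; with the doubling delay it gets 9, which is the difference Christian is pointing at.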
Re: SSH VPN trouble
Hi,

the network should be the same on both ends but the tunnel interfaces should be different.

2008/7/7 László Monda [EMAIL PROTECTED]:

> Hi List,
>
> I'm trying to build an SSH VPN based on the https://help.ubuntu.com/community/SSH_VPN Ubuntu howto, but can't get it done. After setting up the VPN and trying to connect to the remote host, which is now on my virtual network, I realize that I actually connect to localhost. This may be because the remote network and the local network are both 192.168.1.0/8. Do the network addresses of the networks in question need to differ?
>
> Thanks in advance!
>
> --
> Laci
> http://monda.hu
Re: issue with transferring text files from windows to *INX using scp/sftp
What I do is %s/\r//g in vi or sed to remove the trailing CRs

Cheers
Christian

2008/2/12, Russell Millard Oliver [EMAIL PROTECTED]:

> SFTP does not handle ascii files, you'll need to do it in your client. Depending on which client you are using, there is probably a setting to tell it to transfer ascii files and which files it should consider ascii by extension. If you aren't moving the standard .txt files, then add your extension to that list. I noticed that some clients, like Filezilla, don't convert the files like it seems they should. WinSCP works well for that.
>
> Good luck,
> Russ
>
> -----Original Message-----
> From: Mike Li [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 11, 2008 3:13 PM
> To: secureshell@securityfocus.com
> Subject: issue with transferring text files from windows to *INX using scp/sftp
>
>> HI:
>>
>> Each line of text files transferred from windows to *INX using scp/sftp contains Control-M characters. It is a pain to run dos2unix utils when there are a few hundred files. I did not experience the issue when using ftp to transfer files from windows to *INX systems. Is there a switch or ssh_config configuration setting to suppress the Control-M during transfer?
>>
>> Thank you
>> Mike
Re: Negated patterns in AllowedUsers
Hi,

for the root user it is quite easy. Just put PermitRootLogin no in sshd_config. This only allows you to log in through the local console.

Christian

2007/9/2, Radek Hladik [EMAIL PROTECTED]:

> Hi,
>
> I am a little bit confused about pattern behavior when used in the AllowedUsers directive. I am trying to limit root logins to localhost. First I tried
>
>     AllowedUsers [EMAIL PROTECTED] !root
>
> which should enable root from localhost and all non-root users from anywhere. However the username part is matched with the match_pattern function and this function does not take ! into account (see func match_user in match.c). Secondly I tried
>
>     DenyUsers [EMAIL PROTECTED]
>
> which should deny root when logging in from anywhere but localhost. Function match_host_and_ip does call match_hostname which calls match_pattern_list. But if the match_hostname function returns -1, which means a match was found and negation was requested, match_host_and_ip returns false as if there were no match. In fact at least one _positive_ match is required to return true:
>
>     /* negative ipaddr match */
>     if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
>         return 0;
>     /* negative hostname match */
>     if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
>         return 0;
>     /* no match at all */
>     if (mhost == 0 && mip == 0)
>         return 0;
>     return 1;
>
> Is there any reason for such a behavior? And is there any other way to limit root to localhost in sshd? I know I can limit it e.g. via pam_access but I would expect sshd to be able to do it.
>
> Radek Hladik
>
> P.S. Version of OpenSSH is openssh-4.5p1
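A Python rendering, added here and not the OpenSSH source, of the match.c logic Radek quotes: match_pattern_list returns -1 on a negated hit and 1 only when some pattern matches positively, so a list made only of negations never produces a match, and the usual remedy is a trailing wildcard that supplies the positive match. The glob matcher, the lower-casing and the way DenyUsers entries are applied are simplifications assumed for the example.

```python
import fnmatch

# Added example: a simplified Python model of the OpenSSH match.c functions the
# thread discusses (match_pattern, match_pattern_list, match_host_and_ip,
# match_user). It reproduces the semantics described there; it is not sshd code.


def match_pattern(s, pattern):
    """Glob match of one pattern (* and ?); no '!' handling, like match_pattern()."""
    return fnmatch.fnmatchcase(s, pattern)


def match_pattern_list(s, patterns):
    """Comma-separated list: -1 on a negated match, 1 on a positive match, else 0.
    A negated hit wins immediately; without a positive hit the result stays 0."""
    got_positive = 0
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if match_pattern(s, pat):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def match_host_and_ip(host, ipaddr, patterns):
    """Mirrors the snippet quoted in the thread: any negative hit, or no
    positive hit on either the address or the name, yields 0."""
    patterns = patterns.lower()
    mip = match_pattern_list(ipaddr.lower(), patterns)
    if mip == -1:
        return 0
    mhost = match_pattern_list(host.lower(), patterns)
    if mhost == -1:
        return 0
    if mhost == 0 and mip == 0:
        return 0
    return 1


def match_user(user, host, ipaddr, pattern):
    """One AllowUsers/DenyUsers entry: 'user' or 'user@hostpatterns'.
    The user part goes through match_pattern, so '!' is NOT special there."""
    if "@" not in pattern:
        return 1 if match_pattern(user, pattern) else 0
    upat, hpat = pattern.split("@", 1)
    if not match_pattern(user, upat):
        return 0
    return match_host_and_ip(host, ipaddr, hpat)


def denied(user, host, ipaddr, deny_users):
    """True if any whitespace-separated DenyUsers entry matches this login."""
    return any(match_user(user, host, ipaddr, p) == 1 for p in deny_users.split())
```

Run against a constructed remote address such as 203.0.113.5, `DenyUsers root@!localhost` denies nobody, while `DenyUsers root@!localhost,*` denies root everywhere except from localhost.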
Re: Connect with null passphrases
hi,

just do ssh-keygen -t rsa on the client and copy the resulting file to .ssh/authorized_keys2 on the server

Christian

2006/12/6, John Stefani [EMAIL PROTECTED]:

> Hello Everybody,
>
> I have some cron jobs that use ssh (version 4.4p1) to connect to other servers and run certain tasks. The users in question sometimes are real users, sometimes fictitious users that I created only for running the cron job. I changed the password field of /etc/shadow to *NP* for the fictitious users on the servers the cron jobs connect to, and all works happily.
>
> Here's my problem: those servers to which the cron job tries to connect as a real user, who has a real password, do not allow ssh connections with null passphrases. I can't set the password field in /etc/shadow to *NP* because sometimes I have to connect as the real user. Does someone know how I can connect automatically to a server, using ssh, as a user that has a password, but with a null passphrase?
>
> Hope the above was not too confusing... Absolutely any thoughts or workarounds will be much appreciated.
>
> John Stefani
> jstefani _at_ yorku.ca
Re: Decrypting an ssh session knowing the private key?
Public/private keys are only used for authentication at connection start. During communication the data is encrypted with another key.

2006/10/5, Jeff Sadowski [EMAIL PROTECTED]:

> I would like to write a program that could decrypt ssh communication by using the private key of the server computer. This should be possible right? And I should be able to use libraries that openssh has already written. In fact the majority of the code should already be written right? I should just need to send a packet with the private key to a function right?
Re: Need some education: Man-in-the-Middle Attacks
Hi,

That is why CAs (certification authorities) exist!! They are trusted third parties! They maintain a database with the public keys of the entities they are confident of. The CA issues certificates signed by itself granting identities!

Cheers
Christian

2006/8/30, Mark Senior [EMAIL PROTECTED]:

> On 8/29/06, Christ, Bryan wrote:
>
>> All,
>>
>> Please pardon my naivete. I was looking at the diagram on the URL listed below and contemplating how host fingerprinting prevents MITM attacks.
>>
>> http://www.vandyke.com/solutions/ssh_overview/ssh_overview_threats.html
>>
>> So my question is this... Given the illustration in the URL above, what prevents Eve from *first* contacting Alice to obtain a fingerprint which then gets passed to Bob on the first connection attempt?
>
> The server passes the client its public key; the client generates a fingerprint of this public key, and verifies that it matches a known one from previous connections. Eve can pass Alice's public key to Bob, but she doesn't possess Alice's private key, so she has no way to interfere further with the communications (beyond tampering at a network level - introducing delay, dropping the connection, etc.)
>
> Only if Eve gets in the way of the very first connection attempt can she pass her own public key off as Alice's, without Bob detecting it. On the first connection, he'd have to either trust what he sees, or verify the fingerprint offline somehow. On subsequent connections, the mismatch would be obvious.
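The client-side check Mark describes, written out as an added example (not from the thread and not OpenSSH code): it fingerprints an OpenSSH public key line the way ssh-keygen -l does and compares the key a server presents against known_hosts entries, including hashed host names, returning ok, MISMATCH or unknown. The host names, addresses and key material are constructed stand-ins; the ed25519 blob is built only to have a well-formed key to hash.

```python
import base64
import hashlib
import hmac

# Added example, not from the thread and not OpenSSH code: fingerprint a public
# key line and check a presented host key against known_hosts (plain and
# hashed host fields). All keys and hosts below are constructed stand-ins.


def fingerprint(key_line):
    """Return ('SHA256:<base64>', 'aa:bb:...') for a 'type base64 [comment]' line.
    The MD5 colon form is what clients of the thread's era displayed."""
    blob = base64.b64decode(key_line.split()[1])
    sha = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def host_matches(entry_host, host):
    """known_hosts host field: comma-separated names, or '|1|salt|mac' with
    mac = HMAC-SHA1(salt, hostname), as written by HashKnownHosts yes."""
    if entry_host.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry_host.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in entry_host.split(",")


def check_known_host(known_hosts, host, presented_key_line):
    """'ok': the key on file matches. 'MISMATCH': a key of the same type is on
    file but differs (man-in-the-middle or a re-keyed host: verify out of band
    before continuing). 'unknown': first contact, so the fingerprint has to be
    confirmed through something other than this connection."""
    ptype, pkey = presented_key_line.split()[:2]
    seen_other = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 3:
            continue
        ehost, etype, ekey = fields[:3]
        if etype != ptype or not host_matches(ehost, host):
            continue
        if ekey == pkey:
            return "ok"
        seen_other = True
    return "MISMATCH" if seen_other else "unknown"


def sample_key_line(seed, comment):
    """Constructed ssh-ed25519 line: length-prefixed type string plus a 32-byte
    value standing in for the curve point. Not a usable key."""
    point = hashlib.sha256(seed).digest()
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + point
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def hashed_entry(host, key_line, salt=b"\x01" * 20):
    """Build a hashed known_hosts line for host (fixed salt for determinism)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    field = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return field + " " + " ".join(key_line.split()[:2])


ALICE_KEY = sample_key_line(b"alice host key", "root@alice")  # constructed
EVE_KEY = sample_key_line(b"eve host key", "root@eve")        # constructed
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts: one plain entry, one hashed entry",
    "alice.example,203.0.113.10 " + " ".join(ALICE_KEY.split()[:2]),
    hashed_entry("bob.example", ALICE_KEY),
])
```

On the first contact with a host the function can only say "unknown", which is exactly the window Mark describes: the fingerprint has to be compared against a value obtained out of band (or, as Christian suggests, vouched for by a CA) before the key is recorded.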