greggyb, 1 month ago to linux

Security vulnerability in #SSH #openssh on #linux

Affected distros definitely include Fedora 41 and Rawhide and Debian testing and Debian sid.

Report and distro info below.

https://www.openwall.com/lists/oss-security/2024/03/29/4

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

https://lists.debian.org/debian-security-announce/2024/msg00057.html

CVE assigned by Redhat (not up to date yet): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094

uncanny_static, 1 month ago to openSUSE

Unfortunately, openSUSE Tumbleweed already includes version 5.6.1 of liblzma. Hence, if you are using Tumbleweed, your system might already be affected.
https://www.openwall.com/lists/oss-security/2024/03/29/4
#openSUSE #Linux #liblzma #lzma #xz #ssh #infosec

scy, 1 month ago to random

Eek. Apparently liblzma (part of the xz package) has a backdoor in versions 5.6.0 and 5.6.1, causing SSH to be compromised.

https://www.openwall.com/lists/oss-security/2024/03/29/4

This might even have been done on purpose by the upstream devs.

Developing story, please take with a grain of salt.

The 5.6 versions are somewhat recent, depending on how bleeding edge your distro is you might not be affected.

#liblzma #xz #lzma #backdoor #ITsecurity #OpenSSH #SSH

hko, 1 month ago to linux

The new "Simple standalone #SSH Agent for #OpenPGP cards" (https://crates.io/crates/openpgp-card-ssh-agent) is now available as a package for #Arch Linux, by the way :arch: 😏

This agent offers a frictionless UX when using ssh with keys that are stored on OpenPGP card devices: No more ongoing PIN entry required! 🚀

@dvzrv has once again done amazing packaging and documentation work! 🥳 Thank you 😃

See https://wiki.archlinux.org/title/SSH_keys#OpenPGP_card_ssh-agent for details.

#rustlang #rust #openssh #hsm #pgp #gpg #gnupg #archlinux #linux

hko, 1 month ago to linux

I just released https://crates.io/crates/openpgp-card-ssh-agent version 0.3.0, a new #SSH agent for #OpenPGP card users.

This agent makes ssh with OpenPGP card devices friction-less: No more ongoing PIN entry!

This release adds full support for Windows, based on amazing work by @wiktor 🥳

This version supports #Linux, #MacOS and #Windows equally.

If anyone with a background in MacOS or Windows packaging is interested in packaging this, we'd love to hear from you!

#rustlang #rust #openssh #hsm #pgp #gpg #gnupg

hko, 1 month ago to rust

I just released https://crates.io/crates/openpgp-card-ssh-agent version 0.2.4, a new #SSH agent for #OpenPGP card users.

This version comes with substantial updates to the openpgp-card-state dependency (which handles User PIN storage for OpenPGP card devices, see https://codeberg.org/openpgp-card/state).
It now supports selecting different PIN storage backends, including one to store the User PIN directly in the config file.

PIN verification error cases are now handled more defensively

#rustlang #rust #openssh #hsm #pgp #gpg #gnupg

michaelabon, 2 months ago to random

Storing your SSH keys in 1Password? Now you can export them in multiple formats!

"Wait, SSH keys in 1Password?" you ask...

Yeah, 1Password’s SSH agent can fill, use, generate, sync, and sign your #git commits using your #SSH key.

For more deets: https://developer.1password.com/docs/ssh/manage-keys#export-an-ssh-key
#1Password

darkcisum, 2 months ago to windows

Ever wanted to use SSH to setup a Windows machine? Starting with Windows 10 it's actually fairly easy to enable.
I wrote down the steps I've used: https://duerrenberger.dev/blog/2024/03/12/using-openssh-server-on-windows/

#ssh #openssh #windows #windows10 #windows11 #ansible

Codeberg, 2 months ago to random

There is one thing that annoys me about #Codeberg, but I was too lazy to tell …

… until today! Please let us know in the comments.

bortzmeyer, 2 months ago to random French

Good morning, Brisbane! First "real" day of #IETF119. https://www.ietf.org/how/meetings/119/

We start with the new "all dispatch" session: new job which does not know where it fits and has to be dispatched somewhere in the large IETF.

tk, 2 months ago to random

Any suggestions for getting TCP forwarding working via #SSH? I’m getting errors like this:

refused local port forward: originator 127.0.0.1 port 49673, target 127.0.0.1 port 443

The sshd -T output suggests that it should work:

$ grep -i 'forward|permitopen' full-sshd-config
x11forwarding no
allowtcpforwarding yes
allowagentforwarding yes
disableforwarding no
allowstreamlocalforwarding yes
permittunnel no
permitopen 127.0.0.1:443

(The host is pretty locked down, which is why I have the PermitOpen directive instead of allowing all forwarding.)

#Linux

hko, 2 months ago to rust

I just released https://crates.io/crates/openpgp-card-ssh-agent version 0.2.3, a new #SSH agent for #OpenPGP card users.

This version fixes some bugs in the handling of RSA keys.

#rustlang #rust #openssh #hsm

hko, 2 months ago to rust

I just released https://crates.io/crates/openpgp-card-ssh-agent version 0.2.2, a new #SSH agent for #OpenPGP card users.

This release shows more output for error cases, both in the log output, and with GUI notifications.

I also published an updated version 0.0.3 of https://crates.io/crates/openpgp-card-state, which contains a low-level CLI tool to help with debugging/development. This version gives more debugging output for error cases.

#rustlang #rust #openssh #hsm

pkw, 2 months ago to random

<enter> ~ .

The escape sequence to unstick a hung ssh session w/o killing your terminal window.

I just used it for the first time w/o having to look it up 😎

#ssh

hko, 2 months ago to rust

I just released https://crates.io/crates/openpgp-card-ssh-agent version 0.2.1, a new #SSH agent for #OpenPGP card users.

This release should fix build issues (the previous version didn't build on mac).

However, we're still exploring how secret storage works on non-Linux platforms. Expect a bumpy ride if you try it.
(If you do delve into debugging on mac or windows, we'd love to hear from you!)

#OpenSSH #rust #rustlang #HSM #nitrokey #Yubikey

adamsdesk, 2 months ago (edited 2 months ago) to GNOME

How to Fix GNOME Keyring v46.1 Missing SSH_AUTH_SOCK

How to solve the missing SSH_AUTH_SOCK when using GNOME Keyring with an secure shell (SSH) keys agent such as KeePassXC, ssh-agent or gpg-agent.

https://www.adamsdesk.com/posts/fix-gnome-keyring-ssh-auth-sock/

#ssh #GNOME #ArchLinux #linux #SSHAgent #KeePassXC @keepassxc #gpgagent

governa, 2 months ago to linux

How to Set up #SSH Key Authentication on #Linux

https://www.rosehosting.com/blog/how-to-set-up-ssh-key-authentication-on-linux/

royalapps, 2 months ago to devops

🎉 We just released a new version of Royal TS for Windows 🔥

👀 Check out what's new: https://www.royalapps.com/go/kb-ts-win-v7-releasenotes
👉 Download link: https://royalapps.com/ts/win/download

#devops #itadmin #remotemanagement #RDP #msrdp #remotedesktop #Azure #bastion #SSH #terminall #VNC

czottmann, 2 months ago to macos German

TIL about Secretive, "an app for storing and managing SSH keys in the [Mac’s] Secure Enclave”. It has no external dependencies and comes with a #macOS native management app. Nice!

https://github.com/maxgoedjen/secretive

/via @jan_j

#security #ssh #TouchID

hko, 2 months ago to rust

I just released https://crates.io/crates/openpgp-card-ssh-agent version 0.2.0, an #SSH agent for #OpenPGP card users.

It contains exciting UX changes: after one-time initial setup, no user interaction is required.

The User PIN for cards is persisted in platform-specific secret storage. For all users whose threat model allows persisting PINs on the host (presumably most), this removes pin entry.

Required touch confirmation on the card (if enabled) is signaled with desktop notifications.

#OpenSSH #Rust #rustlang #HSM

kubikpixel, 2 months ago to security

Thank you @Kovah for your detailed article. This shows what the current #SSH keys #security is. Now ALL of us just have to realize and implement this:

«Why and How: Switch from #RSA to #EdDSA / #ED25519 SSH keys»

🔏 https://blog.kovah.de/en/2019/switching-from-rsa-to-eddsa-ec25519/

koehnlein, 2 months ago to security

“Why and How: Switch from RSA to EdDSA/ED25519 SSH keys”

A few months old but still important article by @Kovah https://blog.kovah.de/en/2019/switching-from-rsa-to-eddsa-ec25519/ #ssh #security #rsa #ed25519

vwbusguy, 3 months ago to vim

The good news is, I found a way to sync #vim and #tmux across ssh and sudo sessions.

https://github.com/vwbusguy/dotfiles/

#git #ssh #bash #Linux

vwbusguy, 3 months ago to random

It's 2024 and we still don't have a straightforward way for vimrc to persist across ssh sessions.