home.social

#openssh — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #openssh, aggregated by home.social.

  1. @RuntimeArguments @jammcq @YesJustWolf

    I've been a user since 1984, and spent my working life developing flavors of Unix and now . I listened to this episode over the past couple of days. I'm a long time user of One point of confusion and a few points that I learned.

    When talking about the origins of you talked about but didn't explain how it related to OpenSSH. Was OpenBSD involved in the creation of OpenSSH? It could have used explanation.

    1/2

  2. Did a new release of ssh-tpm-agent.

    github.com/Foxboron/ssh-tpm-ag

    `ssh-tpm-add` now supports `-c` for confirmation dialogs before key usage, along with a nice process chain. Thanks to @mic92

    #TPM #Security #OpenSSH #SSH

  7. 🕵🏻‍♂️ [InfoSec MASHUP] - This week's news cycle handed us the usual parade of breaches, arrests, and patch-your-stuff urgency — but if you squint at the #Malware section long enough, a more uncomfortable story emerges. #SAP-related npm packages backdoored with a credential stealer. A popular #PyPI package hijacked via a forged signed release pushed through a compromised GitHub Actions workflow. Seventy-three "sleeper" extensions quietly sitting in #OpenVSX, waiting. The common thread: attackers aren't breaking down the front door anymore. They're walking in through the tools developers use every day, often with a valid signature and a clean commit history.

    What makes this particularly fun — in the way a slow-motion disaster is fun — is that the blast radius isn't just the developer who ran pip install. It's every downstream user, every CI/CD pipeline, every AI coding agent that helpfully executed the preinstall hook without asking questions. The supply chain isn't a niche threat vector reserved for nation-state ops anymore. It's where commodity attackers are increasingly playing, because it scales beautifully and the detection gap remains embarrassingly wide.

    → Week #18/2026 also covers: Supply chain attackers found the path of least resistance, #OpenSSH patched a bug older than most junior devs, and #Europe is done pretending U.S. #cloud is a neutral choice.

    Full issue 👉 infosec-mashup.santolaria.net/

    If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI

  8. *Root in 20 minutes: critical security vulnerability in #openssh, workaround guide without an update*
    In the last 15 years there have been numerous versions of OpenSSH. A serious #sicherheitslucke affects this remote access software. Under certain conditions, attackers could gain unhindered root access to affected servers. Here we describe a #Workaround solution for all administrators who are not performing an update
    raidrush.net/threads/root-in-2

  13. This really was an incredible story of how everything can sometimes hinge on something so small.

    Remember to support the people who do things in their own free time, for their own enjoyment and that of others. Often selflessly. ❤️

    youtu.be/aoag03mSuXQ

    #OpenSSH #XZ #LasseCollin

  14. An excellent video giving strong arguments why every single country should have a @sovtechfund like organization. Or better, an EU agency, in our case.

    The Internet Was Weeks Away From Disaster and No One Knew
    youtu.be/aoag03mSuXQ?si=vbfi9g

    #OpenSource #DigitalSovereignty #Internet #Sustainability #Linux #GNU #openssh #xz

  15. Clearly not everything can be done with #SSH 😜

    Here testing "sudo sshd -t" to check the syntax of the server configuration file.

    New content is coming on #JuncoTIC, can you tell? 😉

    #gnu #linux #openssh #sshd #humor #lol

  20. Just learned about the existence of #PuttyCAC and that (supposedly) the Putty project rejected implementing OpenSC smartcard support.

    So now the only way you can use a smartcard (aka. a yubikey) for SSH authentication with #FileZilla and/or #WinSCP is to use it as both still do NOT support #OpenSSH agent but only the Putty Pageant.

    So if anyone else is looking for a way to use their smartcard with WinSCP or FileZilla, install OpenSC, reboot, install Putty-CAC, start Putty-CAC's Pageant.

  21. The #nosh Guide has a guide/virtual-terminal-login.html chapter on virtual terminal login, showing how all of the pieces fit together in such scripts, which bits are collectively what ttymon(1M) used to do and which bits are collectively what login(1M) used to do.

    The same tools can be put together in other ways for other purposes. See the guide/login-conf.html chapter for how they can improve SSH by giving you ~/.login_conf support, for example.

    #OpenSSH #getty #ttymon #login

  22. @clacke Yes and no…
    Instead of the overhead of containers, my 'jump' machines bind specific keys to the ssh commands that do the specifically authorized next hops and (where possible) restrict to specific client IPs. The OS of those machines is only accessible over a VPN or (for some VMs) a tightly secured web interface that has VNC over WebSockets inside a private network to their virtual consoles.

    #infosec #bastion #jumphost
    #ssh #sshd #OpenSSH
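One way to audit the key pinning this reply describes (every jump-host key bound to a forced `command=`, pinned with `from=`, and stripped of pty/forwarding via `restrict`), as an added example that is not the poster's own code; the small authorized_keys parser and the sample file are constructed here, and the key blobs are placeholders:

```python
REQUIRED = (("command", "no forced command"), ("from", "no source address pin"),
            ("restrict", "pty/forwarding/agent not disabled"))

def split_unquoted(s, seps, maxsplit=-1):
    """Split s at characters in seps that lie outside double quotes."""
    out, cur, quoted, skip = [], [], False, False
    for ch in s:
        if skip:                        # char after a backslash inside quotes
            skip = False
        elif ch == "\\" and quoted:
            skip = True
        elif ch == '"':
            quoted = not quoted
        elif ch in seps and not quoted and maxsplit != 0:
            out.append("".join(cur))
            cur, maxsplit = [], maxsplit - 1
            continue
        cur.append(ch)
    out.append("".join(cur))
    return out

def parse_entry(line):
    """Return (options, label) for a key line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, rest = "", line
    if not line.startswith(("ssh-", "ecdsa-sha2-", "sk-")):   # option prefix
        parts = split_unquoted(line, " \t", 1) + [""]          # ends at unquoted blank
        opts, rest = parts[0], parts[1].lstrip()
    fields = rest.split(None, 2)        # keytype, key blob, optional comment
    if len(fields) < 2:
        return None
    options = [o for o in split_unquoted(opts, ",") if o]
    return options, (fields[2] if len(fields) > 2 else fields[0])

def audit(text):
    """Return (label, [problems]) for every key that is not fully pinned."""
    findings = []
    for raw in text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        names = {o.split("=", 1)[0].lower() for o in entry[0]}
        problems = [msg for opt, msg in REQUIRED if opt not in names]
        if problems:
            findings.append((entry[1], problems))
    return findings

# Constructed sample; the key blobs are placeholders, not real public keys.
SAMPLE = """restrict,from="10.0.5.0/24",command="ssh db1.internal" ssh-ed25519 AAAAC3placeholder1 alice@laptop
command="ssh hop2",no-pty ssh-ed25519 AAAAC3placeholder2 bob@desk
ssh-rsa AAAAB3placeholder3 legacy-admin
"""
```

Running `audit(SAMPLE)` reports bob's key (no `from=`, no `restrict`) and the bare legacy key (nothing pinned), while alice's fully pinned key passes.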

  27. When you have an ssh jumphost, the trivial setup is one that conflates OS access and application access.

    The application is ssh, providing the jump to the privileged network, but ssh also allows OS access, potentially allowing privilege escalation within the jumphost.

    Are people taking this seriously and e.g. running an unprivileged sshd inside a container? Access the OS over port 22 to the privileged sshd, restricting that to the segregated admin network, access the jumping over port 2222 and minimize the attack surface on the outer host?

    #infosec #bastion #jumphost
    #ssh #sshd #OpenSSH

  32. Today I've learned that I don't need coder. I am now deploying an #ubuntu container from a #Dockerfile with an #openssh #server installed. This is a much better setup. Nearly every #Codeeditor supports #ssh workspaces so I'm not limited.

    But the best thing about this setup is that it is very easy to automate using #Ansible.

    I've used the same approach to set up #kali #linux environments months ago and should have stuck with that. It just works.

    #clouddevelopment #clouddeveloperenvironments #docker #programming #coding #selfhosting #homelab #automation #coder

  33. Who else got tripped up by the new security settings in sshd (openssh) recently?

    * PerSourcePenalties
    * PerSourcePenaltyExemptList

    Anyone else notice that Android devices seem to trip these up specifically? Haven't dug into traces yet.

    #Linux #ssh #openssh #sshd #Android

  36. On OpenSSH's security mechanisms: analyzing the 2024 vulnerabilities

    Last year was an interesting one for SSH. In spring, the backdoor in xz-utils (CVE-2024-3094), whose exploitation compromised systems running systemd. In July, a critical race-condition vulnerability in glibc-based systems, dubbed regreSSHion. A week later a similar issue was published, assigned the identifier CVE-2024-6409. And in August yet another one, this time specific to FreeBSD, CVE-2024-7589. According to the researchers, successful exploitation of these race conditions yields RCE (remote code execution) on affected systems. Moreover, regreSSHion is the main bug putting the security of many glibc-based SSH servers at risk. Interestingly, exploiting the vulnerability does not require any special server configuration (the problem also applies to the default configuration). At the same time, there is still no public PoC. We decided to look into the question: are these race conditions really that scary, really that critical? And which mechanisms in sshd are meant to prevent exploitation of this vulnerability, or at least reduce the damage in the event of a successful attack?

    habr.com/ru/companies/pt/artic

    #openssh #fsop #glibc #rce #seccomp #regression #состояние_гонки #freebsd #github #malloc

  37. Another set of sshd-openpgp-auth and ssh-openpgp-auth releases is out:
    This server and client-side tooling for managing the #authentication of #SSH host keys with the help of an #OpenPGP #certificate as trust anchor is now feature complete.
    crates.io/crates/sshd-openpgp-
    crates.io/crates/ssh-openpgp-a
    Many thanks to @wiktor for the great collaboration and #NLnet / #NGIAssure for funding this work!
    #DNS #KeyOxide #KnownHosts #OpenSSH #PGPKI #Rust #Rustlang #Software #SSH #WebKeyDirectory #WebOfTrust #WKD #WoT

  38. We have just issued the first #release of #sshd-openpgp-auth and #ssh-openpgp-auth.

    Using this server and client-side tooling it is possible to manage the #authentication of #SSH host keys with the help of an #OpenPGP certificate as trust anchor.

    crates.io/crates/sshd-openpgp-

    crates.io/crates/ssh-openpgp-a

    Many thanks to @wiktor for the great collaboration and #NLnet / #NGIAssure for funding this work!

    #DNS #KeyOxide #KnownHosts #OpenSSH #Rustlang #Software #WebKeyDirectory #WebOfTrust #WKD #WoT

  39. "⚠️ OpenSSH Flaw: Potential for Remote Command Execution ⚠️"

    A now-patched flaw in OpenSSH could be potentially exploited to run arbitrary commands remotely on compromised hosts. Stay informed!

    Source: [The Hacker News](thehackernews.com/)

    Tags: #OpenSSH #Flaw #RemoteCommandExecution #CyberSecurity #PatchUp 💻🔐