openssh-portable
guardian-agent
Our great sponsors
openssh-portable | guardian-agent | |
---|---|---|
39 | 5 | |
2,807 | 433 | |
3.3% | 0.5% | |
9.4 | 0.0 | |
about 18 hours ago | 9 months ago | |
C | Go | |
GNU General Public License v3.0 or later | BSD 3-clause "New" or "Revised" License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
openssh-portable
-
Terrapin Attack for prefix injection in SSH
Unless I'm misunderstanding what this is about RFC5647 merely points out that the sequence number is included as AAD due to RFC4253 requirements. The [email protected] specification is not exactly the most rigorous thing I've ever seen (https://github.com/openssh/openssh-portable/blob/master/PROT...) but reading it, the sequence number is only included in the IV, and not as AAD, which directly runs afoul of the RFC4253 section 6.4 requirement for it to be included in the MAC.
- SSH3: SSH using HTTP/3 and QUIC
-
SSH keys stolen by stream of malicious PyPI and NPM packages
The key layout is described in https://github.com/openssh/openssh-portable/blob/master/PROT... and you can view it pretty easily via
cat private_key_here | head -n -1 | tail -n +2 | base64 -d | xxd
One I created in 2016 is using aes256-cbc with bcrypt for the kdf, which isn't awful at all.
-
Microsoft signing keys were leaked
Interestingly, it looks like ssh-agent disables core dumps[1], but I don't see similar usage for sshd
1: https://github.com/openssh/openssh-portable/blob/694150ad927...
-
An Excruciatingly Detailed Guide to SSH (But Only the Things I Find Useful)
There's a current pull request for adding AF_UNIX support, which should make all kinds of exciting forwarding possible, since it will make it easy to proxy ssh connections through an arbitrary local process which can do anything to forward the data to the remote end.
https://github.com/openssh/openssh-portable/pull/431
-
Project on GitHub - Customizable Arch Linux Podman images based on the official Arch Linux Docker image
OpenSSH server (allows connecting to containers)
-
Funds of every Trust Wallet browser extension could have been stolen
It doesn't, at least not for generic/unmodified cryptographic applications.
WebAuthN signatures are of a very specific challenge/response format that applications need to explicitly support. For example, SSH had to add new key and signature formats [1] to support it.
Theoretically, a blockchain/cryptocurrency application could adopt the WebAuthN signature format as its canonical or an alternative signature format, but I'm not aware of any popular one having done so.
[1] https://github.com/openssh/openssh-portable/blob/master/PROT...
-
We updated our RSA SSH host key
I just tested it and looked at the code briefly; the client fortunately does seem to remove all keys not provided by the server: https://github.com/openssh/openssh-portable/blob/36c6c3eff5e...
It seems like at least a `known_hosts` compromise would be "self-healing" after connecting to the legitimate github.com server once.
- What do you think 1.20 will be called?
-
OpenAI Execs Say They're Shocked by ChatGPT's Popularity
And OpenVAS and OpenSSH and OpenBSD and OpenNN and OpenAFS and on and on and on
guardian-agent
-
Restricting SSH Agent Keys
https://github.com/StanfordSNR/guardian-agent
The problem basically is the current agent forwarding protocol doesn't have a way to reliably identify the source and remote host that can't be spoofed. guardian-agent tries to do that using some extra software, this linked SSH proposal is to add that to SSH but it will require software upgrades even to the sshd of the intermediate and remote hosts - it's not ideal that it can't just work out of the box - but I welcome this we just need to get it done now for later.
I frequently finding myself thinking about adding useful things to software I want to use now and go well it will be years before its on every host I use and can be used reliably. I have had this thought on and off for more than a decade. Ship some new stuff, it'l be great later :D
-
The pitfalls of using SSH-agent, or how to use an agent safely
ObPlug for Guardian Agent, which is basically "safe" ssh-agent forwarding (and works with Mosh and SSH): https://github.com/StanfordSNR/guardian-agent
The basic story is that ssh-agent really just exposes a primitive of "please sign this challenge," which is useful locally, but the protocol wasn't designed to be forwarded. If requests are coming from a semi-trusted intermediary host, the protocol doesn't tell the agent (a) what remote server is being authenticated to [i.e., who generated the challenge?], or (b) what command is going to be executed. It doesn't even really know (c) what (semi-trusted) host has forwarded the challenge?
Guardian Agent is a sort of hack that allows the agent to know (a), (b), and (c) before deciding whether to grant or deny the request, and you can set up policies like, "I'd like to allow `jump host x` to use to run "git pull" when talking to `git server y`, but that's it." The basic ssh-agent protocol just doesn't have enough info to be able to do something like that.
-
Mosh: The Mobile Shell
there is a fork with port forwarding support https://github.com/rinne/mosh and a PR with a long discussion https://github.com/mobile-shell/mosh/pull/696 on why it's not merged
you can compile them yourself or if you want to skip the step I recently set up GitHub actions to compile linux binaries of this [1][2], tested by a sample of 1 so no guarantees it works, was planning on doing a tap PR/tap of it at some point
also the official developers have been involved a project to solve this while improving the whole-agent approval things also https://github.com/StanfordSNR/guardian-agent , but I couldn't get it to work which is why I tried the fork and got that working
[1] https://github.com/gnyman/mosh/actions/runs/1068715036
-
AskReddit: is there such a thing as async SSH that allows for zero latency typing? (explanation in text)
‘mosh’ is amazing for this, although I had to stop using it years ago because it didn’t support key forwarding. Apparently, there’s now a solution for that: https://github.com/StanfordSNR/guardian-agent
What are some alternatives?
gentoo - [MIRROR] Official Gentoo ebuild repository
Mosh - Mobile Shell
wezterm - A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust
muxile - Putting tmux on your mobile - Muxile is a tmux plugin that lets you control a running tmux session with your phone, no app needed.
ssh-mitm - SSH-MITM - ssh audits made simple
mosh - Mobile Shell
mac-ssh-confirm - Protect against SSH Agent Hijacking on Mac OS X with the ability to confirm agent identities prior to each use
DomTerm - DOM/JavaScript-based terminal-emulator/console
ports - Read-only git conversion of OpenBSD's official cvs ports repository. Pull requests not accepted - send diffs to the ports@ mailing list.
OpenSSL - TLS/SSL and crypto library
widecharwidth - public domain wcwidth implementation