ports
openssh-portable
ports | openssh-portable
---|---
14 | 41
475 | 2,817
1.7% | 2.4%
10.0 | 9.4
5 days ago | 6 days ago
Makefile | C
- | GNU General Public License v3.0 or later
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ports
- Wayland on OpenBSD
- Firejail: Light, featureful and zero-dependency security sandbox for Linux
I think OpenBSD comes the closest to what you want with its two easy to use syscalls that provide syscall filtering and restricting access to paths:
https://man.openbsd.org/pledge.2
https://man.openbsd.org/unveil.2
A few random examples:
https://github.com/tmux/tmux/blob/c8494dff7b6b9a996866edaf8c...
https://github.com/openbsd/ports/blob/master/www/mozilla-fir...
https://github.com/openbsd/ports/blob/master/www/mozilla-fir...
To get the best isolation you need to patch the source — the application needs to go through initial setup and then drop privileges to the absolute possible minimum. But it's easy to make custom wrappers for third-party applications — the above profiles taken from the OpenBSD ports tree are the proof.
- Understanding rc.d/
Have you checked the no-ip port: https://github.com/openbsd/ports/blob/master/net/no-ip/pkg/noip2.rc
- OpenBSD: Shutdown/reboot now require membership of group _shutdown
> https://github.com/openbsd/ports/commit/bf33ea5f3ff390d8cde3...
Now, this is surprising. I randomly clicked on that link and I immediately see that the code and the patch have a bug. It only checks the first 8 characters:
- if (gr != NULL && strncmp(gr->gr_name, "operator", 8) == 0)
- Does OpenBSD have temperature monitoring and CPU usage issues?
Some people are working around this by using obsdfreqd, some by patching sys/kern/sched_bsd.c (change if (hw_power) to if (0 && hw_power)), some by simply setting to a lower speed (sysctl hw.perfpolicy=manual and hw.setperf=99 might be enough as this disables turbo mode found on some CPUs).
- How to compile something that requires OpenSSL?
You could also look into a port that has a hard dependency on openssl like: https://github.com/openbsd/ports/tree/master/security/sslscan
- How I would sell OpenBSD as a salesperson
For me it's the ease of management and good documentation.
For example, during 6.8 to 6.9 upgrade, there was a major postgresql upgrade.
It is mentioned in the doc https://www.openbsd.org/faq/upgrade69.html (see Special packages at the bottom).
You're redirected to the package README with special instructions on how to setup and upgrade: https://github.com/openbsd/ports/blob/master/databases/postg...
Et voilà, everything is explained.
On debian, if I am not careful, I'll do an upgrade and risk breaking something during a db migration (I'm looking at you MySQL upgrades...).
- So I installed OpenBSD 7.0 on my iMac G3 and well no desktop environment will fully install because of missing packages… even compiling CDE was a no go because KSH93 is broken on macppc. At least it’s a step in the right direction as far as getting anything graphical working.
- OpenBSD Gaming Updates Q2 2022
Godot engine gamecontroller support. This is limited and incomplete, but it's a start. A huge number of indie games made with Godot are released every week; most of which work at least partially with an XBox {360,One} controller. You can follow This Week in Godot if you're interested.
- Handling argc==0 in the Linux kernel
> OpenBSD has handled this case for some years. I do not know if there was any breakage or fallout from this.
The other thing about OpenBSD is that when they make a change to their OS, they also go through to make sure all the (third-party) ports/packages:
* https://cvsweb.openbsd.org/ports/
* https://github.com/openbsd/ports
do not break. So they create patches for the software and submit them upstream.
openssh-portable
- New startup sells coffee through SSH and exclusively through SSH
Default for the last 24 years according to https://github.com/openssh/openssh-portable/blame/385ecb31e1...
- Systemd Wants to Expand to Include a Sudo Replacement
They didn't need to use the library to make use of the systemd notify mechanism, which is simple to interface and quite a nice feature in the first place.
The free-standing implementation: https://github.com/openssh/openssh-portable/commit/08f579231...
- Terrapin Attack for prefix injection in SSH
Unless I'm misunderstanding what this is about, RFC5647 merely points out that the sequence number is included as AAD due to RFC4253 requirements. The [email protected] specification is not exactly the most rigorous thing I've ever seen (https://github.com/openssh/openssh-portable/blob/master/PROT...), but reading it, the sequence number is only included in the IV, and not as AAD, which directly runs afoul of the RFC4253 section 6.4 requirement for it to be included in the MAC.
- SSH3: SSH using HTTP/3 and QUIC
- SSH keys stolen by stream of malicious PyPI and NPM packages
The key layout is described in https://github.com/openssh/openssh-portable/blob/master/PROT... and you can view it pretty easily via
`cat private_key_here | head -n -1 | tail -n +2 | base64 -d | xxd`
One I created in 2016 is using aes256-cbc with bcrypt for the kdf, which isn't awful at all.
- Microsoft signing keys were leaked
Interestingly, it looks like ssh-agent disables core dumps[1], but I don't see similar usage for sshd
1: https://github.com/openssh/openssh-portable/blob/694150ad927...
- An Excruciatingly Detailed Guide to SSH (But Only the Things I Find Useful)
There's a current pull request for adding AF_UNIX support, which should make all kinds of exciting forwarding possible, since it will make it easy to proxy ssh connections through an arbitrary local process which can do anything to forward the data to the remote end.
https://github.com/openssh/openssh-portable/pull/431
- Project on GitHub - Customizable Arch Linux Podman images based on the official Arch Linux Docker image
OpenSSH server (allows connecting to containers)
- Funds of every Trust Wallet browser extension could have been stolen
It doesn't, at least not for generic/unmodified cryptographic applications.
WebAuthN signatures are of a very specific challenge/response format that applications need to explicitly support. For example, SSH had to add new key and signature formats [1] to support it.
Theoretically, a blockchain/cryptocurrency application could adopt the WebAuthN signature format as its canonical or an alternative signature format, but I'm not aware of any popular one having done so.
[1] https://github.com/openssh/openssh-portable/blob/master/PROT...
- We updated our RSA SSH host key
I just tested it and looked at the code briefly; the client fortunately does seem to remove all keys not provided by the server: https://github.com/openssh/openssh-portable/blob/36c6c3eff5e...
It seems like at least a `known_hosts` compromise would be "self-healing" after connecting to the legitimate github.com server once.
What are some alternatives?
mlvwm - Macintosh-like Virtual Window Manager (official repo)
gentoo - [MIRROR] Official Gentoo ebuild repository
NsCDE - Modern and functional CDE desktop based on FVWM
guardian-agent - [beta] Guardian Agent: secure ssh-agent forwarding for Mosh and SSH
xcape - Linux utility to configure modifier keys to act as other keys when pressed and released on their own.
wezterm - A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust
dxvk-native - D3D9/11 but it runs natively on Linux!
ssh-mitm - SSH-MITM - ssh audits made simple
OpenBSD-Games-Database - Database of games that run on OpenBSD
mac-ssh-confirm - Protect against SSH Agent Hijacking on Mac OS X with the ability to confirm agent identities prior to each use
Perimeter
OpenSSL - TLS/SSL and crypto library