Collaborate Disseminate
Using the Secure Secure Shell guide by Stribika, the current recommended MACs line is:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.co… Continue reading Can’t append or redefine MACs in ssh_config (`MACs +algo`)
I need to test maximum-packet-size for SSH protocol. Would be grateful for information on possible tools that can be used for this. What I specifically need is the possibility to indicate packet length and to insure that data… Continue reading tools for testing ssh packets size [on hold]
I need to test maximum-packet-size for SSH protocol. Would be grateful for information on possible tools that can be used for this. What I specifically need is the possibility to indicate packet length and to insure that data… Continue reading tools for testing ssh packets size [on hold]
I am trying to get my ssh public key from my windows client to ubuntu host, but I have no idea how to. I tried to find the authorized_keys file, but had zero success. ssh-copy-id command did not work from windows. I generated the public/pr… Continue reading Copy SSH Public Key from Windows to Ubuntu
I have a newly installed (and updated) Centos 7 server I use for testing.
I implemented RSA key based authentication for ssh and set PermitRootLogin to without-password
When I logged on this morning I ran netstat -plant and… Continue reading How secure is ssh key-based authentication
I’d like to exchange files between a virtual machine (Ubuntu 16.04) and a Windows 10 machine and occasionally control the VM from the Windows machine.
I’ve decided I could use SSH. Mostly because I’d like to learn how to use… Continue reading Using ssh between Ubuntu VM and Windows host, possible threats of a customized setup?
Securely authenticate SSH hosts
I have successfully used both OpenSSH Certificates and SSHFP to authenticate hosts when connecting to servers using SSH. But I fail to find a way to require the combination of these. Is there … Continue reading How to force openssh client to require both SSH certificate and SSH fingerprint?
I am conducting a pentest where I got stuck on the following problem:
I found a LFI in a php file. I am trying to exploit it and to get a shell or any further usage out of it but until now without any success. I tried
to read log files (a… Continue reading How to further exploit LFI / ssh / mysql
I understand that it is better to use a passphrase for SSH private keys so that even if someone accesses your machine, they can’t simply SSH into a protected machine using your keys.
My question is specific to a certificate … Continue reading What is the risk if I don’t have a passphrase associated with CA private key?
I discovered the newer OpenSSH format for storing SSH private keys (ssh-keygen -o) uses bcrypt to generate the symmetric key to encrypt the private key. I understand that the -a option is used to adjust the bcrypt work factor. However, I don’t understand the exact relationship between the work factor and the given value. -a 200 takes about 5 seconds on my CPU, while this benchmark maxes out with a work factor of 20 taking over a minute. The work factor is a logarithmic scale, and I doubt my laptop is really >2^10 times faster than this person’s laptop.
Clearly -a does not directly translate to the bcrypt work factor. So what is the relationship?
The reason I want to know is to extrapolate a “worst-case” cracking rate for my chosen -a value based on this benchmark of a top-end (for 2017) cracking rig (which guesses ~100k hashes/sec across 8 GPUs, using a bcrypt work factor of 5 for the tests).
Continue reading What does ssh-keygen’s -a option really mean?