When you have an ssh jumphost, the trivial setup is one that conflates OS access and application access.

The application is ssh, providing the jump to the privileged network, but ssh also allows OS access, potentially allowing privilege escalation within the jumphost.

Are people taking this seriously and e.g. running an unprivileged sshd inside a container? Access the OS over port 22 to the privileged sshd, restricting that to the segregated admin network, access the jumping over port 2222 and minimize the attack surface on the outer host?

#infosec #bastion #jumphost
#ssh #sshd #OpenSSH

github-keygen v1.401 is released.

An hybrid post quantum algorithm is added to the configuration, in hope it will be supported server side by GitHub.

Also a few Windows fixes.

Full changes: https://github.com/dolmen/github-keygen/releases/tag/v1.401

My first commit on that project was 14 years ago. Time flies!

I'm betting the answer here is "this isn't possible" but if anyone knows how to tell OpenSSH that when it's enumerating pubkeys it should check which of the two known authentication dongles is actually plugged into the computer, and only prompt me to unlock the SK key that belongs to that dongle, not both of them, please tell me how.

OpenSSH Config Tags How To

https://mrod.space/2023/09/04/using-tags-in-ssh-config

To be honest I did not know tags existed in #OpenSSH

If you're on #Debian stable but would like a PQ key exchange algorithm on your SSH service, #OpenSSH 10 is available in the Bookworm backports with the following release notes.

Multiplexing will boost your SSH connectivity or speed by reusing existing TCP connections to a remote host. Here are commands that you can use to control multiplexing when using OpenSSH server or client on your Linux, macOS, FreeBSD or Unix-like systems. Not sure what SSH multiplexing is? Learn how to set it up and use it to speed up your SSH sessions with our handy guide: https://www.cyberciti.biz/faq/ssh-multiplexing-control-command-to-check-forward-list-cancel-stop-connections/

A very welcome change in #OpenBSD -current that impacts software which restrict filesystem access with unveil(2), but permit access to /tmp (like web browsers). ​

ssh-agent(1) listener sockets and forwarded sockets in sshd(8) will now be under ~/.ssh/agent instead.

djm@ modified src/usr.bin/ssh/*: Move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).

This ensures processes (such as Firefox) that have restricted filesystem access that includes /tmp (via unveil(3)) do not have the ability to use keys in an agent.

Moving the default directory has the consequence that the OS will no longer clean up stale agent sockets, so ssh-agent now gains this
ability.

To support $HOME on NFS, the socket path includes a truncated hash of the hostname. ssh-agent will by default only clean up sockets from the same hostname.

ssh-agent gains some new flags: -U suppresses the automatic cleanup of stale sockets when it starts. -u forces a cleanup without keeping a running agent, -uu forces a cleanup that ignores the hostname. -T makes ssh-agent put the socket back in /tmp.

feedback deraadt@ naddy@
doitdoitdoit deraadt@

OK, this is a thing I didn't know. In #openssh config files, the first mention wins, not the last.

The overrides in the .d directories are included *first* (normally this happens last - see nginx, sudo, etc) which is how they override things.

https://utcc.utoronto.ca/~cks/space/blog/sysadmin/OpenSSHConfigOrderMatters

OpenSSH 10.0/10.0p2 released https://www.openssh.com/releasenotes.html#10.0p1

Portable OpenSSH 10.0p1 will not exist. It will be known as OpenSSH 10.0p2.

https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-April/000163.html
- - -
OpenSSH portable 10.0p1 n’existera pas. Ce sera connue comme OpenSSH 10.0p2.

// Publication en anglais //

OpenSSH 10.0 released with hybrid post-quantum algorithm mlkem768x25519-sha256 as default key agreement, new cipher preference list, new options, bug fixes

https://www.openssh.com/releasenotes.html

#OpenSSH 10.0 release notes: https://www.openssh.com/txt/release-10.0

In addition to removing DSA, this splits the user authentication code from the sshd-session binary into a separate sshd-auth binary. Also only #OpenBSD, this new sshd-authd is relinked on boot, just like sshd-session & sshd.

Sicherheitsupdate OpenSSH: Angreifer können sich in Verbindungen einklinken | heise online
https://heise.de/-10287547 #Dateiübertragungssoftware #OpenSSH #Sicherheitslücken #Update

#OpenSSH has a MitM vulnerability when using `VerifyHostKeyDNS` (CVE-2025-26465).

The attack has the hostile server running the client out of memory, which then circumvents the hostkey verification *completely*.

The default for `VerifyHostKeyDNS` is `no`, but if you change that, until you can upgrade to 9.9p2, better keep it at `VerifyHostKeyDNS=no`.

https://www.openwall.com/lists/oss-security/2025/02/18/1

#OpenSSH 9.9p2 -portable was released, fixing two security issues reported by Qualys Security.

https://www.openssh.com/releasenotes.html#9.9p2

A binary syspatch is also available for #OpenBSD 7.5/7.6.