clifff @clifff

1 post1 participant0 posts today

**John Goerzen** @jgoerzen@floss.social · 2d

I recently bought a couple of YubiKey security keys. These support FIDO2/U2F, integrate well with #SSH

In researching how to do this, I found a lot of pages online with poor instructions. In many cases, they suggested insecure practices.

It turns out this whole process is quite easy. But I wanted to understand how it worked.

So, I figured it out, set it up myself, and then ut up a new, comprehensive page on my website: https://www.complete.org/easily-using-ssh-with-fido2-u2f-hardware-security-keys/ .

Blog post at https://changelog.complete.org/archives/10815-how-to-use-ssh-with-fido2-u2f-security-keys

www.complete.org · Jan 1, 1Easily Using SSH with FIDO2/U2F Hardware Security KeysA lot of new hardware security keys (Yubikey, Nitrokey, Titan, etc.) now support FIDO2 (aka U2F aka Webauthn aka Passkey; yes it’s a mess). So does OpenSSH. This spells good news for us, because it is far easier to use than previous hardware security types (eg, PKCS#11 and OpenPGP) with ssh. A key benefit of all this, if done correctly, is that it is actually impossible to access the raw SSH private key, and impossible to use it without the presence of the SK and a human touching it.

**IAintShootinMis** @iaintshootinmis@digitaldarkage.cc · May 13

May 13

IAintShootinMis @iaintshootinmis@digitaldarkage.cc

Man, #ssh never ceases to amaze me.

Just learned (after 15years on #linux) that you can execute a command on a remote host using the ' ' convention.

E.g.; ssh root@host 'date' will 1) start a connection, 2) execute date on the remote host 3) return the output of date 4) and finally close the connection.

Even better you can pipe things to the command. So echo "dog" | ssh root@1.x.x.x 'wall' will send the word "dog" to all logged in users.

I should have assumed something like this exists

Two terminal windows showing the command in the toot being executed on terminal 1, and be produced as a wall message on terminal 2. (The remote host)

**tinfoil-hat** @tinfoil-hat@social.tinfoil-hat.net · May 9

May 9

tinfoil-hat @tinfoil-hat@social.tinfoil-hat.net

Dropped a new Blogpost https://tinfoil-hat.net/posts/proxmox-server-vps-single-ip/

Please tell me what you think about it :-)

tinfoil-hat.nettinfoil-hat.net - Proxmox Server Vps Single IP

#Blog #Proxmox #Debian

**Jorijn Schrijvershof** @jorijn@jorijn.dev · May 7

May 7

Jorijn Schrijvershof @jorijn@jorijn.dev

Interesting article this morning: Are SSH Ed25519 keys safer than RSA keys?

https://security.stackexchange.com/questions/90077/ssh-key-ed25519-vs-rsa

(Spoiler: Perhaps, but it doesn't matter)

#DevOps #Security #SSH

**OSTechNix** @ostechnix@floss.social · May 6

May 6

OSTechNix @ostechnix@floss.social

How Tmux Saved My Work When SSH Kept Dropping and Why You Should Use Tmux for Unstable SSH Connections in Linux #tmux #ssh #secureshell #linux #tmuxtips #linuxadministration
https://ostechnix.com/use-tmux-unstable-ssh/

Replied in thread

**Kevin Karhan** @kkarhan@infosec.space · May 4 *

May 4 *

Kevin Karhan @kkarhan@infosec.space

@torproject Q: I wish there was a similar tool test #Bridges, as https://bridges.torproject.org/scan/ is not that good and I don't want to hammer it with dozens of addresses, cuz at best that's quite antisocial if not possibly trigger responses assuming this is an intelligence gathering operation.

Ideally sone standalone binary that one can just give a list of #TorBridge|s in a text file (similar to the way one can just past them in at #TorBrowser) would help.

I.e.

bridgetest -v4 obfs4 203.0.113.0:80 …

bridgetest -v6 webtunnel [2001:DB8::1]:443 …

bridgetest -list ./tor.bridges.list.private.tsv

But maybe #onionprobe already does that. In that case please tell me to "#RTFM!"…

Similarly there needs to be a more granular way to request #TorBridges from #BridgeDB (as it's basically impossible to get #IPv4 #Webtunnel addresses nor is there an option to filter for #ports like :80 & :443 to deal with restrictive #firewalls (i.e. on public #WiFi)…

there are flags like ipv6=yes but neither ipv4=yes nor ipv6=no yielded me other resultd than #IPv6 webtunnel bridges…

And before anyone asks: Yes, I do have a "legitimate purpose" as some of my contacts do need Bridges to get beyond a mandatory firewall and/or do use #TorBrowser (through an #SSH tunnel) to circumvent Tor & #VPN blocks and maintain privacy (as many companies do block sometimes entire #Hosters' ASNs due to rampant #scrapers…

bridges.torproject.orgThe Tor Project | Privacy & Freedom OnlineDefend yourself against tracking and surveillance. Circumvent censorship.

**Cyberduck** @cyberduck@fosstodon.org · Apr 30

Apr 30

Cyberduck @cyberduck@fosstodon.org

You can now configure #Bitwarden to be used as a #SSH agent for authentication with Cyberduck. https://docs.cyberduck.io/tutorials/sftp_publickeyauth_bitwarden/

docs.cyberduck.ioConfigure Public Key Authentication for SFTP using Bitwarden SSH Agent — Cyberduck Help documentation

**Jakub M** @kuba18i@mastodon.gamedev.place · Apr 29

Apr 29

Jakub M @kuba18i@mastodon.gamedev.place

If you're on phone, the Termux app can work as a PuTTY replacement, and when combined with the screen command, you can host multiple game servers on one Linux machine!

Mobile screenshot of a terminal, taking control of a game server.

#linux #termux #putty

Replied in thread

**Kevin Karhan** @kkarhan@infosec.space · Apr 21

Apr 21

Kevin Karhan @kkarhan@infosec.space

@shoppingtonz @alternativeto @torproject also every #Tunneling - regardless if #SSH or #VPN or whatever - will inevitably introduce #latency (unless you happen to be customer of a shitty #ISP with horrible #peering and thus can cut down on hops needed, which is AFAIK only a theoretical scenario)...

Outside of circumventing #Geoblocking and bypassing #IP-based #Banning (i.e. for #Cheating) I've not seen any use-cases.

In fact I stopped using #HEnet #Tunnelbroker and #IPv6-#GIF-Tunneling because it created more issued than it solved on my #IPv4only #Internet connection…

**Alexandre Dulaunoy** @adulau@infosec.exchange · Apr 17

Apr 17

Alexandre Dulaunoy @adulau@infosec.exchange

we talk about ssh with @jtk and bam there is this

https://vulnerability.circl.lu/vuln/CVE-2025-32433#sightings

“SSH server (Erlang) may allow an attacker to perform unauthenticated remote code execution (RCE).”

We should be careful when we talk.

vulnerability.circl.lucvelistv5 - CVE-2025-32433Vulnerability-Lookup - Fast vulnerability lookup correlation from different sources.

#vulnerability #ssh #erlang

**Royce Williams** @tychotithonus@infosec.exchange · Apr 16 *

Apr 16 *

Royce Williams @tychotithonus@infosec.exchange

Call for volunteer data:

Looking for real sets of hash-protected ssh ~/.ssh/known_hosts files/records, to tune cracking attack stacks on. The bigger the better.

Requirements: the cipher type and the fingerprint are not needed -- just need the hash and salt (first couple of base64 fields).

Individual cracks won't be published. If you want your own cracks, strong proof of ownership required. DM me!

#ssh #HashCracking

**Iain Cuthbertson** @bigcalm@mendeddrum.org · Apr 10

Apr 10

Iain Cuthbertson @bigcalm@mendeddrum.org

For your personal system hopping and coding - how many #SSH keys do you use?

35%One main one across all devices
53%One per device
12%Something else (please comment)

**Edwin G.** @EdwinG@mstdn.moimeme.ca · Apr 10

Apr 10

Edwin G. @EdwinG@mstdn.moimeme.ca

Portable OpenSSH 10.0p1 will not exist. It will be known as OpenSSH 10.0p2.

https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-April/000163.html
- - -
OpenSSH portable 10.0p1 n’existera pas. Ce sera connue comme OpenSSH 10.0p2.

// Publication en anglais //

lists.mindrot.org[openssh-unix-announce] Announce: OpenSSH 10.0 released

#OpenSSH #SSH

**OpenBSD Now!** @openbsdnow@bsd.network · Apr 9

Apr 9

OpenBSD Now! @openbsdnow@bsd.network

Alert when users log in from new locations

https://github.com/mricon/howler

GitHubGitHub - mricon/howler: Alert when users log in from new locationsAlert when users log in from new locations. Contribute to mricon/howler development by creating an account on GitHub.

#ssh #sec

Replied in thread

**Kevin Karhan** @kkarhan@infosec.space · Apr 8 *

Apr 8 *

Kevin Karhan @kkarhan@infosec.space

@JessTheUnstill @Pibble

And yes, I treat all devices as insecure and would rather invest the time and effort needed get #TechIlliterates up to speed on the #OfflinePGP method!

Sounds cumbersome, but when your threat model literally goes against the #1 #Hacking #Regime (#USA) with more #Exploits stockpiled than any hacking forum (cuz #NOBUS doctrine), you gotta have to upgrade.

Given the cheapness of storage (legitimate 1TB microSD cards exist and they ain't 4-digit items!) I'd legitimately look into #OTP #encryption and (IF I had the €€€€€€ to do so!) would even sponsor implementing it in #OpenVPN, #WireGuard and #OpenSSH (for #SSH-Tunmeling).

The #US is a #RogueNation with a Rogue Government! The sooner we accept this reality the sooner we can not only adjust to it but act accordingly…

I sincerely wish y'all could legitimately call me a tinfoilhat but so far I've been proven right all the time...

YouTube[English] Pfandleiher on... The offline-pgp-method and why Encrochat, SKY ECC and ANON are failing.By Pfandleiher

**Tomáš** @prahou@merveilles.town · Apr 7

Apr 7

Tomáš @prahou@merveilles.town

Fish gives Postman fish a letter. Postman fish travels through a dangerous evil forest. Postman fish reaches a computer. Postman fish checks Fish's letter. It says "ls" and a key is attached. Postman fish types ls on the computer. It prints the output of the command. Postman fish copies the output of the command and travels back to Fish. Postman fish hands Fish the output of "ls" in a neat envelope with a fish sticker.

#unix_surrealism #openbsd #openssh

**OSTechNix** @ostechnix@floss.social · Apr 4

Apr 4

OSTechNix @ostechnix@floss.social

Pico.sh: The SSH-Powered Services Every Developer Should Try #Pico #SSH #Developer #Webservice #Linux #SecureShell
https://ostechnix.com/pico-sh-ssh-powered-developer-services/

Replied in thread

**Kevin Karhan** @kkarhan@infosec.space · Apr 2

Apr 2

Kevin Karhan @kkarhan@infosec.space

@Yuki @OS1337 @bjornsdottirs no need to go beyond 1440kB when using mlb instead of #syslinux (which wastes 200kB on it's own!)

Also including the #initramfs into the #Kernel can save more due to better compression than two seperate files.

Needless to say the core idea is to be a continuation of #tmsrtbt and a "minimalist #linux distro" as in "#SSH #Terminal #Firmware"...

GitHubGitHub - OS-1337/mlb: Minimal Linux BootloaderMinimal Linux Bootloader. Contribute to OS-1337/mlb development by creating an account on GitHub.

#linux #SSH #terminal

**OSTechNix** @ostechnix@floss.social · Apr 1

Apr 1

OSTechNix @ostechnix@floss.social

A Complete Guide to Install, Enable, and Secure SSH on Fedora Linux 42 #SSH #SecureShell #Fedora #Linux #Security #Linuxhowto #Linuxadmin
https://ostechnix.com/set-up-configure-ssh-fedora/

**stib** @stib@aus.social · Apr 1

Apr 1

stib @stib@aus.social

If I have a #codeberg account set up, with a verified #ssh key on my account and the corresponding public and private keys in `~/.ssh/`, is there a way that I can make it so that it doesn't ask me for my keyphrase every time I push? I'm sure VSCode could do this, but since I've switched to #Helix, which doesn't have git built-in I've been manually doing the git stuff.
My knowledge of #cryptography and #git are well and truly at the 'barely enough to get myself into trouble' level.
#AskFedi

Recent searches

Search options

Administered by:

Server stats:

#SSH