I have the real way to prevent #openssh backdoors. Never enable sshd on a system and instead go back to the old tried and true method of communicating remotely over physical RS-232 instead.
I had to install #Git on a #Windows machine today and OH MY GOD I forgot how complex a setup process it is. I went through it again just to count the unbelievable number of steps it took:
License agreement.
Which components to install (includes proper nouns like "Git Bash", "Git LFS", and "Scalar"). Notably does not enable automatic updates by default.
Default editor for Git (doesn't include #Emacs as an option).
Lasse Collin posted an update on the #xz #openssh backdoor situation. It doesn't give a lot of details, but is still useful as a primary source of information.
TL;DR: Damage control is underway in the project, but it's been somewhat inhibited by #GitHub taking it down and suspending Lasse's account.
We currently sign our factory image releases with the signify tool from OpenBSD. It provides tiny signatures that are easy to verify on any distribution with signify in its repositories. This is much less important than in the past because you can verify the completed install.
Reading more about this wild xz hack, it sounds so complex given the number of system-level dependencies that exist. Kudos to the people who have found it and are working to protect the community.
With a bit of luck, #OpenSSH 9.5 will reach #Debian Testing (aka #Trixie) by early next week.
As it stands, OpenSSH is blocked because it migrates after OpenSSL. OpenSSL, whose migration from 3.0.x to 3.1.x is blocked by nodejs, which is blocked by node-babel7 (which is in the process of being unblocked).
Introducing a new hashtag: #BigJiaTanVibes. To be used when someone tries to put abusive pressure on a maintainer to make way for whatever feature (or obfuscated backdoor) they claim is needed.
Can also be used in a positive way, e.g. when after many years a truly helpful feature gets included as a result of the negative outcome of said hashtag.
Example of the positive version: systemd notify is now implemented natively, without a dependency, in #OpenSSH.
I'm currently writing an article on FIDO2 / U2F security keys such as SoloKey2, YubiKey5 or NitroKey3.
It will cover how these keys can be set up with standard tools and used for login on Linux or with OpenSSH (using Fedora Linux as the example). Maybe I'll also include LUKS decryption right away, otherwise that comes afterwards.
Do you have any particular interests or questions I should give special attention to?
This release shows more output for error cases, both in the log output, and with GUI notifications.
I also published an updated version 0.0.3 of https://crates.io/crates/openpgp-card-state, which contains a low-level CLI tool to help with debugging/development. This version gives more debugging output for error cases.
"This dependency existed not because of a deliberate design decision by the developers of OpenSSH, but because of a kludge added by some Linux distributions to integrate the tool with the operating system's newfangled orchestration service, systemd."
#Fabric 3.1 / #Paramiko 3.2 out now, after months of hacking, rewriting, cursing ancient design decisions that don't work w/ non-OpenSSH targets, & so on & so forth.
Most of this is opt-in, experimental, and incomplete - but hey, it works well enough that my colleagues can get their ssh-agents and passphraseless pubkeys working with both #OpenSSH and #Teleport!
Solid foundation, living room furnished…rest of house forthcoming 😂
I just found that the #OpenSSH client is unresponsive to Ctrl+C in early connection phase.
I am ssh-ing into a remote #Linux machine that's running out of RAM. The remote is swapping heavily and answers /really/ slowly. Until the session is established, the ssh command won't terminate on Ctrl+C. Only a SIGTERM makes it terminate.
what's really wild is that I bet state actors could just find and offer money to unscrupulous open source contributors instead of wasting years on infiltration.
I bet somebody like that has his DMs open right now and state actors just have to be brave enough to reach out.
heck, state actors, I bet the answer is right in front of your eye sacks.
to repeat, the ANSWER is in front of your EYE SACK...