Protecting sshd using spiped (2012)
The article highlights spiped as a secure pipe daemon to protect sshd, offering a simpler alternative to 'ssh -L' by establishing a pre-shared secret key between hosts. Spiped enhances server security efficiently.
Read original article
The article discusses the use of spiped, a secure pipe daemon, as a way to protect sshd and restrict access to the SSH daemon. Spiped offers a simpler alternative to 'ssh -L' by allowing the establishment of a pre-shared secret key between hosts. By running spiped on a server, configured to accept connections on a different port and connect to the SSH port, administrators can firewall off the standard SSH port while still allowing secure connections globally. The introduction of spipe, a client for the spiped protocol, further simplifies the process by encrypting a single connection. By integrating spiped with other daemons, additional encryption and authentication can be added. The article emphasizes the UNIX philosophy of creating simple components that can be easily assembled to solve complex problems, with spiped being highlighted as a versatile tool for enhancing security in server setups.
Related
SSH as a Sudo Replacement
Using SSH instead of sudo, the article addresses limitations of setuid binaries for privilege escalation. It details configuring s6-sudod to allow authorized users root access securely, emphasizing OpenSSH's security features.
The FreeBSD-native-ish home lab and network
The author details a complex home lab setup with a FreeBSD server on a laptop, utilizing Jails for services like WordPress and emphasizing security measures and network configurations for efficiency and functionality.
XZ backdoor: Hook analysis
Kaspersky experts analyzed the XZ backdoor in OpenSSH 9.7p1, revealing hidden connections, SSH authentication bypass, and remote code execution capabilities. The backdoor manipulates RSA keys, uses steganography, and executes commands.
RegreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems
A vulnerability in OpenSSH's server on glibc-based Linux systems (CVE-2024-6387) allows remote code execution. Exploiting this flaw requires precise timing. The advisory discusses exploitation details, success rates, and contacting developers for related issues.
OpenSSH Race condition resulting in potential remote code execution
OpenSSH 9.8, released on July 1, 2024, addresses critical security issues like ObscureKeystrokeTiming vulnerabilities in sshd(8) and ssh(1), plans to deprecate DSA support, and introduces penalties for failed authentications. Various improvements included.
2 commentsSigned binaries & docs: https://www.tarsnap.com/spiped.html
Golang implementation (2014 alpha): https://pkg.go.dev/github.com/dchest/spipe
Related
SSH as a Sudo Replacement
Using SSH instead of sudo, the article addresses limitations of setuid binaries for privilege escalation. It details configuring s6-sudod to allow authorized users root access securely, emphasizing OpenSSH's security features.
The FreeBSD-native-ish home lab and network
The author details a complex home lab setup with a FreeBSD server on a laptop, utilizing Jails for services like WordPress and emphasizing security measures and network configurations for efficiency and functionality.
XZ backdoor: Hook analysis
Kaspersky experts analyzed the XZ backdoor in OpenSSH 9.7p1, revealing hidden connections, SSH authentication bypass, and remote code execution capabilities. The backdoor manipulates RSA keys, uses steganography, and executes commands.
RegreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems
A vulnerability in OpenSSH's server on glibc-based Linux systems (CVE-2024-6387) allows remote code execution. Exploiting this flaw requires precise timing. The advisory discusses exploitation details, success rates, and contacting developers for related issues.
OpenSSH Race condition resulting in potential remote code execution
OpenSSH 9.8, released on July 1, 2024, addresses critical security issues like ObscureKeystrokeTiming vulnerabilities in sshd(8) and ssh(1), plans to deprecate DSA support, and introduces penalties for failed authentications. Various improvements included.