|
Wicaeed posted:Is it common practice for a third party we use to host an external support website (these guys are pretty large too) to ask for the following?
|
#
?
Sep 1, 2017 20:53
|
|
|
|
| # ? May 12, 2024 13:44 |
|
|
Wicaeed posted:Doesn't sending the private keys to someone that didn't generate them defeat one of the basic points of a loving private key? Yes, it does.
|
|
#
?
Sep 1, 2017 21:13
|
|
|
It makes more sense when they can't generate a CSR. Either they are incapable of doing so, or they don't know how. 
|
|
#
?
Sep 1, 2017 21:16
|
|
|
anthonypants posted:It makes more sense when they can't generate a CSR. Either they are incapable of doing so, or they don't know how. If someone tells me they can't generate a CSR, after I giggle arrogantly I usually just link them the google results for certutil or openssl or whatever, because jesus christ it's 2017 and still no one knows what a certificate is or how they work
|
|
#
?
Sep 1, 2017 21:24
|
|
|
CLAM DOWN posted:If someone tells me they can't generate a CSR, after I giggle arrogantly I usually just link them the google results for certutil or openssl or whatever, because jesus christ it's 2017 and still no one knows what a certificate is or how they work
|
|
#
?
Sep 1, 2017 21:34
|
|
|
anthonypants posted:I had to argue with a guy about using 1024-bit keys not too long ago, and now I'm having the argument with him that 7zip 9.20 DLLs on a public share isn't a security risk. 
|
|
#
?
Sep 1, 2017 21:50
|
|
|
Our industry is quite literally a hopeless endeavour
|
|
#
?
Sep 1, 2017 21:50
|
|
|
Certified Information Systems Sisyphus Professional
|
|
#
?
Sep 1, 2017 22:03
|
|
|
Phasing out 3DES is going to be a huge PITA since its the last symm cipher XP/2003 and older systems have left and the world is going to scream murder over it.
|
|
#
?
Sep 1, 2017 22:04
|
|
|
BangersInMyKnickers posted:Phasing out 3DES is going to be a huge PITA since its the last symm cipher XP/2003 and older systems have left and the world is going to scream murder over it. It will be painful, but it will also be glorious.
|
|
#
?
Sep 1, 2017 22:56
|
|
|
BangersInMyKnickers posted:Phasing out 3DES is going to be a huge PITA since its the last symm cipher XP/2003 and older systems have left and the world is going to scream murder over it. ugh you'd think those nintendo scientists would be better at math
|
|
#
?
Sep 1, 2017 23:06
|
|
|
Contracted out some work to a developer. I'm not sure they entirely understand how to use SSH, and then they were complaining they couldn't connect to our server to transfer some files. sshd[7666]: fatal: Unable to negotiate with x.x.x.x port x: no matching cipher found. Their offer: 3des-cbc,arcfour,cast128-cbc,twofish-cbc,blowfish-cbc,twofish128-cbc,aes128-cbc,aes256-cbc [preauth] Software they are trying to use (CuteFTP I think) is so outdated all of the ciphers are disabled by default in Ubuntu 16.
|
|
#
?
Sep 2, 2017 11:48
|
|
|
CLAM DOWN posted:Reading cissp material is enough to make me want to off myself out of boredom. Why am I doing this. Just spent the past couple months doing a few ITIL and PRINCE2 certs, and I can't even find the right words to describe how awful it was. Nothing I've done before even comes close to the level of pain it caused me to sit through hours and hours and hours of boring lectures. I can barely make it through a page of the official manuals without my brain just disengaging from my eyes. ITIL was the worst, at least PRINCE2 had some useful information, and even drank a bit of the PRINCE2 kool-aid and could see myself applying parts of it pretty regularly in the future. Sure makes the AWS training I'm doing now about a billion times more enjoyable, now that I know how bad things can be.
|
|
#
?
Sep 2, 2017 11:56
|
|
|
Cowboy Mark posted:Contracted out some work to a developer. I'm not sure they entirely understand how to use SSH, and then they were complaining they couldn't connect to our server to transfer some files. A long while ago, I set up a dev environment on digital ocean for some subcontractors to work with. They had no sort of pki in place, and no real idea how to do it, so I cut them a working key under a new root, delivered it by hand, and showed them how to use it with putty. 3AM, I get a message from DO saying that the server is racking up abuse complaints. The only thought I had was that the subcontractor must be breached. Lo, that's how those dudes found out that they had been hosed for awhile. I was glad we didn't give them direct access to our poo poo.
|
|
#
?
Sep 2, 2017 12:20
|
|
|
Cowboy Mark posted:Software they are trying to use (CuteFTP I think) is so outdated all of the ciphers are disabled by default in Ubuntu 16.
|
|
#
?
Sep 2, 2017 13:49
|
|
|
quote:and send everything in plaintext, rather than at least trying, That's not how SSH works at all
|
|
#
?
Sep 2, 2017 14:28
|
|
|
Ubuntu sacrifices practicality for security 
|
|
#
?
Sep 2, 2017 14:32
|
|
|
The stance is "upgrade your old poo poo"
|
|
#
?
Sep 2, 2017 16:08
|
|
|
Rufus Ping posted:That's not how SSH works at all How to recompile sshd to be able to support cipher "none" dont do this
|
|
#
?
Sep 2, 2017 16:29
|
|
|
My apologies, I misread it. Thought it was about an outdated ftp client not sshd. Although it's technically possible to send files over ssh, it's a lot easier to use scp.
|
|
#
?
Sep 2, 2017 18:32
|
|
|
EVIL Gibson posted:How to recompile sshd to be able to support cipher "none" This is the abyss
|
|
#
?
Sep 2, 2017 18:55
|
|
|
D. Ebdrup posted:My apologies, I misread it. Thought it was about an outdated ftp client not sshd. Although it's technically possible to send files over ssh, it's a lot easier to use scp. scp is ssh. That is HOW you send files over ssh in a unix to unix transfer. For sending from a windows box sftp is usually easier to get going, in so far as modern ftp clients will automagically use it if you tell them to connect on port 22 instead of 21.
|
|
#
?
Sep 2, 2017 19:05
|
|
|
RFC2324 posted:scp is ssh. That is HOW you send files over ssh in a unix to unix transfer. For sending from a windows box sftp is usually easier to get going, in so far as modern ftp clients will automagically use it if you tell them to connect on port 22 instead of 21. C'mon y'all, let's have arguments over which secure ftp to use: SFTP or FTPS .
|
|
#
?
Sep 2, 2017 19:40
|
|
|
Why not SFTPS?
|
|
#
?
Sep 2, 2017 19:41
|
|
|
EVIL Gibson posted:C'mon y'all, let's have arguments over which secure ftp to use: SFTP or FTPS . sftp. That way you don't have to deal with loving SSL certs in a way that was never intended.
|
|
#
?
Sep 2, 2017 19:44
|
|
|
RFC2324 posted:sftp. That way you don't have to deal with loving SSL certs in a way that was never intended.
|
|
#
?
Sep 2, 2017 19:49
|
|
|
If you use FTPS I'm going to judge you then mock you then disregard your opinion on anything else.
|
|
#
?
Sep 2, 2017 20:16
|
|
|
RFC2324 posted:scp is ssh. That is HOW you send files over ssh in a unix to unix transfer. For sending from a windows box sftp is usually easier to get going, in so far as modern ftp clients will automagically use it if you tell them to connect on port 22 instead of 21. I was talking about piping standard streams through ssh, like you do with zfs send | receive - because I'd just been doing that to back up stuff, and it reminded me that you could theoretically do that.
|
|
#
?
Sep 3, 2017 09:25
|
|
|
D. Ebdrup posted:I was talking about piping standard streams through ssh, like you do with zfs send | receive - because I'd just been doing that to back up stuff, and it reminded me that you could theoretically do that.
|
|
#
?
Sep 3, 2017 10:12
|
|
|
I took many a snapshot backup of a project via tar czf - dir/ | ssh host "cat > backup.tar.gz" E: I ran a UUCP node at one point, but I don't recall a link between UUCP and the Berkeley rlogin suite. Is that based on anything other than the naming of the two commands? Subjunctive fucked around with this message at 10:28 on Sep 3, 2017 |
|
#
?
Sep 3, 2017 10:20
|
|
|
EVIL Gibson posted:How to recompile sshd to be able to support cipher "none" Reminds of this load generator company that claims 200,000 TLS/sec on their datasheet. When you ask which cipher they won't tell you (I suspect it's a null cipher).
|
|
#
?
Sep 3, 2017 10:30
|
|
|
Subjunctive posted:I took many a snapshot backup of a project via tar czf - dir/ | ssh host "cat > backup.tar.gz" So it turns out I'm actually just a stupid-head.
|
|
#
?
Sep 3, 2017 12:23
|
|
|
anthonypants posted:what the gently caress I've used this trick to run packet captures on a remote system that get routed in real time to Wireshark on my local system. SSH can be abused in all kinds of hilarious and useful ways.
|
|
#
?
Sep 3, 2017 15:26
|
|
|
wolrah posted:I've used this trick to run packet captures on a remote system that get routed in real time to Wireshark on my local system. SSH can be abused in all kinds of hilarious and useful ways. Can't you load the private key in Wireshark and still decrypt it on the fly? Genuine question, as I've only done it with recorded HTTPS myself.
|
|
#
?
Sep 3, 2017 17:07
|
|
|
Furism posted:Can't you load the private key in Wireshark and still decrypt it on the fly? Genuine question, as I've only done it with recorded HTTPS myself. That doesn't help with the streaming part, though.
|
|
#
?
Sep 3, 2017 17:23
|
|
|
Furism posted:Can't you load the private key in Wireshark and still decrypt it on the fly? Genuine question, as I've only done it with recorded HTTPS myself. Like Subjunctive said I'm not capturing the SSH traffic, I'm running tcpdump on a remote system and sending the output to stdout, which gets piped over SSH to Wireshark on my local system. This me to view roughly real-time traffic captures from what might be a 400MHz ARM box with 16MB RAM and no local storage on the other side of the country. You actually don't want to capture the SSH traffic in this case, if you do it becomes an exponential explosion as it captures its own traffic sending its own traffic back to me. It definitely happens accidentally from time to time if I botch capture filters. wolrah fucked around with this message at 17:36 on Sep 3, 2017 |
|
#
?
Sep 3, 2017 17:34
|
|
|
wolrah posted:Like Subjunctive said I'm not capturing the SSH traffic, I'm running tcpdump on a remote system and sending the output to stdout, which gets piped over SSH to Wireshark on my local system. This me to view roughly real-time traffic captures from what might be a 400MHz ARM box with 16MB RAM and no local storage on the other side of the country. Actually have some knowledge to help with this. There is a person in a security group in my area that is testing running bro on a raspberry pi and he is writing an article on his experiences. He is trying to find a good way to make sure he is getting all packets and not missing any on a network constantly using 2 video streams and 5 other connections. There is a Star Lan Tap by Michael Ossman which is a inexpensive piece of PCB with components to create a monitor port between two wires. You could Wireshark that but the lan tap is limited to 10/100 . You can get up to gigabit using a GS105Ev2 – ProSAFE Plus 5-port Switch which has mirror mode which just like a tap showing all communication while not sending anything out. It's like 40 or something.
|
|
#
?
Sep 3, 2017 17:49
|
|
|
Typically when I'm doing this I'm capturing for VoIP troubleshooting purposes. All of the routers we support run some form of *nix and have tcpdump present so my trick gets me the traffic I need directly from their router's interface. I was just providing an example of interesting SSH trickery.
|
|
#
?
Sep 3, 2017 18:30
|
|
|
Sending zfs bytestreams over ssh seems like a perfect piece of SSH trickery to me, if the boxes serve as backup for each other in case of catastrophic hardware failure, and both happen to run some form of ZFS.
|
|
#
?
Sep 3, 2017 20:27
|
|
|
|
| # ? May 12, 2024 13:44 |
|
|
D. Ebdrup posted:Sending zfs bytestreams over ssh seems like a perfect piece of SSH trickery to me, if the boxes serve as backup for each other in case of catastrophic hardware failure, and both happen to run some form of ZFS. It seems like something that would be more efficiently solved in another way, to me. One of those 'can we do things in a sane reliable engineered way, or come up with some wacky ssh solution?' situations. For one, if those boxes server as backups for each other(you mean clustered, right?) wouldn't you want them to have a shared backing datastore?
|
|
#
?
Sep 3, 2017 20:45
|
|