libssh vulnerability

An open source library, libssh, announced a fixed vulnerability today. I’ll let them explain:

libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.

Good thing we use OpenSSH in my company! I don’t have to monitor a bunch of software systems for security fixes and deployment–

$ nc github-enterprise.server 22
SSH-2.0-libssh_0.7.0

Shit.
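The banner check above (`nc host 22`) scales badly across a fleet, so here is an added example, not code from the post, that grabs the RFC 4253 identification line from each host and flags libssh servers in the advisory's affected range (0.6 and above). The patched release list is a placeholder to fill in from the libssh advisory, and the sample banners are constructed.

```python
import re
import socket

# Identification line per RFC 4253: "SSH-protoversion-softwareversion [comments]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
LIBSSH_RE = re.compile(r"^libssh[_-](\d+(?:\.\d+)*)")

# Placeholder: fill in from the libssh advisory (the post does not list patched releases).
PATCHED_RELEASES = set()  # e.g. {(0, 7, 6)} once confirmed against the advisory

def version_tuple(text):
    return tuple(int(p) for p in text.split("."))

def assess_banner(line):
    """Classify one server identification line against the libssh advisory."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return "not-ssh"
    lib = LIBSSH_RE.match(m.group("software"))
    if not lib:
        return "other-ssh"  # e.g. OpenSSH: outside the scope of this advisory
    v = version_tuple(lib.group(1))
    if v in PATCHED_RELEASES:
        return "libssh-patched"
    if v >= (0, 6):
        return "libssh-affected"  # advisory: 0.6 and above, server side
    return "libssh-pre-0.6"

def grab_banner(host, port=22, timeout=5.0):
    """Same check as `nc host 22` in the post: return the server's first SSH- line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for raw in s.makefile("rb"):
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if line.startswith("SSH-"):  # servers may send other lines first
                return line
    return ""

def scan_inventory(banners):
    """Map host -> finding for banners already collected (see SAMPLE_BANNERS)."""
    return {host: assess_banner(b) for host, b in banners.items()}

# Constructed sample of what grab_banner() might return for a few hosts.
SAMPLE_BANNERS = {
    "github-enterprise.server": "SSH-2.0-libssh_0.7.0",
    "bastion": "SSH-2.0-OpenSSH_7.4",
    "legacy-appliance": "SSH-2.0-libssh-0.5.5",
    "web": "HTTP/1.1 400 Bad Request",
}
```

For a live run, build the dictionary with `{h: grab_banner(h) for h in hosts}` and pass it to `scan_inventory`; anything reported as `libssh-affected` needs the vendor's fixed build, since the bypass is on the server side and no client-side setting mitigates it.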

Hardening SSH With Configuration Changes

Hardening SSH can be a challenge, but it’s critical to get done.


OpenSSH is the administrative tool of choice for any good Unix/Linux sysadmin, and every bad guy in the world knows it. Attackers constantly scan the Internet for low-hanging fruit like misconfigured SSH services.
