ssh – Noise

Post-quantum security for SSH access on GitHub

brian m. carlson — Mon, 15 Sep 2025 16:00:00 +0000

GitHub is introducing post-quantum secure key exchange methods for SSH access to better protect Git data in transit.

The post Post-quantum security for SSH access on GitHub appeared first on The GitHub Blog.

Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH

Ethan Heilman — Tue, 25 Mar 2025 13:00:00 +0000

OPKSSH (OpenPubkey SSH) is now open-sourced as part of the OpenPubkey project.

Introducing Access for Infrastructure: SSH

Sharon Goldberg — Wed, 23 Oct 2024 13:00:00 +0000

Access for Infrastructure, BastionZero’s integration into Cloudflare One, will enable organizations to apply Zero Trust controls to their servers, databases, Kubernetes clusters, and more. Today we’re announcing short-lived SSH access as the first available feature of this integration.

New Open SSH Vulnerability

Bruce Schneier — Wed, 03 Jul 2024 15:27:11 +0000

It’s a serious one:

The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration.

[…]

This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization...

Backdoor in XZ Utils That Almost Happened

Bruce Schneier — Thu, 11 Apr 2024 11:01:51 +0000

Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global Internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it...

XZ Utils Backdoor

Bruce Schneier — Tue, 02 Apr 2024 18:50:50 +0000

The cybersecurity world got really lucky last week. An intentionally placed backdoor in XZ Utils, an open-source compression utility, was pretty much accidentally discovered by a Microsoft engineer—weeks before it would have been incorporated into both Debian and Red Hat Linux. From ArsTehnica:

Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 modified the way the software functions. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has actually seen code uploaded, so it’s not known what code the attacker planned to run. In theory, the code could allow for just about anything, including stealing encryption keys or installing malware...

New SSH Vulnerability

Bruce Schneier — Wed, 15 Nov 2023 17:51:52 +0000

This is interesting:

For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established.

[…]

The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host...

Introducing SSH command logging

Ankur Aggarwal — Fri, 18 Mar 2022 13:00:36 +0000

We built SSH command logging into Cloudflare Zero Trust to provide SSH visibility at a network layer instead of relying on software on individual machines

Security keys are now supported for SSH Git operations

Kevin Jones — Mon, 10 May 2021 17:20:08 +0000

GitHub has been at the forefront of security key adoption for many years. We were an early adopter of Universal 2nd Factor (“U2F”) and were also one of the first sites to transition to Webauthn.

SSHfix.sh – the small tool I use to enable SSH public/private key login

Anonymous — Thu, 30 Nov 2017 08:54:00 +0000

I am just dropping that here. This is sshfix.sh - a small tool I use to enable SSH login to a remote host. I use it the same way I use ssh: ./sshfix.sh delian@remote-host The code: #!/bin/sh [ -f ~/.ssh/id_rsa.pub ] || ssh-keygen -t rsa -b 2048; ss...