Freexian’s July 2025 Debian contributions report highlights our active role in Debian, from sponsoring and participating in DebConf 25 to contributing talks, infrastructure work, and community planning.

Full details: https://www.freexian.com/blog/debian-contributions-07-2025/

Post-Quantum Cryptography Advice Added to OpenSSH Website https://www.undeadly.org/cgi?action=article;sid=20250811110058 #openbsd #openssh #ssh #cryptography #postquantum #postq #crypto #security #libresoftware #freesoftware #bsd

Wth, after the latest #OpenSSH update the daemon only listens on IPv6 addresses? Is that just me? Lol #Linux

lsof -i -n -P | grep sshd
sshd 63245 root 3u IPv6 4882 0t0 TCP *:22 (LISTEN)

Recent new features in OpenSSH https://www.undeadly.org/cgi?action=article;sid=20250802084523 #openbsd #openssh #ssh #newfeatures #development #security #freesoftware #libresoftware #crypto #cryptography

Heads up, upcoming changes to the IPQoS default and config keywords in #OpenSSH ssh(1)/sshd(8) have landed in #OpenBSD -current.

job@ modified src/usr.bin/ssh/*: Set default IPQoS for interactive sessions to Expedited Forwarding (EF)

Marking interactive session data with DSCP value EF (RFC3246, RFC3247) helps inform the network on relative priority compared to other traffic.
This is especially useful for differentiated treatment over wireless media.

Following the reconciled IETF Diffserv to IEEE 802.11 mappings (RFC 8325), traffic marked with DSCP value EF maps to User Priority 6 in QoS Control, in turn mapping to the high priority WMM AC_VO access category.

OK djm@

job@ modified src/usr.bin/ssh/*: Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords

Type of Service (ToS) was deprecated in the late nineties and replaced with the Differentiated Services architecture. Diffserv has significant advantages for operators because this mechanism offers more granularity.

OpenSSH switched its default IPQoS from ToS to DSCP values in 2018.

IPQoS configurations with 'lowdelay', 'reliability', or 'throughput' will be ignored and instead the system default QoS settings apply.
Additionally, a debug message is logged about the deprecation with a suggestion to use DSCP.

with/OK deraadt@ sthen@ djm@

I see TUI and Rust in the same sentence. I install.

**ssh-list** — SSH connection manager in your terminal.

Supports adding, editing, sorting connections with custom SSH options.

Written in Rust & built with @ratatui_rs

GitHub: https://github.com/akinoiro/ssh-list

Bonjour Bignole ! https://www.journalduhacker.net/s/1cbuvq/bonjour_bignole https://fiat-tux.fr/2025/07/16/bonjour-bignole/ #application #openssh

Tired of SSH keys living forever on your servers?

I wrote up a quick, practical guide on how to use OpenSSH Signing CA to create SSH keys that expire.

Perfect for homelabs, enterprise ops, and anyone who cares about tightening Linux access controls. Short-lived certificates Simplifies SSH key management Reduces risks from lost/stolen devices

Read here https://richard-sebos.github.io/sebostechnology/posts/OpenSSH-Cert-SSH-Keys/

When you have an ssh jumphost, the trivial setup is one that conflates OS access and application access.

The application is ssh, providing the jump to the privileged network, but ssh also allows OS access, potentially allowing privilege escalation within the jumphost.

Are people taking this seriously and e.g. running an unprivileged sshd inside a container? Access the OS over port 22 to the privileged sshd, restricting that to the segregated admin network, access the jumping over port 2222 and minimize the attack surface on the outer host?

#infosec #bastion #jumphost
#ssh #sshd #OpenSSH

I'm betting the answer here is "this isn't possible" but if anyone knows how to tell OpenSSH that when it's enumerating pubkeys it should check which of the two known authentication dongles is actually plugged into the computer, and only prompt me to unlock the SK key that belongs to that dongle, not both of them, please tell me how.

OpenSSH Config Tags How To

https://mrod.space/2023/09/04/using-tags-in-ssh-config

To be honest I did not know tags existed in #OpenSSH

TIL: According to the ssh_config man page, comments in ~/.ssh/config need to be on their own line. In other words,

Host foo # my awesome host

is not a valid comment.

The ssh command seems pretty relaxed about this, but other tools (e.g. Paramiko) are not necessarily.

https://github.com/paramiko/paramiko/issues/2111

Multiplexing will boost your SSH connectivity or speed by reusing existing TCP connections to a remote host. Here are commands that you can use to control multiplexing when using OpenSSH server or client on your Linux, macOS, FreeBSD or Unix-like systems. Not sure what SSH multiplexing is? Learn how to set it up and use it to speed up your SSH sessions with our handy guide: https://www.cyberciti.biz/faq/ssh-multiplexing-control-command-to-check-forward-list-cancel-stop-connections/

An unimportant remnant of the past has been removed from open SSH;
DSA.

Read about it in this article the next article linked will show you that it has been removed finally

#SSH #openSSH #DSA #programming #coding #OpenSource #openBSD #BSD #secureShell #Infosec

https://undeadly.org/cgi?action=article;sid=20240111105900

DSA signature support removed from OpenSSH https://www.undeadly.org/cgi?action=article;sid=20250507010932 #openbsd #openssh #ssh #dsa #dsaremoval #deadkeys #signature #deadciphers #security #networking #cryptography #crypto

Call for testing: Last bits of DSA to be removed from OpenSSH https://www.undeadly.org/cgi?action=article;sid=20250506054255 #openbsd #openssh #ssh #dsa #dsaremoval #crypto #cryptography #ciphers #security #networking #development #freesoftware #libresoftware

ssh: listener sockets relocated from /tmp to ~/.ssh/agent https://www.undeadly.org/cgi?action=article;sid=20250506044643 #openbsd #ssh #openssh #security #unveil #sshagent #snoopresistant #freesoftware #libresoftware