If you forget to review /etc/ssh/sshd_config, you get this in journalctl if you have specified your own MACs for instance when hardening according to [WayBack including rimemd160] Secure Secure Shell:
+Jeroen Wiert Pluimers OK. Let’s look a bit at how this works. There are several competing standards/ways to use a security token. Typically you’ll decide between the two most used ones. As a CCID device AKA SmartCard with OpenSC or using gpg-agent. And that’s an either/or question. Some of the security tokens can only work with gpg-agent, some can do both (but not at the same time) and some are only useful as CCID style (e.g. the Nitrokey HSM).
OK. So now we look at platforms. CCID using OpenSC mostly works everywhere, but you might need to install some additional software depending on your OS. Older versions of MacOS X were notoriously bad, since (High) Sierra it has become better.
On Linux it again really depends. The gnome-keyring-agent that is active in a Gnome session really messes everything up, so better deactivate that. Which is not really trivial. But you have to have a socket for ssh-agent to pick up the key, so some stuff goes to your .bash.rc and you have to make some changes to Gnome config.
If you want to use a Yubikey for 2FA, note that it cannot do TOTP (Time based One Time Password) which Amazon wants for AWS auth. So you need another helper app on your computer.
I wish I had bumped into this when it got released in 2015: [WayBack] badssl.com hosted in the cloud and maintained by two people from Google and Mozilla.
Where ssllabs.com is for checking server-side certificates, this one is for checking clients against many, many (did I already write MANY?) server side configurations both good (with a varying set of security settings like cyphers and key exchanges) and bad.
One of the bad ones is expired.badssl.com which your clients should not be able to connect to without throwing a big error.
badssl.com is meant for manual testing of security UI in web clients.
Most subdomains are likely to have stable functionality, but anything could change without notice. If you would like a documented guarantee for a particular use case, please file an issue. (Alternatively, you could make a fork and host your own copy.)
badssl.com is not an official Google product. It is offered “AS-IS” and without any warranties.
As of 20170711, the servername ftp.xs4all.nl does not support the ftp protocol any more; xs4all clients can only use the server sftp.xs4all.nl on port 22.
I missed that because I hardly use ftp except for the few rare occasions where I was in an environment without ftp.
So recently I found out: good move!
Since I still need this every now and then (but far less often than 10 years ago), I have set up a very small ftp server at home with limited storage and very limited users that I can turn on/off when needed.
If you ever ssh into something and immediately get the immediate Too many authentication failures message, then you’ve probably mixed your authentication methods.
Video via +Kristian Köhntopp “Die 90er haben angerufen und wollen ihre Amiga Videos und ihre Corba Specs zurück haben.” (the 90s called wanting their Amiga Videos and Corba Specs back)
The Wiert Corner - irregular stream of stuff 