Thema: SSH/SSL/VPN Tools...

[SiLæncer]

Changelog

Security bugfixes:

Fixed requesting client certificate when specified as a global option.

New features:

Certificate subject checks modified to accept certificates if at least one of the specified checks matches.

[close]

https://www.stunnel.org/index.html

[SiLæncer]

Changelog

ADD: Automatic saving of host key option
ADD: Powershell initialized from the Local Shell now includes tab auto-completion
ADD: Shortcut keys and Quick commands can be used during authentication
ADD: User data folder path can now be changed directly from within UI
ADD: Users have the option to delete previous data after data folder path has been changed
MOD: Option to prevent accidental hyperlink clicks (Mouse Click + Ctrl)
MOD: Terminal speed improvement when using the terminal highlight feature (Option)
FIX: Auto completion for SFTP sessions not functioning
FIX: Blue screen when closing Xshell
FIX: Crash when using an incorrect type of WaitForStrings
FIX: ESC key unable to initialize multiple lines of the command prompt
FIX: Edits made to the Quick Command pane of one window not applied to another
FIX: Exit button not functioning in a tabless window
FIX: Focus issue when selecting multiple sessions in the Session Manager
FIX: Hidden scrollbar appears in Full screen mode
FIX: Local shell unable to handle paths with spaces
FIX: Mouse scrolling functioning abnormally in newer Vim mouse modes
FIX: Not visible tabs able to obtain focus in Full Screen Mode
FIX: Password authentication not cycling to other auth types when using terminal based authentication
FIX: Shift+Home key not functioning in the Compose Pane
FIX: Tab limitation option remains checked when free licenses are migrated to a paid license
FIX: Terminal characters displaying incorrectly after returning from the Local Shell
FIX: Terminal print resource cleanup
FIX: Unable to designate Baud Rate when editing multiple sessions
FIX: Unable to handle URLs with '+' characters when executing from the command line
FIX: Unintended hyperlink handling
FIX: WaitForStrings not functioning with Unicode characters

[close]

http://www.netsarang.com/products/xsh_overview.html

[SiLæncer]

Changelog

ADD: Return value of xsh.Dialog.Prompt when Cancel is pressed (More...)
FIX: Certain menus opening incorrect Help pages
FIX: Crash after running Xshell after a Windows 10 update
FIX: Log and temp folders not changing after user changes user data folder
FIX: Mistakenly able to open folder properties from the Session Manager
FIX: Shift + direction keys in the Compose Pane incorrectly applied to the terminal
FIX: The heigh of the Compose Pane and Quick Command Pane changes automatically
FIX: When editing multiple sessions with different Ignore Bell settings, the changes are not saved
FIX: xsh.Screen.Send function related to certain language strings not functioning
FIX: Resource cleanup

[close]

http://www.netsarang.com/products/xsh_overview.html

[SiLæncer]

WinSSHTerm helps you to be more productive. Using keyboard shortcuts and intelligent navigation tools allows you to quickly switch between or start new SSH sessions even if you have to manage many systems. It has built-in support for copying files and running X applications. The terminal colors are carefully selected to minimize the stress for your eyes. WinSSHTerm is easy to use, lightweight and stable.

Freeware

Whats new:>>

Bug fix: By default, if both password and private key were configured for a connection, the password would be treated as the private key's passphrase when starting WinSCP with Copy Files.
Added an option to use the password as passphrase for WinSCP under File->Preferences->Copy Files (which was the default behaviour in versions < 2.2.7)

http://winsshterm.blogspot.com/

[SiLæncer]

Whats new:>>

Improved find feature in the connection window
Added a button to trigger "Copy Files" in the search window

http://winsshterm.blogspot.com/

[SiLæncer]

Connect to various devices or servers in your network by turning to this lightweight software solution that lets you manage several sessions.

Freeware

https://www.solarwinds.com/free-tools/solar-putty

[SiLæncer]

Whats new:>>

Bug fix: Find feature in the connection window now correctly finds all matching results
Connections in menu bar: added menu item "Refresh" for better performance (the refresh action was previously done every time the menu item "Cons" was clicked)
Search window: minor improvements

http://winsshterm.blogspot.com/

[SiLæncer]

Changelog

Bitvise SSH Server, SSH Client, and FlowSsh previously did not implement strict size limits or sanitization of content before displaying or logging strings received from a remote party. Much stricter size limits and sanitization are now implemented.

Bitvise SSH Server, SSH Client, and FlowSsh now report the size of the Diffie Hellman group actually used in DH key exchange. This is useful with key exchange methods that use DH group exchange, where there was previously no straightforward way to know what size group was used.

Importing an empty public key file would cause the SSH Client's Host key manager to hang indefinitely. Fixed.

When loading an SSH Client profile, the SSH Client's Remote Desktop tab failed to update the Remote Desktop width and/or height if the new value was 0 (the default value). Fixed.

[close]

www.bitvise.com

[SiLæncer]

Changelog

 Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]

  *) Client DoS due to large DH parameter

     During key agreement in a TLS handshake using a DH(E) based ciphersuite a
     malicious server can send a very large prime value to the client. This will
     cause the client to spend an unreasonably long period of time generating a
     key for this prime resulting in a hang until the client has finished. This
     could be exploited in a Denial Of Service attack.

     This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
     (CVE-2018-0732)
     [Guido Vranken]

  *) Cache timing vulnerability in RSA Key Generation

     The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
     a cache timing side channel attack. An attacker with sufficient access to
     mount cache timing attacks during the RSA key generation process could
     recover the private key.

     This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
     Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
     (CVE-2018-0737)
     [Billy Brumley]

  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.
     [Richard Levitte]

  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
     [Kurt Roeckx]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

  *) Certificate time validation (X509_cmp_time) enforces stricter
     compliance with RFC 5280. Fractional seconds and timezone offsets
     are no longer allowed.
     [Emilia Käsper]

  *) Fixed a text canonicalisation bug in CMS

     Where a CMS detached signature is used with text content the text goes
     through a canonicalisation process first prior to signing or verifying a
     signature. This process strips trailing space at the end of lines, converts
     line terminators to CRLF and removes additional trailing line terminators
     at the end of a file. A bug in the canonicalisation process meant that
     some characters, such as form-feed, were incorrectly treated as whitespace
     and removed. This is contrary to the specification (RFC5485). This fix
     could mean that detached text data signed with an earlier version of
     OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
     signed with a fixed OpenSSL may fail to verify with an earlier version of
     OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
     and use the "-binary" flag (for the "cms" command line application) or set
     the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
     [Matt Caswell]

[close]

http://www.openssl.org/

[SiLæncer]

Verschiedene Software und Geräte mit OpenSSH sind verwundbar. Die Schwachstelle gilt aber nicht als kritisch.

In dem 1999 erschienen Fernzugriffs- und Dateiübertragungstool OpenSSH klafft seit Anbeginn eine Sicherheitslücke (CVE-2018-15473), die Sicherheitsforscher von Qualys nun entdeckt haben. Mittlerweile haben die Entwickler die Schwachstelle in den Versionen 1:6.7p1-1, 1:7.7p1-1 und 1:7.7p1-4 geschlossen, berichtet Qualys in einer Mailingliste.

OpenSSH ist weit verbreitet und kommt auf beispielsweise unzähligen Hosting-Servern und IoT-Geräten zum Einsatz. Flächendeckende Updates sind utopisch. Glücklicherweise gilt die Lücke nicht als kritisch. Verschiedener Proof-of-Concept-Code ist bereits im Umlauf. Ist eine Update-Installation nicht möglich, kann man alternativ die Public-Key-Authentication-Methode abschalten.

Auswirkungen

Durch das Ausnutzen der Lücke kann ein Angreifer aus der Ferne gültige Nutzernamen erraten. Dafür muss er lediglich präparierte Pakete an die verwundbare Public-Key-Authentication-Methode schicken. Existiert ein abgefragter Nutzer nicht, erhält der Angreifer eine Fehlermeldung. Gibt es den Account, schließt ein anfälliger OpenSSH-Server die Verbindung.

Mit gültigen Nutzernamen ausgerüstet könnte ein Angreifer versuchen, Passwörter via Brute-Force-Attacken zu erraten, um sich so Zugang zu verschaffen.

Quelle : www.heise.de

[SiLæncer]

Changelog

OpenSSH 7.8 was released on 2018-08-24. It is available from the
mirrors listed at https://www.openssh.com/.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh-keygen(1): write OpenSSH format private keys by default
   instead of using OpenSSL's PEM format. The OpenSSH format,
   supported in OpenSSH releases since 2014 and described in the
   PROTOCOL.key file in the source distribution, offers substantially
   better protection against offline password guessing and supports
   key comments in private keys. If necessary, it is possible to write
   old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments
   when generating or updating a key.

 * sshd(8): remove internal support for S/Key multiple factor
   authentication. S/Key may still be used via PAM or BSD auth.

 * ssh(1): remove vestigal support for running ssh(1) as setuid. This
   used to be required for hostbased authentication and the (long
   gone) rhosts-style authentication, but has not been necessary for
   a long time. Attempting to execute ssh as a setuid binary, or with
   uid != effective uid will now yield a fatal error at runtime.

 * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar
   HostbasedAcceptedKeyTypes options have changed. These now specify
   signature algorithms that are accepted for their respective
   authentication mechanism, where previously they specified accepted
   key types. This distinction matters when using the RSA/SHA2
   signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their
   certificate counterparts. Configurations that override these
   options but omit these algorithm names may cause unexpected
   authentication failures (no action is required for configurations
   that accept the default for these options).

 * sshd(8): the precedence of session environment variables has
   changed. ~/.ssh/environment and environment="..." options in
   authorized_keys files can no longer override SSH_* variables set
   implicitly by sshd.

 * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed.
   They will now use DSCP AF21 for interactive traffic and CS1 for
   bulk.  For a detailed rationale, please see the commit message:
   https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284

[close]

https://www.openssh.com

[SiLæncer]

mRemoteNG is a fork of mRemote: an open source, tabbed, multi-protocol, remote connections manager. mRemoteNG adds bug fixes and new features to mRemote.

It allows you to view all of your remote connections in a simple yet powerful tabbed interface.

mRemoteNG supports the following protocols:

    RDP (Remote Desktop/Terminal Server)
    VNC (Virtual Network Computing)
    ICA (Citrix Independent Computing Architecture)
    SSH (Secure Shell)
    Telnet (TELecommunication NETwork)
    HTTP/HTTPS (Hypertext Transfer Protocol)
    rlogin (Remote Login)
    Raw Socket Connections

License: GPLv2

Changelog

Fixes:

#1088: Delete and Launch buttons are not disabled when last external tool deleted
#1087: 'Save connections after every edit' setting not honored
#1082: Connections not given GUID if Id is empty in connection xml

[close]

https://mremoteng.org/

[SiLæncer]

Changelog

New features:

Performance optimizations.
Logging of negotiated or resumed TLS session IDs (thx to ANSSI - National Cybersecurity Agency of France).
Merged Debian 10-enabled.patch and 11-killproc.patch (thx to Peter Pentchev).
OpenSSL DLLs updated to version 1.0.2p.
PKCS#11 engine DLL updated to version 0.4.9.

Bugfixes:

Fixed a crash in the session persistence implementation.
Fixed syslog identifier after configuration file reload.
Fixed non-interactive "make check" invocations.
Fixed reloading syslog configuration.
stunnel.pem created with SHA-256 instead of SHA-1.
SHA-256 "make check" certificates.

[close]

https://www.stunnel.org/index.html

[SiLæncer]

SSLCertStoreViewer is the free Tool to view all the installed SSL certificates from your local system store.

Currently it can automatically scan and display Certificates from following type of stores,

    CA Certificate Store
    Private Certificate Store
    Root Certificate Store
    Software Publisher Certificate Store


For each discovered SSL certificate it displays following information

    Certificate Store
    Certificate Subject Name
    Certificate Issuer Name
    Issue Date
    Expiry Date

It also checks if any of the certificate is expired. If so then it will be displayed in RED color.

Freeware

Whats new:>>

Major 2018 version with improved SSL Certificate store features

https://securityxploded.com/ssl-certificate-store-viewer.php

[SiLæncer]

   SSL Cert Downloader is a free command-line tool to grab SSL certificate from server remotely.

It can be used to download certificate from any of the SSL enabled services including

    HTTPS (443)
    LDAPS (636)
    SMTPS (465)
    POPS (995)
    IMAPS (993)

You can either specify IP address or host name of the server. Also you can enter any custom port which makes it useful when SSL service is running on non-standard port.

Once the certificate is downloaded from the server it will be saved to the specified file. Later you can just double click on the saved file to view the SSL certificate.

It is very easy to use and being a command-line tool makes it easy for automation through scripting.

It is fully portable and works on all platforms starting from Windows XP to Windows 10 version.

Whats new:>>

Major 2018 release with improved & faster SSL Certificate downloading features

https://securityxploded.com/ssl-certificate-downloader.php