On Wed, Jul 03, 2024 at 07:18:33PM +0000, Manon Goo <manon.goo@xxxxxxxx> wrote:

> Dear OpenSSH developers,
>
> Thanks a lot for your work on OpenSSH. We use it a lot and it is very
> helpful for our daily work. Would it be possible to have a lockdown
> option as a workaround in case of a remotely exploitable problem in
> ssh. This may help react to compromised keys/passwords, configuration
> issues, software bugs or other problems for example when Debian broke
> ssh.
>
> [...]
> Kind Regards,
> Manon

Something that might help you is my sshdo program
(github.com/raforg/sshdo). It mitigates private key compromise
but only for cases where ssh is used to remotely execute an
arbitrary fixed set of commands (e.g. scripted tasks or cronjobs).
It doesn't help for interactive ssh use.

It gets used as a forced command and it can automatically learn
what commands are needed and then only allow those commands. It
can also unlearn commands that are no longer in use. It's very
easy to use and prevents ssh being used for any command that has
not previously been allowed.

cheers,
raf
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
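
The forced-command allowlisting described in the reply above, as an added example that is not part of the original message and is not sshdo's code. The script name, the three file paths and the learning-flag mechanism are assumptions made for illustration; `SSH_ORIGINAL_COMMAND` and the `restrict` and `command=` key options are standard OpenSSH.

```python
#!/usr/bin/env python3
# Added example: a forced-command allowlist wrapper. Not sshdo's implementation.
# Assumed authorized_keys entry (script path and key are placeholders):
#   restrict,command="/usr/local/bin/allowcmd.py" ssh-ed25519 AAAA... backup@host
import os
import sys

ALLOWLIST = "/etc/allowcmd/allowed"        # hypothetical: one command per line
CANDIDATES = "/var/log/allowcmd/seen"      # hypothetical: learned, awaiting review
LEARN_FLAG = "/etc/allowcmd/learning"      # hypothetical: root creates it to learn

def load_allowlist(path):
    """Return the set of allowed command lines; a missing file allows nothing."""
    try:
        with open(path, encoding="utf-8") as fh:
            lines = (ln.rstrip("\n") for ln in fh)
            return {ln for ln in lines if ln.strip() and not ln.startswith("#")}
    except FileNotFoundError:
        return set()

def decide(command, allowed, learning=False):
    """Classify the client's requested command as 'allow', 'learn' or 'deny'."""
    if not command:
        return "deny"        # no command means an interactive login was requested
    if "\n" in command or "\r" in command:
        return "deny"        # cannot be represented in the line-based allowlist
    if command in allowed:
        return "allow"       # whole-string match only, never prefix or pattern
    return "learn" if learning else "deny"

def main():
    command = os.environ.get("SSH_ORIGINAL_COMMAND")  # set by sshd for the session
    verdict = decide(command, load_allowlist(ALLOWLIST), os.path.exists(LEARN_FLAG))
    if verdict == "deny":
        print("command not allowed", file=sys.stderr)
        return 1
    if verdict == "learn":
        with open(CANDIDATES, "a", encoding="utf-8") as fh:
            fh.write(command + "\n")   # an operator promotes entries to ALLOWLIST
    os.execv("/bin/sh", ["sh", "-c", command])  # replaces this process; no return

if __name__ == "__main__":
    sys.exit(main())
```

Because the match is on the entire command string, a stolen key can only replay commands already on the list; the learning flag should exist only for a bounded window, since every command is run while it is present.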