How to accept only user identity keys of type ed25519 on OpenSSH Linux server?

I want to force all users to use only ed25519 type keys when logging in via SSH / SFTP to a Linux server which is running a recent version* of OpenSSH.

The reasons include:

In many cases, SSH keys have been completely overlooked in identity and access management planning, implementation, and audits. Users have been able to create and install keys without oversight and controls. This has led to violations of corporate access policies and dangerous backdoors.

Information security starts from controlling who is given access to systems and data. If there is no control over access, there is no security, no confidentiality, no integrity, and no guarantees of continued operation

Source: https://www.ssh.com/iam/ssh-key-management/

However, I do not wish to remove the ability for a user to manage their own SSH keys (including adding, removing, changing the keys). My only objective is to mandate that the key used is of type ed25519.

How can this be accomplished while maintaining the above user privileges and while maintaining this setting?

AuthorizedKeysFile  .ssh/authorized_keys 

The main (non-default) sshd_config settings I’m using on this server include:

The only host key enabled: HostKey /etc/ssh/ssh_host_ed25519_key  PermitRootLogin no PasswordAuthentication no ChallengeResponseAuthentication no UsePAM yes AuthorizedKeysFile  .ssh/authorized_keys KexAlgorithms curve25519-sha256@libssh.org MACs hmac-sha2-512-etm@openssh.com Ciphers chacha20-poly1305@openssh.com AllowUsers user@host ... 

However, with those settings a user can still select an older user identity key type and use it to log in. My only objective now is to stop a user from getting access except via an ed25519 user identity key. How?

*Actually running: OpenSSH_8.1p1, OpenSSL 1.1.1d

Could you anonymously upload a file on the internet if the threat model was the entire world trying to find your identity after you do so?

Thought experiment: You need to upload a file, and the threat model is the entire world trying to find out who you are after you do so.

I know this is absurd, but bear with me, it’s a thought experiment that I thought would be fun to have, where the scenario is the following:

You are a normal citizen, and you have a file (assume that you just have it, and the file doesn’t have metadata or information related to you) that is somehow so compromising that, if uploaded on the internet, the entire world would actively try to find out who you are. Everyone, military, every country’s agencies, civilians, that grandma going to the grocery store, yes, her too, to the best of her ability. People who run TOR relays too, everyone.

Your mission is to upload it on the internet without your identity being revealed. How would you go about it?

Update: File is in your pendrive, has a size of few MB, it’s ok if it just shows up eventually. No-one should really guess what country you might live in. We can think of the user as average-citizen, with average knowledge of technology, but can follow instructions (for example, setting up Tails). Assume that who had access to this information was not relevant, because no-one had access to this data before. We can invent an unrealistic scenario for this, for example, you have material that prove the existence of aliens or something.

Powershell: Is there a way to extract the Identity from a WSP file?

I want to automatically add and install some wsp files. To check if the file is already installed I (think I) need the identity of the solution that I am about to deploy. How can I extract the Identity of the solution out of the WSP file?

foreach ($  wspFIL in $  solutionsARY) {     $  fileNameSTR = $  filesDIR + $  wspFIL     $  identitySTR = getIdentityFromWsp fileNameSTR#... this is what I need      Add-SPSolution -LiteralPath  $  fileNameSTR     Install-SPSolution -Identity  $  identitySTR } 

Identity confirmation using PIN to decrypt previously issued token

I am building an app (for web and mobile) that requires a user pass two stages of authentication/authorisation in order to access a server-side API and subsequently use the app. First, they must supply valid credentials (username/password). Second, they must meet a series of variable criteria, for example the current time being within a defined range.

I am planning to implement this through the use of two tokens:

  • A long-term, randomly generated, opaque session token
  • A short-lived JWT authorisation token, with self-contained user and expiry data

On the client side, the presence of the session token would allow the user to skip re-entering their (hopefully long and complex) username/password. On the server side, a valid session token would be required to issue an authorisation token, and a valid authorisation token would be required to access the API.

While the goal of the session token is to simplify access (particularly on mobile devices) by removing the need to enter full username/password, I would prefer the user still re-confirm their identity before a new authorisation token is issued. A shorter numeric PIN (or potentially a fingerprint/face scan on supported devices) could allow this.

However, storing such a PIN along with the user’s other data on the server would require full management facilities, as with their password (“I forgot my PIN”). To avoid this overhead, I am thinking about the following approach.

On initial login (no known session token):

  • Ask for and submit username, password, and PIN.
  • If username/password are valid, generate the session token.
  • Encrypt the session token under a key derived from a server-known secret plus the submitted PIN.
  • Return the encrypted session token to the client.

On subsequent login (known session token):

  • Ask for PIN.
  • Submit PIN and encrypted session token.
  • Decrypt the session token, using the submitted PIN, and compare the result to that stored on the server.
  • If the decrypted session token matches a valid session, the user has confirmed their identity and an authorisation token can be issued.

In my mind, this allows a simple “identity confirmation” step with little overhead. The user can reset their PIN at any time simply by fully logging out and logging back in again, choosing a new PIN. And while the PIN is short and simple, it is combined with a server-known secret in order to derive the encryption key, so an offline brute-force of the encrypted session token should be extremely difficult. And server-side use of a slow key derivation function, rate limiting, and lockouts on failed attempts should mitigate online attacks on the PIN.

So my question is: is my thinking correct? Is this a secure way to achieve my goal?

SharePoint web application not using the good Trusted Identity Token Issuer

We have a SharePoint 2016 farm and 2 web applications. We have configured SSO through ADFS and created one SPTrustedIdentityTokenIssuer for one web app. Now, we want to have a second SPTrustedIdentityTokenIssuer for the second web app. We made the same configuration, changed the realm, added a new certificate, etc …

The issue is : – When we connect to a site on the second web app, it automatically sends the realm of the first identity token issuer, and we face this issue :

enter image description here

Now, if we change the default sign-in page on the web app, like this

enter image description here

We then are able to select between “Windows Authentication” and our second trusted identity token issuer. If we select it, the good realm is sent to ADFS and we can connect to the site.

Any idea about what’s going wrong ?

We could provide any additional information.

Thanks.

Identity Client Runtime Library (IDCRL) encountered an error while talking to the partner STS

I Installed the latest SharePoint Online Client Components SDK (http://www.microsoft.com/en-us/download/details.aspx?id=42038).

I created a web form application and referring the Microsoft.SharePoint.Client.dll and Microsoft.SharePoint.Client.Runtime.dll.

When i try to access sharepoint list sometimes it can works, but sometimes return me the error below: Identity Client Runtime Library (IDCRL) encountered an error while talking to the partner STS.

Does anyone know how to resolve the problem, thanks.