IETF-SSH archive


Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
>> Server: "SSH-2.0-softwareversion-challenge"
>> Client: "SSH-2.0-softwareversion-response"

> At first glance, this looked interesting, but now I'm not so sure.

> My most obvious use case is exposing the SSH port of a machine in my
> home, so that I can SSH back to my own computer when I'm out and
> about, without also opening up the whole surface of that SSH server
> for the Internet to hammer on [...]

> But then I thought: hang on, I don't really want to have to configure
> all my SSH clients _inside_ my house to know the shared secret for
> that server, do I?

No, but nothing says the server has to demand a correct response from
clients inside your house LAN.

But you make a good point.  Making it an external proxy loses you a
little bit, in that it means the ssh server doesn't see the actual peer
IP, and it requires an extra process at each end of the connection
(increasing latency and CPU load).  The former matters to me, but I am
probably an outlier in that respect (and see also below); the
latter...I'd have to think and/or test to determine whether that
matters to me, but, again, I am probably an outlier.  And they may be
fixable; see below.

But it gains you a tool that can be used for anything that runs over
just one TCP connection and doesn't care about the above potential
issues, a tool with a very small exposed attack surface.

> So I'm not really sure what's _gained_ by incorporating it into SSH
> proper.  To my way of thinking, all that does is remove the
> flexibility to deploy it conditionally.

It also removes the ability of the ssh server to report the peer IP in
its log entries.  That matters to me.  I'll have to think about whether
it would still matter to me with something like this deployed in front
of my ssh servers, and whether the costs of the additional process(es)
matter to me.

Actually, with a little hackery, I could work around all of the above
on the server side.  The client side would be more difficult.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
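The exchange the thread is discussing, as an added example that is not part of the original message and not code from any SSH implementation. It mocks both identification strings ("SSH-2.0-softwareversion-challenge" from the server, "SSH-2.0-softwareversion-response" from the client) and the server's decision before key exchange, including the point made above that peers on the house LAN need not present a correct response. The response construction (truncated HMAC-SHA256 of the per-connection challenge under a shared secret), the trusted-network list, the secret and the softwareversion "ExampleSSH_1.0" are all assumptions of this example; the thread only shows the banner shapes. One caveat for anyone prototyping this for real: RFC 4253 section 4.2 limits the identification line to 255 bytes including CR LF and forbids the minus sign inside softwareversion, so the fields here are kept short and the parser treats the trailing field as a challenge or response only when it looks like a hex string of the right length.

```python
"""Mock of a challenge/response SSH identification-string exchange.

Added example, not from the IETF-SSH thread.  The tag construction
(HMAC-SHA256 over the nonce, truncated) and all constants are assumptions.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional, Tuple

# Constructed demo values; a real deployment would load these from config.
SHARED_SECRET = b"demo-shared-secret-do-not-reuse"
SOFTWARE_VERSION = "ExampleSSH_1.0"                      # hypothetical name
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # "inside the house"
NONCE_LEN = 16   # bytes of challenge; hex-encoded on the wire
TAG_LEN = 16     # bytes of HMAC kept as the response
HEXDIGITS = set("0123456789abcdef")


def make_nonce() -> bytes:
    """Fresh per-connection challenge so a sniffed response cannot be replayed."""
    return secrets.token_bytes(NONCE_LEN)


def server_banner(nonce: bytes) -> str:
    """Server side: 'SSH-2.0-<softwareversion>-<challenge>' CR LF."""
    return f"SSH-2.0-{SOFTWARE_VERSION}-{nonce.hex()}\r\n"


def response_tag(secret: bytes, nonce: bytes) -> bytes:
    """Assumed response: truncated HMAC-SHA256(secret, challenge)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()[:TAG_LEN]


def parse_banner(line: str) -> Tuple[str, str, str]:
    """Return (protoversion, softwareversion, trailer) for an identification line.

    The trailer is the last '-'-separated field only when it is lowercase hex of
    challenge or response length; otherwise it stays in softwareversion and the
    trailer is ''.  A plain 'SSH-2.0-OpenSSH_9.0p1 Debian-5' therefore parses
    cleanly, with the optional comments after the first space dropped.
    """
    line = line.rstrip("\r\n")
    parts = line.split("-", 2)
    if parts[0] != "SSH" or len(parts) < 3:
        raise ValueError("not an SSH identification string")
    _, proto, rest = parts
    rest = rest.split(" ", 1)[0]                     # drop comments field
    sw, sep, trailer = rest.rpartition("-")
    if sep and len(trailer) in (2 * NONCE_LEN, 2 * TAG_LEN) and set(trailer) <= HEXDIGITS:
        return proto, sw, trailer
    return proto, rest, ""


def client_banner(server_line: str, secret: Optional[bytes]) -> str:
    """Client side.  Without a configured secret (a LAN client, or a scanner)
    it sends an ordinary banner and ignores any challenge."""
    if secret is None:
        return f"SSH-2.0-{SOFTWARE_VERSION}\r\n"
    _, _, challenge = parse_banner(server_line)
    if not challenge:                                # server did not challenge
        return f"SSH-2.0-{SOFTWARE_VERSION}\r\n"
    tag = response_tag(secret, bytes.fromhex(challenge))
    return f"SSH-2.0-{SOFTWARE_VERSION}-{tag.hex()}\r\n"


def server_accepts(peer_ip: str, nonce: bytes, client_line: str,
                   secret: bytes = SHARED_SECRET, trusted=TRUSTED_NETS) -> bool:
    """Decide, before key exchange, whether to keep talking to this peer.
    Peers inside a trusted network are exempt; everyone else must present the
    correct tag for this connection's challenge."""
    try:
        proto, _, trailer = parse_banner(client_line)
    except ValueError:
        return False
    if proto not in ("2.0", "1.99"):
        return False
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in net for net in trusted):
        return True
    if not trailer:
        return False
    # compare_digest is constant-time and returns False on a length mismatch.
    return hmac.compare_digest(bytes.fromhex(trailer), response_tag(secret, nonce))


def run_exchange(peer_ip: str, client_secret: Optional[bytes],
                 nonce: Optional[bytes] = None) -> dict:
    """Drive one full exchange and report both lines plus the server's verdict."""
    if nonce is None:
        nonce = make_nonce()
    s_line = server_banner(nonce)
    c_line = client_banner(s_line, client_secret)
    return {"server": s_line.strip(), "client": c_line.strip(),
            "accepted": server_accepts(peer_ip, nonce, c_line)}


if __name__ == "__main__":
    for ip, sec in [("192.168.1.20", None), ("203.0.113.9", SHARED_SECRET),
                    ("203.0.113.9", b"guess"), ("203.0.113.9", None)]:
        r = run_exchange(ip, sec)
        print(f"{ip:14} {'secret' if sec else 'no secret':10} -> "
              f"{'accept' if r['accepted'] else 'drop'}  {r['client']}")
```

The nonce is bound to the connection, so a response captured from one session is useless against the next; the constant-time compare avoids leaking how many tag bytes matched. Deploying the same check in a small proxy in front of sshd, as the message above considers, is the same logic with the peer-IP exemption and the logging question moved into the proxy.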