IETF-SSH archive


Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks



Niels Möller <nisse%lysator.liu.se@localhost> writes:

>In your use case, I take it the proxy should run on the same (embedded) host
>as the actual ssh server.

See my previous reply; there's no host in any conventional sense, it's just an
RTOS kernel that includes SSH as one of the compiled-in components.

However, the comments have helped to clarify the threat model and use cases.
In particular, there are two threat types:

1. The generic three-degree background radiation of non-targeted Internet
scanning and probing from off-path attackers.  Any pre-auth measure, for
example including a static non-public value in the client ID, will stop this.

2. More targeted attacks from on-path attackers, which require a challenge/
response to stop.

There are also several possible host types:

1. A conventional server, possibly behind a firewall.  Firewall rules and pre-
auth proxies, if available, can handle SSH access control.

2a. An embedded device that, for operational reasons or possibly just through
misconfiguration, needs to be exposed to the Internet.

2b. As above, but on a private network that's been penetrated by attackers who
are probing it for targets.  In other words the call is coming from inside the
house.

The pre-auth is targeting cases 2a and 2b.

If anyone has any more cases, feel free to add them.

Peter.
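As an added illustration of the two threat types above (example code written for this archive page, not Peter's proposal, cryptlib code, or any IETF draft), the following simulates both pre-auth gates: a static non-public value carried in the comments field of the RFC 4253 client identification string, and an HMAC-based challenge/response. The token, pre-shared key, banner strings and the function names are all assumptions constructed for the example; the point it shows is that the static value stops an off-path scanner but is trivially replayed by anyone who can observe the client's ID line, while the challenge/response survives that replay.

```python
import hashlib
import hmac
import os

# Hypothetical pre-shared values for this example only; a real deployment
# would provision them per device out of band.
STATIC_TOKEN = b"k7Qe9pXz"                   # static non-public value (threat type 1 gate)
PSK = b"example-device-preshared-key"        # key for the challenge/response gate (type 2)

MAX_ID_LEN = 255  # RFC 4253 section 4.2: identification string incl. CR LF


def build_client_id(software, comments=b""):
    """Build an RFC 4253 identification line 'SSH-2.0-software[ SP comments] CR LF'."""
    line = b"SSH-2.0-" + software
    if comments:
        line += b" " + comments
    line += b"\r\n"
    if len(line) > MAX_ID_LEN:
        raise ValueError("identification string too long")
    return line


def static_gate(client_id, token):
    """Threat type 1 gate: accept only if the comments field equals the token.

    Cheap and pre-auth, so it stops non-targeted scanning, but anything on
    the path that sees the client's ID line learns the token."""
    if not client_id.startswith(b"SSH-") or not client_id.endswith(b"\r\n"):
        return False
    body = client_id[:-2]
    _, sep, comments = body.partition(b" ")
    if not sep:
        return False
    return hmac.compare_digest(comments, token)


def new_challenge():
    """Fresh per-connection nonce; reusing nonces would reopen replay."""
    return os.urandom(16)


def client_response(psk, nonce):
    """Client side of the type 2 gate: HMAC-SHA256 over the server's nonce."""
    return hmac.new(psk, nonce, hashlib.sha256).digest()


def challenge_gate(psk, nonce, response):
    """Server side of the type 2 gate: constant-time check of the response."""
    return hmac.compare_digest(client_response(psk, nonce), response)


def scenario_static():
    """Return (legit_ok, offpath_ok, onpath_replay_ok) for the static gate."""
    legit = build_client_id(b"EmbeddedClient_1.0", STATIC_TOKEN)
    offpath = build_client_id(b"OpenSSH_9.6")      # constructed scanner banner, no token
    captured = bytes(legit)                         # on-path attacker's verbatim copy
    return (static_gate(legit, STATIC_TOKEN),
            static_gate(offpath, STATIC_TOKEN),
            static_gate(captured, STATIC_TOKEN))


def scenario_challenge():
    """Return (legit_ok, offpath_ok, onpath_replay_ok) for the challenge gate."""
    # Connection 1: legitimate client answers nonce n1; an on-path attacker records r1.
    n1 = new_challenge()
    r1 = client_response(PSK, n1)
    legit_ok = challenge_gate(PSK, n1, r1)
    # Connection 2: server issues a fresh nonce n2.
    n2 = new_challenge()
    offpath_ok = challenge_gate(PSK, n2, os.urandom(32))   # scanner guessing blind
    replay_ok = challenge_gate(PSK, n2, r1)                # replay of captured r1
    return legit_ok, offpath_ok, replay_ok


if __name__ == "__main__":
    print("static gate   (legit, off-path, on-path replay):", scenario_static())
    print("challenge gate(legit, off-path, on-path replay):", scenario_challenge())
```

The static gate is the cheapest thing an RTOS image can do before any key exchange, which is why it suffices for case 1; the challenge/response costs one extra round trip and a keyed hash but is what the on-path case actually needs, and only if the server never reuses a nonce.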



