IETF-SSH archive


Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks



> Actually I've just checked the RFC since I wasn't sure the client
> could send additional lines and while it doesn't say it can't, it
> also doesn't say it can, only the server is mentioned:

>    The server MAY send other lines of data before sending the version
>    string.

Yes.  moussh's manpage includes

.It Fl pre-banner Ar string
This allows configuring
.Nm
to send text before the protocol banner.  (This is unequivocally
permitted for the server, but the standards are silent on whether the
client is permitted to do likewise. The consensus seems to be that it
either is or should be permitted.)

> [...] now I'm tempted to see what happens if I respond to connect
> attempts on port 22 with:

> 220 $servername ESMTP Chuckmail bent over and ready
> +OK POP3 server ready <abcd@$servername>
> OK IMAP/POP3 ready $servername
> 220 FTP Server $servername ready
> SSH-2.0-$server-$version

Should be amusing, if nothing else!

> Anyone ever tried this?

Not me.  I don't think I've ever used pre-banner text except when
testing to make sure the facility works.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
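Added example (not moussh's code, not part of the original message): both sides of the pre-banner rule from RFC 4253 section 4.2 that the thread is discussing. The server side refuses pre-banner lines that begin with "SSH-" and enforces the 255-byte limit on the identification string; the client side skips pre-banner lines and only then parses the "SSH-" line, so a greeting like the multi-protocol one sketched above is handled correctly. The line-length and line-count caps, the host name and the software version are constructed placeholders, not values from the RFC or from any real implementation.

```python
"""Pre-banner lines and the SSH identification string (RFC 4253, section 4.2).

Added example, not moussh's code.  A server MAY send lines of text before its
"SSH-protoversion-softwareversion" line; such lines MUST NOT begin with "SSH-"
and a client MUST be able to process (skip) them.  The caps below and the
sample greeting are constructed for this example.
"""
import io
import re

MAX_IDENT_LEN = 255          # RFC 4253: identification string incl. CRLF
MAX_PRE_BANNER_LEN = 4096    # assumption: cap on a single pre-banner line
MAX_PRE_BANNER_LINES = 64    # assumption: cap so a peer cannot stall a client forever

# protoversion and softwareversion: printable US-ASCII, no whitespace, no "-";
# optional comments follow a single space.
_VERSION_TOKEN = r"[\x21-\x2c\x2e-\x7e]+"
IDENT_RE = re.compile(rb"^SSH-(" + _VERSION_TOKEN.encode() + rb")-("
                      + _VERSION_TOKEN.encode() + rb")(?: (.*))?$")


class BannerError(Exception):
    """The peer sent something a client must not accept as an SSH greeting."""


def _read_line(stream, limit):
    raw = stream.readline(limit + 1)
    if not raw:
        raise BannerError("connection closed before the SSH identification string")
    if not raw.endswith(b"\n"):
        raise BannerError("line longer than %d bytes" % limit)
    return raw


def read_identification(stream):
    """Consume pre-banner lines from a binary stream and return (pre_banner, ident).

    pre_banner: the peer's extra lines with the line ending removed.
    ident: dict with protoversion, softwareversion and comments (str or None).
    """
    pre_banner = []
    for _ in range(MAX_PRE_BANNER_LINES + 1):
        raw = _read_line(stream, MAX_PRE_BANNER_LEN)
        # Tolerate a bare LF as well as CRLF (design choice, not an RFC requirement).
        line = raw[:-2] if raw.endswith(b"\r\n") else raw[:-1]
        if not line.startswith(b"SSH-"):
            pre_banner.append(line)      # a pre-banner line: MUST be skipped by the client
            continue
        if len(raw) > MAX_IDENT_LEN:
            raise BannerError("identification string exceeds %d bytes" % MAX_IDENT_LEN)
        m = IDENT_RE.match(line)
        if m is None:
            raise BannerError("malformed identification string: %r" % line)
        proto, software, comments = m.groups()
        return pre_banner, {
            "protoversion": proto.decode("ascii"),
            "softwareversion": software.decode("ascii"),
            "comments": comments.decode("utf-8", "replace") if comments is not None else None,
        }
    raise BannerError("more than %d pre-banner lines" % MAX_PRE_BANNER_LINES)


def parse_greeting(data):
    """Convenience wrapper: parse an already-received greeting given as bytes."""
    return read_identification(io.BytesIO(data))


def build_greeting(software_version, pre_banner_lines=(), comments=None):
    """Server side: optional pre-banner text followed by the identification string.

    Enforces the two rules the server owns: pre-banner lines MUST NOT begin
    with "SSH-", and the identification string must fit in 255 bytes with CRLF.
    """
    if not re.fullmatch(_VERSION_TOKEN, software_version):
        raise ValueError("softwareversion must be printable ASCII without space or '-'")
    out = bytearray()
    for text in pre_banner_lines:
        if text.startswith("SSH-"):
            raise ValueError("pre-banner line must not begin with 'SSH-': %r" % text)
        out += text.encode("utf-8") + b"\r\n"
    ident = "SSH-2.0-" + software_version + (" " + comments if comments else "")
    ident_bytes = ident.encode("utf-8") + b"\r\n"
    if len(ident_bytes) > MAX_IDENT_LEN:
        raise ValueError("identification string exceeds %d bytes" % MAX_IDENT_LEN)
    out += ident_bytes
    return bytes(out)


# Constructed sample modelled on the multi-protocol greeting floated in the thread;
# the host name and software version are placeholders.
SERVERNAME = "ssh.example.net"
SAMPLE_GREETING = build_greeting(
    "examplessh_1.0",
    pre_banner_lines=[
        "220 %s ESMTP Chuckmail bent over and ready" % SERVERNAME,
        "+OK POP3 server ready <abcd@%s>" % SERVERNAME,
        "OK IMAP/POP3 ready %s" % SERVERNAME,
        "220 FTP Server %s ready" % SERVERNAME,
    ],
)

if __name__ == "__main__":
    pre, ident = parse_greeting(SAMPLE_GREETING)
    print("skipped %d pre-banner line(s)" % len(pre))
    print("peer speaks SSH %s, software %s" % (ident["protoversion"], ident["softwareversion"]))
```

A client that simply reads the first line and expects "SSH-" at offset zero would fail against the constructed greeting above, which is exactly the interoperability point the RFC's "MUST be able to process such lines" makes; the caps on line length and line count are there so that a misbehaving peer cannot keep a client reading indefinitely.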


