IETF-SSH archive


Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks



Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost> writes:

>    It does this by adding a random challenge
>    in the Comment field of the server's SSH ID, with the client
>    responding with the response in the comment field of its SSH ID.  The
>    server challenge in the comment field is denoted with 'C=<challenge>'
>    and the client response with 'R=<response>'.  These MUST be the first
>    values in the Comment field, with any further entries that follow
>    separated by either a comma or a space.

I think you mentioned the possibility of instead adding magic lines
prior to the SSH- line, a line "Preauth-SSH: whatever". Is there some
reason that can't work?

I think that would make it possible to implement as a wrapper/proxy
thing where that makes sense, since it's less tied to the parsing that
is part of the SSH protocol. In particular, it seems desirable if you
could implement the client side of this mechanism using plain openssh
and "-o ProxyCommand=...", without touching the client's actual ssh
protocol implementation.

It would also make it a bit more extensible, since any other hack at
this place can define its own magic line, just using a different
(hopefully unique) prefix. Cooperating on using the comment string seems
more brittle.

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
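As an added illustration of the two framings discussed in this thread (not code from the thread or from any SSH implementation), the parser below accepts both: the quoted proposal's 'C=<challenge>' as the first entry of the identification string's comment field, and the "Preauth-SSH:" magic line sent before the SSH- line, which RFC 4253 already permits a client to skip. The prefix spelling, the sample banners and the software names are assumptions constructed for the example.

```python
import re

# RFC 4253 s4.2 identification string: "SSH-protoversion-softwareversion SP comments CR LF",
# at most 255 characters including CR LF.
ID_RE = re.compile(r'^SSH-(?P<proto>[^-\s]+)-(?P<soft>\S+)(?: (?P<comment>.*))?$')

def parse_id_line(line):
    """Split an identification line into (protoversion, softwareversion, comment).
    Returns None if the line is not a well-formed identification string."""
    if len(line) > 255:
        return None
    m = ID_RE.match(line.rstrip('\r\n'))
    if m is None:
        return None
    return m.group('proto'), m.group('soft'), m.group('comment') or ''

def comment_field_value(comment, key):
    """Quoted proposal: 'C=<challenge>' (server) or 'R=<response>' (client) MUST be
    the first comment entry; later entries are separated by a comma or a space.
    Returns the value, or None if the key is absent, empty, or not first."""
    first = re.split(r'[ ,]', comment, maxsplit=1)[0]
    if first.startswith(key + '=') and len(first) > len(key) + 1:
        return first[len(key) + 1:]
    return None

def preamble_value(lines, prefix='Preauth-SSH:'):
    """Niels's alternative: a magic line before the SSH- line. RFC 4253 lets the
    server send such lines and requires clients to skip them. The prefix spelling
    and the 'prefix SP value' layout are assumptions made for this example."""
    for line in lines:
        line = line.rstrip('\r\n')
        if line.startswith('SSH-'):
            break  # identification string reached; nothing after it is a preamble
        if line.startswith(prefix):
            return line[len(prefix):].strip() or None
    return None

def extract_challenge(lines):
    """Return the server challenge from whichever framing is present, else None."""
    value = preamble_value(lines)
    if value is not None:
        return value
    for line in lines:
        parsed = parse_id_line(line)
        if parsed is not None:
            return comment_field_value(parsed[2], 'C')
    return None

# Constructed sample server banners (not captured traffic).
COMMENT_STYLE = ['SSH-2.0-ExampleServer_1.0 C=3f9a1c,feature=x\r\n']
PREAMBLE_STYLE = ['Preauth-SSH: 7b2e40\r\n', 'SSH-2.0-ExampleServer_1.0\r\n']
```

A ProxyCommand wrapper in the spirit of Niels's suggestion would only need `preamble_value` on the server's first lines; the comment-field variant requires the wrapper to rewrite the identification string itself.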


