IETF-SSH archive


Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks



Niels Möller <nisse%lysator.liu.se@localhost> writes:

>I think you mentioned the possibility of instead adding magic lines prior to
>the SSH-line, a line "Preauth-SSH: whatever". Is there some reason that can't
>work?

An informal test of a few client-mode implementations found exactly one that
handled this correctly (hat tip to PuTTY), others wouldn't connect or ran into
crypto failures like incorrect keys, the latter presumably because they hashed
in the additional text lines or something.  So this seems very brittle,
alongside abusing what's mostly a historical artefact from ~25 years ago.  I
wasn't even 100% sure whether my own code handled it until I went and looked.

>Cooperating on using the comment string seems more brittle.

My thinking is that since it's the first time in ~25 years this has come up,
it's not likely to be a crowded market, and since the value is tagged if
someone does want to further add stuff they can just define their own tag.

As a general question, does anyone here use the comment capability?  Has
anyone ever seen the comment capability used by anything else?

Peter.
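As an added illustration, not code from this thread or from any implementation Peter tested: a small Python parser for the RFC 4253 identification exchange that skips lines before the "SSH-" line without feeding them into the exchange hash, and reads a tagged value from the comment field of the ident string. The tag name `preauth`, the sample server stream and the client ident string are constructed assumptions.

```python
import hashlib
import re

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(rb"^SSH-(?P<proto>[^-]+)-(?P<soft>\S+)(?: (?P<comments>.*))?$")


def split_ident_stream(data: bytes):
    """Return (lines before the ident string, ident string without CR LF).

    RFC 4253 4.2 allows a server to send other lines before its ident string;
    a client MUST ignore them, and they are NOT part of the exchange hash.
    """
    skipped = []
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            return skipped, line
        skipped.append(line)
    raise ValueError("no SSH- identification line found")


def ssh_string(s: bytes) -> bytes:
    """RFC 4251 'string' encoding: uint32 length followed by the bytes."""
    return len(s).to_bytes(4, "big") + s


def hash_prefix(v_c: bytes, v_s: bytes) -> str:
    """Hash over string(V_C) || string(V_S), the leading part of H in RFC 4253 8.
    Only the ident lines themselves, without CR LF, belong here."""
    return hashlib.sha256(ssh_string(v_c) + ssh_string(v_s)).hexdigest()


def comment_tag(ident: bytes, tag: bytes):
    """Value of a `tag=value` token in the comments field, or None if absent."""
    m = IDENT_RE.match(ident)
    if not m or m.group("comments") is None:
        return None
    for token in m.group("comments").split():
        key, sep, value = token.partition(b"=")
        if sep and key == tag:
            return value
    return None


# Constructed sample exchange (hypothetical; not captured from real software).
SERVER_STREAM = b"Preauth-SSH: whatever\r\nSSH-2.0-ExampleServer_1.0\r\n"
CLIENT_IDENT = b"SSH-2.0-ExampleClient_1.0 preauth=example-token"


def demo():
    skipped, v_s = split_ident_stream(SERVER_STREAM)
    correct = hash_prefix(CLIENT_IDENT, v_s)
    # A client that hashes everything it received would compute this instead,
    # and so derive different keys from its peer.
    naive = hash_prefix(CLIENT_IDENT, SERVER_STREAM.rstrip(b"\r\n"))
    return skipped, v_s, correct != naive, comment_tag(CLIENT_IDENT, b"preauth")
```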



