IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
Damien Miller <djm%mindrot.org@localhost> writes:
>fwiw OpenSSH handles lines from the server before the SSH-banner just fine:
Ah, yeah, I saw OpenSSH as a server rather than client so never checked that
one, but I would have expected it to get this bit right :-).
>The SSH banner line is a bit special in that its contents are guaranteed to
>be bound into the key exchange hash,
Yup, that was a major reason for using it for that. Way too many IETF
protocols in the past have ignored channel binding and either had to kludge it
in afterwards or just left that aspect vulnerable, so having the non-SSH
preauth cryptographically bound into the SSH protocol itself is a design
feature.
Peter.
Home |
Main Index |
Thread Index |
Old Index