Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks

To: Damien Miller <djm%mindrot.org@localhost>
Subject: Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Fri, 6 Jan 2023 12:12:00 +0000

Damien Miller <djm%mindrot.org@localhost> writes:

>fwiw OpenSSH handles lines from the server before the SSH-banner just fine:

Ah, yeah, I saw OpenSSH as a server rather than client so never checked that
one, but I would have expected it to get this bit right :-).

>The SSH banner line is a bit special in that its contents are guaranteed to
>be bound into the key exchange hash,

Yup, that was a major reason for using it for that.  Way too many IETF
protocols in the past have ignored channel binding and either had to kludge it
in afterwards or just left that aspect vulnerable, so having the non-SSH
preauth cryptographically bound into the SSH protocol itself is a design
feature. 

Peter.

Follow-Ups:
- Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
  - From: Damien Miller

References:
- An additional-auth mechanism for SSH to protect against scanning/probing attacks
  - From: Peter Gutmann
- Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
  - From: Peter Gutmann
- Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
  - From: Peter Gutmann
- Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
  - From: Jeffrey Hutzelman
- Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
  - From: Peter Gutmann
- Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
  - From: Peter Gutmann
- Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
  - From: Niels Möller
- Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
  - From: Peter Gutmann
- Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
  - From: Damien Miller

Prev by Date: Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
Next by Date: Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
Previous by Thread: Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
Next by Thread: Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks
Indexes:

Home | Main Index | Thread Index | Old Index