Re: An additional-auth mechanism for SSH to protect against scanning/probing attacks

[Damien Miller <djm%mindrot.org@localhost>]

On Fri, 6 Jan 2023, Peter Gutmann wrote:

> Damien Miller <djm%mindrot.org@localhost> writes:
> 
> >fwiw OpenSSH handles lines from the server before the SSH-banner just fine:
> 
> Ah, yeah, I saw OpenSSH as a server rather than client so never checked that
> one, but I would have expected it to get this bit right :-).
> 
> >The SSH banner line is a bit special in that its contents are guaranteed to
> >be bound into the key exchange hash,
> 
> Yup, that was a major reason for using it for that.  Way too many IETF
> protocols in the past have ignored channel binding and either had to kludge it
> in afterwards or just left that aspect vulnerable, so having the non-SSH
> preauth cryptographically bound into the SSH protocol itself is a design
> feature. 

But why? This is by definition before key exchange. The draft says:

> It should stop attackers at the gate, preventing probing past the first
> message exchanged.

This is before key exchange even beings, let alone yields an exchange hash
that is verified or taken in to use.

I don't see any reason why it can't use the already-specified pre-banner
messages.

-d