On 26/05/15 15.50, Daniel Kahn Gillmor wrote:
> The argument that the DNS lookup leaks this metadata is a bad argument:
> if we followed this line of reasoning, then every problem that has
> multiple contributors could never be solved (A says "but my fixing
> things is useless if B does nothing", while B says "but my fixing things
> is useless if A does nothing" -- a classic collective action problem).

That sort of excuse certainly exists out there. In fact that's the only reason anybody is still using IPv4. If people had put just a little bit more effort into long term solutions, we would all have been running IPv6 years ago. And in that case, we wouldn't be having this discussion, because there would be enough IP addresses that SNI would never have been invented.

This leads me to my next question. Would it be sensible to modify my patch to make it configurable with three options for when to send the hostname? The three options I would have in mind are: always, only on IPv4, and never.

>
> In practice, there is work done today to protect DNS queries as well
> (see the DNS Privacy working group in the IETF, the latest versions of
> libunbound and the getdns API, etc).

I haven't seen any of the work done in those areas. But considering how little traction DNSSEC has, I would imagine that DNS privacy initiatives would take decades to get any traction. If you have any pointers, I am very curious as to exactly how they intend to get any privacy into the DNS protocol.

>
> I think the ProxyCommand Kasper ended up describing (checking for v6
> connectivity or using a constrained HTTP CONNECT proxy) is an acceptable
> way to go for people in the particular scenario he's concerned about.

But it does not address all my requirements. I have a requirement that the hostname being used must be visible to the administrator of the SSH server. And it must be visible with minimal effort without requiring any software changes on the server.
Sending the hostname in clear from proxy to server would address that concern. But there are not many opportunities for a proxy to inject data into the data stream from client to server without breaking integrity checks on the packets. Assuming I could find a way to embed that information inside the stream from proxy to server, then there is nothing stopping me from embedding the information inside the connection from client to proxy as well. And it would certainly be desirable for me if the proxy did not have to modify the data in transit at all. So if I could write a ProxyCommand which would embed the hostname into the stream from client to proxy, then the proxy could simply pick out the hostname and pass the traffic unmodified to the server.

I carefully read the relevant RFCs in order to figure out which information is covered by integrity checks and which is not. I found a method which would work according to the RFC, but it turns out OpenSSH doesn't behave as specified by the RFC. One thing I found was RFC 4253 saying:

   An implementation MUST respond to all unrecognized messages with an
   SSH_MSG_UNIMPLEMENTED message in the order in which the messages were
   received. Such messages MUST be otherwise ignored. Later protocol
   versions may define other meanings for these message types.

However what I found OpenSSH to be doing was for every unrecognized message it would either ignore it and not send an SSH_MSG_UNIMPLEMENTED, or send an error and disconnect. Is it deliberate that OpenSSH doesn't do what RFC 4253 says MUST be done?

I am still pondering on whether there are other ways to get the hostname communicated across to the server without breaking the integrity of the connection.
-- 
Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
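The RFC 4253 behaviour quoted in the message above, as an added illustration that is not code from the thread or from OpenSSH: a toy receiver that frames packets per section 6 (assumed pre-NEWKEYS, so no encryption or MAC), keeps the per-direction uint32 sequence number, and answers each unrecognized message type with SSH_MSG_UNIMPLEMENTED carrying that packet's sequence number, in arrival order. The set of "known" message numbers is a constructed subset for the demonstration.

```python
"""Toy model of RFC 4253 section 11.4: unrecognized messages get
SSH_MSG_UNIMPLEMENTED (type 3) with the offending sequence number."""
import os
import struct

SSH_MSG_IGNORE = 2
SSH_MSG_UNIMPLEMENTED = 3
SSH_MSG_DEBUG = 4
SSH_MSG_KEXINIT = 20
# Constructed subset of message types this toy receiver "implements".
KNOWN_TYPES = {SSH_MSG_IGNORE, SSH_MSG_DEBUG, SSH_MSG_KEXINIT}


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Frame a payload as in RFC 4253 section 6 (no MAC, no encryption).
    packet_length + padding_length + payload + padding must be a multiple
    of block_size, with at least 4 bytes of random padding."""
    padding_len = block_size - ((5 + len(payload)) % block_size)
    if padding_len < 4:
        padding_len += block_size
    packet_len = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_len, padding_len) + payload + os.urandom(padding_len)


def parse_packet(stream: bytes) -> tuple[bytes, bytes]:
    """Split one framed packet off the front of the stream; return (payload, rest)."""
    packet_len, padding_len = struct.unpack(">IB", stream[:5])
    payload = stream[5:5 + packet_len - 1 - padding_len]
    return payload, stream[4 + packet_len:]


def handle_incoming(stream: bytes) -> list[bytes]:
    """Consume framed packets in order. Every packet, recognized or not,
    consumes one sequence number (section 6.4). Each unrecognized type yields
    an SSH_MSG_UNIMPLEMENTED payload naming that sequence number; the
    offending packet is otherwise ignored, as the RFC requires."""
    seq = 0
    responses = []
    while stream:
        payload, stream = parse_packet(stream)
        if payload[0] not in KNOWN_TYPES:
            responses.append(struct.pack(">BI", SSH_MSG_UNIMPLEMENTED, seq))
        seq = (seq + 1) & 0xFFFFFFFF  # uint32 wraps around
    return responses


if __name__ == "__main__":
    # Constructed stream: KEXINIT, unknown type 200, IGNORE, unknown type 201.
    wire = b"".join(build_packet(p) for p in
                    (bytes([SSH_MSG_KEXINIT]), bytes([200, 1, 2]),
                     bytes([SSH_MSG_IGNORE]) + b"\0\0\0\x02hi", bytes([201])))
    for r in handle_incoming(wire):
        print("SSH_MSG_UNIMPLEMENTED for seq", struct.unpack(">BI", r)[1])
```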