On 26/05/15 18.29, Daniel Kahn Gillmor wrote:
> On Tue 2015-05-26 17:42:40 -0400, Kasper Dupont wrote:
> > But it does not address all my requirements. I have a
> > requirement that the hostname being used must be visible
> > to the administrator of the SSH server. And it must be
> > visible with minimal effort without requiring any software
> > changes on the server.
>
> The patch you're sending is a software change :)

My requirements only said no software changes on the server. It was clear to me very early on, that some changes were needed on the client side. Whether the client side changes can be done as a ProxyCommand remains an open question. But it is certain that a modification of the ssh client would cover all my needs.

> > But there are not many opportunities for a proxy to inject
> > data into the data stream from client to server without
> > breaking integrity checks on the packets.
>
> no, the proxycommand has to wrap the ssh traffic in an outer-layer
> tunnel.

I need the proxy to communicate with an unmodified server. And I need this communication to include the hostname for the administrator of said server to see. Whether the administrator would have to look in a logfile or a packet capture in order to see the hostname is not important.

I believe that once I have an answer to how the proxy can communicate the hostname to the server, then everything else will follow.

> > I am still pondering on whether there are other ways to
> > get the hostname communicated across to the server without
> > breaking the integrity of the connection.
>
> If you're going to prevent passive attackers from sniffing it, it would
> have to be done after the key exchange, which would suggest that the
> proxy would need to know the secret key material for the session. That
> seems like a bad outcome either way.

None of my requirements say the hostname must remain hidden from a passive attacker.
So for me it only makes sense to first look for a solution which satisfies my requirements, and only once the requirements are satisfied look for ways to improve the solution to have other nice properties.

Sending the hostname after key exchange is impossible. The proxy needs to know which server to communicate with, that's the point of sending the hostname in the first place. That means key exchange can only start after the hostname has been sent to the proxy.

I don't yet know a way to achieve my desired result using just a ProxyCommand. But with the following change and a ProxyCommand, I believe I would be able to achieve what I am looking for.

diff -up openssh-6.6p1/sshconnect.c.original openssh-6.6p1/sshconnect.c
--- openssh-6.6p1/sshconnect.c.original	2015-05-23 11:56:55.235217137 +0200
+++ openssh-6.6p1/sshconnect.c	2015-05-27 01:14:02.563652677 +0200
@@ -560,6 +560,9 @@ ssh_exchange_identification(int timeout_
 	if (options.protocol == SSH_PROTO_2) {
 		enable_compat20();
 		send_client_banner(connection_out, 0);
+		packet_send_ignore(0);
+		packet_send();
+		packet_write_wait();
 		client_banner_sent = 1;
 	}

The question then is, would the security implications of adding these three lines be much worse than my original patch?

-- 
Kasper Dupont -- Real men write their own backup programs
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
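Review bot: the three added lines run unconditionally for every SSH-2-only connection, not just the ProxyCommand case the post is about, so every client built with this patch sends an extra unauthenticated, zero-length SSH_MSG_IGNORE straight after its banner, in the early-banner branch that `client_banner_sent = 1` records, before key exchange and before anything from the server has been looked at. Gate it on the proxy case (for example on `options.proxy_command != NULL`, or a new option) and put a comment above `packet_send_ignore(0);` saying that the empty ignore packet is a placeholder a ProxyCommand is expected to rewrite with the hostname; as the hunk stands a reader cannot tell why an empty SSH_MSG_IGNORE is sent at all, or why `packet_write_wait();` has to flush it before the rest of the exchange continues.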
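The other half of the scheme, the ProxyCommand that would rewrite the empty SSH_MSG_IGNORE into one carrying the hostname, as an added illustration that is not part of the original post, not Kasper's code and not OpenSSH's. It assumes the proxy is started as something like `ProxyCommand proxy.py %h` (name and invocation hypothetical) so it knows the hostname, and it works on a constructed in-memory copy of the client-to-server bytes instead of stdin so it runs offline. Packet framing follows RFC 4253 section 6; the example also shows what an administrator decoding a capture on the server side would get out of it.

```python
"""
Added illustration (not Kasper's code, not OpenSSH's): the ProxyCommand half of
the scheme in the post above.  An unmodified sshd discards SSH_MSG_IGNORE, and
packets before key exchange are neither encrypted nor MACed, so a proxy can
replace the empty SSH_MSG_IGNORE the patched client sends right after its banner
with one carrying the hostname the user typed.  Framing follows RFC 4253 sec. 6.
Assumed: the proxy is started as `ProxyCommand proxy.py %h` (hypothetical), so
it knows the hostname; the client->server bytes below are a constructed buffer
rather than stdin, so the example runs offline.
"""
import os
import struct

SSH_MSG_IGNORE = 2
SSH_MSG_KEXINIT = 20
BLOCK = 8  # cipher block size before SSH_MSG_NEWKEYS (RFC 4253 sec. 6)


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_packet(payload: bytes) -> bytes:
    """Frame payload as an unencrypted binary packet: total length a multiple of
    BLOCK, at least 4 bytes of random padding, no MAC yet."""
    pad = BLOCK - ((5 + len(payload)) % BLOCK)
    if pad < 4:
        pad += BLOCK
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)


def build_ignore_packet(data: bytes) -> bytes:
    """SSH_MSG_IGNORE with one string, the shape packet_send_ignore() produces."""
    return build_packet(bytes([SSH_MSG_IGNORE]) + ssh_string(data))


def split_packet(buf: bytes):
    """Return (payload, remaining bytes) for the first complete, well-formed
    pre-KEX packet in buf, or None if buf is short or malformed."""
    if len(buf) < 5:
        return None
    packet_length, pad = struct.unpack(">IB", buf[:5])
    total = 4 + packet_length
    if len(buf) < total or pad < 4 or pad >= packet_length or total % BLOCK:
        return None
    return buf[5:total - pad], buf[total:]


def msg_type(payload: bytes) -> int:
    """Message number of a payload, or -1 for an empty payload."""
    return payload[0] if payload else -1


def rewrite_client_stream(client_bytes: bytes, hostname: str) -> bytes:
    """Proxy side, client -> server direction.  Forward the identification string
    as is, replace the first SSH_MSG_IGNORE seen before SSH_MSG_KEXINIT with one
    carrying hostname, and pass everything from KEXINIT onwards through untouched
    (after NEWKEYS the MAC would catch any rewrite anyway)."""
    cut = client_bytes.index(b"\r\n") + 2
    out = bytearray(client_bytes[:cut])
    rest = client_bytes[cut:]
    done = False
    while True:
        parsed = split_packet(rest)
        if parsed is None or msg_type(parsed[0]) == SSH_MSG_KEXINIT:
            out += rest  # KEX starts (or data is incomplete): hands off from here
            return bytes(out)
        payload, after = parsed
        if not done and msg_type(payload) == SSH_MSG_IGNORE:
            out += build_ignore_packet(hostname.encode())
            done = True
        else:
            out += rest[:len(rest) - len(after)]
        rest = after


def hostnames_in_capture(stream: bytes) -> list:
    """Server administrator's side: decode the pre-KEX packets in a capture of the
    client -> server bytes and list the string in every SSH_MSG_IGNORE, which is
    where the hostname ends up after the rewrite above."""
    rest = stream[stream.index(b"\r\n") + 2:]
    found = []
    while (parsed := split_packet(rest)) is not None:
        payload, rest = parsed
        if msg_type(payload) == SSH_MSG_KEXINIT:
            break
        if msg_type(payload) == SSH_MSG_IGNORE:
            (n,) = struct.unpack(">I", payload[1:5])
            found.append(payload[5:5 + n].decode("utf-8", errors="replace"))
    return found


# Constructed sample of what the patched client emits: its banner, the empty
# SSH_MSG_IGNORE from packet_send_ignore(0), then a stand-in for SSH_MSG_KEXINIT.
SAMPLE_CLIENT = (
    b"SSH-2.0-OpenSSH_6.6\r\n"
    + build_ignore_packet(b"")
    + build_packet(bytes([SSH_MSG_KEXINIT]) + bytes(16) + b"kexinit-stand-in")
)

if __name__ == "__main__":
    rewritten = rewrite_client_stream(SAMPLE_CLIENT, "bastion.example.net")
    print("before proxy:", hostnames_in_capture(SAMPLE_CLIENT))   # ['']
    print("after proxy: ", hostnames_in_capture(rewritten))       # ['bastion.example.net']
```

A real ProxyCommand would run the same rewrite over its stdin before relaying to the server socket and copy the server-to-client direction through unchanged; the rewritten packet then shows up in a tcpdump on the server as the first binary packet after the client banner. The rewrite is only possible because pre-KEX packets carry no MAC, which is the same property that lets any on-path party alter or strip the hostname.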