On Sun 2017-08-06 13:59:30 -0500, Erik Paulson wrote: > Daniel Gillmor at the time suggested that if this was to be done for > OpenSSH, using the VersionAddendum mechanism might be a good way to do it: > > https://lists.mindrot.org/pipermail/openssh-unix-dev/2013-November/031811.html > > This patch does that. > > For example, a user might want to do > ssh -oVersionAddendum=X-Host:realhost.site.com sharedIpAddr.site.com > > With the patch, someone who wanted to put in place a quick proxy running on > port 22 of sharedIpAddr.site.com that looked for a string like > X-Host:realhost.site.com > could then proxy the connection to realhost.site.com. > > The patch supports '%h' per Daniel's suggestion, so you can do: > ssh -oVersionAddendum=Host:%h server.example.net > > or just put VersionAddendum in your configuration file. > > The caveats that Daniel warned about in 2013 are still true - this may not > be something an admin wants to turn on by default so you're not leaking the > actual host you're connecting to over the unencrypted banner exchange > (though if you have a shared secret with the proxy you could encrypt the > host string). Also, because the banner strings are used as part of the key > exchange if the proxy sends something different than what the actual end > host sends key exchange will fail. for the record, i do *not* think this is a good idea to add to SSH. we've got a lot of work ahead of us in TLS to fix all the cleartext data that leaks in the handshake. SSH is actually doing the right thing here by *not* leaking data in the handshake, and it'd be a shame to see it backslide. Arguably, the version strings should be made even more generic to avoid leaking identifiable information. > SNI is my use case, but other use cases where having some additional > headers early in the protocol might be out there and this could be a way to > help prototype them. please, let's not add additional cleartext data in the ssh handshake. anonymous DH first, then pass whatever parameters you like. SSH is already doing this right, let's not go backward. --dkg
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
