Re: RFC 8305 Happy Eyeballs in OpenSSH

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



The never abort path won't work. Some SSH systems rely on 2FA/OTP, which
means that there isn't any particular thing that can be reused for the two
sessions (passwords/SSH keys).

Unless ssh wanted to offer a way to say "ohai, that's also me, here's
proof, I'm going now". Which, I think is probably what may be required. And
yes, that would essentially involve a server change, probably adding a
magical credential handler designed for this purpose which allows a token
issued within the past 5(?) minutes to be provided which results in logging
a "happy eyeballs successful connection; disconnect".

I'm sorry I haven't given an absolute answer on IPv6, I'm fairly confident
I'm right about the general problem, but enough of my systems don't support
IPv6 that I can't easily test this. I could probably pay AWS or GCE for two
disparate systems, but the time to set this up of fairly prohibitive.

This stuff does matter to me for a few reasons, I'd like to deploy more
IPv6, I've actually hit a number of rough edges involving happy eyeballs
(DNS stack handling of split horizon can result in some really terrible
outcomes -- especially for SSH, and especially with sshguard), and I
contribute to logwatch...

(I think I still have a big patch pending to OpenSSH...)

On Feb 27, 2018 3:18 PM, "Wolfgang S Rupprecht" <
wolfgang.rupprecht@xxxxxxxxx> wrote:

>
> >>> TL;DR: please try the patch out and report if it causes "Did not
> receive
> >>> identification string" log messages.  I believe it does not.
>
> Aw crap.  My homegrown anti-dos tool for ssh looks for either DNRIS or
> if logging is verbose enough a connection that didn't result in a
> login.  I give the attacker a few tries and whitelist any successful
> candidate so I should be ok, but things are getting a bit riskier.
>
> I'm a big fan of happy eyeballs in general so I hope there is some way
> to allow happy eyeballs and still stop bots from repeatedly knocking on
> the door wasting cpu time.  Simplest would be to never abort the extra
> happy eyeballs before actually logging in or the normal ssh connection
> timeout.  There may be other ways to accomplish the same thing.
>
> -wolfgang
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux