Cleartext pre-authentication before going to secure mode.

Tomi Ollila Tomi.Ollila at sonera.com
Tue Sep 12 22:49:15 EST 2000


Hi


This is a feature request.

1) Make sshd ignore garbage that may appear before the ssh identification
   string is received. Such "garbage" may be, for example, telnet negotiation
   codes. This should be a pretty easy task.

2) Make ssh work in cleartext mode (and have minimal telnet negotiation
   handling) before it receives the ssh identification string. This requires
   somewhat more complex work.

This way one could, for example, pass a firewall authentication sequence before
the connection is passed to the ssh server on the other end -- obviously,
firewalls cannot intercept secure communication in order to do that.


For the time being, such a feature can be had with my tt4ssh "wrappers", which
I've just completed. The software (BSD licensed) is available at
http://www.iki.fi/too/sw/releases/tt4ssh10.tar.gz and it has the following
programs:

tt4sshd -- listens on a port (given on the command line); when a connection
arrives, it waits 1/2 sec, reads any "garbage" received, and then execs ssh
with option `-i' to handle the rest of the traffic. The 1/2 sec wait is just
an arbitrary time... The port usually used is the telnet (23) port (???)

tt4ssh -- connects to the remote host (default port 23, can be changed) and
handles minimal telnet negotiation (switching between line/character mode).
When tt4ssh receives the beginning of the SSH ident string `SSH-', it launches
`ssh 127.0.0.1 -p <port listened on by tt4ssh> [rest of tt4ssh args]' and
relays data between the network and this local port.

This system works quite well for me -- I can pass a firewall which does
authentication on the telnet port, and then use ssh for communication with
my peer machine. The only problem is that when ssh connects to localhost,
it cannot check whether the other end is already known...

A "textshot" of my login sequence through FW-1 with SecurID
authentication:

home$ ./tt4ssh 192.168.16.6
CLEARTEXT>
CLEARTEXT> 
CLEARTEXT>                     Company Corporate Network
CLEARTEXT>
CLEARTEXT>
CLEARTEXT> Check Point FireWall-1 authenticated Telnet server running on FW
CLEARTEXT>
CLEARTEXT> User: unski
CLEARTEXT> PASSCODE: **********
CLEARTEXT> User unski authenticated by SecurID
CLEARTEXT>
CLEARTEXT> Connected to 192.168.16.6
*** Launching `ssh 127.0.0.1 -p 22222'
unski at 127.0.0.1's password:
Last login: Mon Sep 11 10:35:26 2000 from fw.company.com
work$


Tomi Ollila
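Added example (editor's illustration, not code from the post above or from tt4ssh): a stateful filter that models the two halves of the request. The `TelnetPreauthFilter` class does what tt4ssh does on the client side between connect and the ident string: it refuses every telnet option the peer negotiates, hides IAC sequences from the user, and, the moment a line beginning with `SSH-` shows up, switches to SSH mode and hands every byte from the ident onward to ssh untouched (including a partial `SS`/`H-` split across two reads, and an IAC that arrives at the end of one read). `strip_pre_ident_garbage` is the sshd-side check from request (1). The class name, function name and the sample chunks are constructed for this example; the sample traffic imitates the textshot and is not a capture.

```python
# Added example, not code from Tomi Ollila's post or from tt4ssh: a stateful
# filter modelling what tt4ssh does between connect and the SSH ident string,
# plus the sshd-side check from feature request (1). Sample traffic in
# main() is constructed, not captured.

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
SSH_IDENT_PREFIX = b"SSH-"


class TelnetPreauthFilter:
    """Filter bytes from a telnet-port connection until the SSH ident appears.

    Telnet option negotiation is refused (the minimum handling needed so the
    peer stops asking), IAC sequences are hidden from the user, and once a
    line beginning with 'SSH-' arrives the filter switches to SSH mode and
    stops interpreting bytes: from then on everything belongs to ssh.
    """

    def __init__(self):
        self.ssh_mode = False
        self.pending = b""        # incomplete IAC sequence split across reads
        self.line = bytearray()   # held-back bytes that may still become 'SSH-'
        self.candidate = True     # at a line start, so an ident could begin here

    def feed(self, data):
        """Return (cleartext, replies, ssh_bytes) for one chunk of peer data."""
        if self.ssh_mode:
            return b"", b"", bytes(data)
        data = self.pending + bytes(data)
        self.pending = b""
        cleartext, replies = bytearray(), bytearray()
        i = 0
        while i < len(data):
            b = data[i]
            if b == IAC:
                if i + 1 >= len(data):       # IAC with no command byte yet
                    self.pending = data[i:]
                    break
                cmd = data[i + 1]
                if cmd in (DO, DONT, WILL, WONT):
                    if i + 2 >= len(data):   # option byte not here yet
                        self.pending = data[i:]
                        break
                    opt = data[i + 2]
                    if cmd == DO:            # peer wants us to enable an option
                        replies += bytes([IAC, WONT, opt])
                    elif cmd == WILL:        # peer offers to enable an option
                        replies += bytes([IAC, DONT, opt])
                    i += 3                   # DONT/WONT need no answer
                    continue
                if cmd == SB:                # subnegotiation: skip through IAC SE
                    end = data.find(bytes([IAC, SE]), i + 2)
                    if end < 0:
                        self.pending = data[i:]
                        break
                    i = end + 2
                    continue
                if cmd != IAC:               # NOP, GA and friends: drop
                    i += 2
                    continue
                i += 2                       # IAC IAC: a literal 0xff data byte
            else:
                i += 1
            # b is now a plain data byte.
            if self.candidate:
                self.line.append(b)
                if self.line == SSH_IDENT_PREFIX[:len(self.line)]:
                    if len(self.line) == len(SSH_IDENT_PREFIX):
                        self.ssh_mode = True   # hand everything from here to ssh
                        return bytes(cleartext), bytes(replies), bytes(self.line) + data[i:]
                    continue                 # still a possible ident: hold it back
                cleartext += self.line       # not an ident line: release it
                self.line = bytearray()
                self.candidate = False
            else:
                cleartext.append(b)
            if b == 0x0A:                    # newline: the next byte starts a line
                self.candidate = True
        return bytes(cleartext), bytes(replies), b""


def strip_pre_ident_garbage(data):
    """sshd side of request (1): drop whatever precedes the ident line.

    Returns the stream from 'SSH-' onward, or None if no ident line is present.
    """
    data = bytes(data)
    if data.startswith(SSH_IDENT_PREFIX):
        return data
    idx = data.find(b"\n" + SSH_IDENT_PREFIX)
    return None if idx < 0 else data[idx + 1:]


if __name__ == "__main__":
    # Constructed chunks in the spirit of the post's textshot (not a capture).
    chunks = [b"\xff\xfd\x18\xff\xfb\x01\r\nCompany Corporate Network\r\nUser: ",
              b"unski\r\nConnected to 192.168.16.6\r\nSS",
              b"H-1.99-OpenSSH_2.2.0p1\r\n"]
    f = TelnetPreauthFilter()
    for chunk in chunks:
        cleartext, replies, ssh = f.feed(chunk)
        for line in cleartext.decode("latin-1").splitlines():
            print("CLEARTEXT>", line)
        if ssh:
            print("*** would launch ssh now; SSH bytes so far:", ssh)
```

Running this with such a filter in front of ssh today, OpenSSH's `ProxyCommand` option lets the filter hand the stream to ssh over stdin/stdout instead of a local port, and `HostKeyAlias` lets ssh check the real host's key rather than 127.0.0.1's, which addresses the known-host problem the post mentions.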
