Cleartext pre-authentication before going to secure mode.

Tomi Ollila Tomi.Ollila at sonera.com
Wed Sep 13 19:17:11 EST 2000


Tuesday Sep 12 15:54:52 +0200 2000 Markus Friedl <markus at openbsd.org> wrote:

> i don't understand completely what you want, but shouldn't this work
> with ssh's proxy option?

Hmm, it took me a while to understand this ProxyCommand option... in my
case I should write a program that works like a modem dialler script --
when it receives the `User:' and `PASSCODE' strings, it would automatically
output that info. Progress information could be output to the terminal using
fd 2?

That would solve that `host key management' issue I wrote before.

I'll see what I can come up with for that (it probably won't be possible to
pass terminal input to the proxy command?).


The proxycommand is a program that has to stay between the network and
ssh all the time (and prevents ssh from using `getpeername()' to verify the
other end?). I have one additional option to suggest here.

Add an option where ssh could use an already connected file descriptor
for its communication socket. This means that ssh would still be launched
by an external program, but that program would not need to transfer
the data -- and ssh could use normal socket syscalls to manage the fd. That
would also ease my work -- I already have that `tt4ssh' -- which is very
easy to use -- it would require some simple changes to make it work with
this option.


When passing through the FW-1 authenticated Telnet server, 2 things have to be
handled: 1) that server requires that the client that connects to it
answers the telnet negotiation commands that it sends -- otherwise, after
the connection is made to the end host, no data is passed to it. 2) That telnet
server always sends those telnet negotiation commands to the end host after
connection -- so if no pre-cleaning of the connection is made, when trying
to send the ssh identification string, the end host receives the following
stream (telnet negotiation codes "prettyprinted"):

IAC DO ECHO 
IAC DO SUPPRESS GO AHEAD 
SSH-1.5-OpenSSH_2.1.1


That's why I requested that I'd like to see sshd ignore some possible
garbage until it looks like it is receiving an ssh identification string
(in my programs I am checking that SSH- has arrived).


Is there any chance for these features -- I can manage with the current
functionality, but there might be other people who have the same problem --
I'd like to make my program as good (and secure) as possible for
public release -- if tt4ssh-like functionality is not going to be
incorporated into the ssh programs.

Tomi

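The pre-cleaning step described in the post (answering the telnet server's negotiation and discarding anything before the `SSH-` identification string) as an added Python example; this is not tt4ssh or OpenSSH code. The byte values follow RFC 854; the function name and its return shape are my own.

```python
# Telnet command bytes (RFC 854); option numbers 1 = ECHO, 3 = SUPPRESS GO AHEAD
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

def strip_telnet_preamble(data: bytes):
    """Consume telnet negotiation (and any other garbage) from the front of
    a stream until the SSH identification string 'SSH-' begins.
    Returns (replies, remainder, found): replies are the refusal responses
    to send back to the telnet server, remainder is the unconsumed bytes
    (starting at 'SSH-' when found, else a truncated command needing more
    input), found tells whether the identification string was reached."""
    replies = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data.startswith(b"SSH-", i):
            return bytes(replies), data[i:], True
        if data[i] != IAC:
            i += 1                      # garbage before the banner: drop it
            continue
        if i + 1 >= n:
            break                       # truncated command: need more bytes
        cmd = data[i + 1]
        if cmd == IAC:
            i += 2                      # escaped literal 0xFF, also garbage
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                break
            opt = data[i + 2]
            if cmd == DO:               # peer asks us to enable an option
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:           # peer offers to enable an option
                replies += bytes([IAC, DONT, opt])
            i += 3                      # DONT/WONT need no answer
        elif cmd == SB:                 # subnegotiation: skip to IAC SE
            j = i + 2
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1   # IAC IAC escapes inside
            if j + 1 >= n:
                break
            i = j + 2
        else:
            i += 2                      # two-byte command (NOP, GA, ...)
    return bytes(replies), data[i:], False

if __name__ == "__main__":
    # constructed sample: the stream quoted in the post, with the banner appended
    sample = bytes([IAC, DO, 1, IAC, DO, 3]) + b"SSH-1.5-OpenSSH_2.1.1\r\n"
    print(strip_telnet_preamble(sample))
```

Refusing every option (WONT/DONT) keeps the telnet server satisfied without negotiating anything that could alter the bytes ssh later sends.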