Request for obfuscating the handshake

Dan Kaminsky dan at doxpara.com
Fri Jan 13 07:41:04 EST 2012


Anything in the mainline OpenSSH code will be adapted to by your
adversaries.  (Put another way, if you want your code to remain functional,
it has to remain a patch.)


On Thu, Jan 12, 2012 at 10:58 AM, iam iranian <x.issuer at gmail.com> wrote:

> Dear OpenSSH team,
>
> First of all thanks a lot for your good work on developing such a usable
> peace of software. Nice job.
> As you may know, we have some issues using OpenSSH in Iran. Recently the
> government did some packet filtering on some protocols, including SSH. We
> don't know what exactly they've done but it appears to be some routing rule
> that prevents SSH protocol to initiate a connection. Its like that the
> handshake packet is dropped.
> Fortunately there is a patch on OpenSSH done by Bruce Leidl (
> https://github.com/brl/obfuscated-openssh) that obfuscates the handshake
> packet and luckily it helps us pass through this annoying packet filtering.
> But sadly this patch isn't implemented in the main project.
>
> We, a group of Iranian OpenSSH users, recommend you to include this useful
> patch in the main project because:
> 0. As Bruce Leidl explains it's true that the communication is secured
> during a session, but before starting a session since the encryption keys
> have not yet been determined, there is no encryption and the handshake
> packets are insecure.
> 1. It's always better to have more options. In this case, having the
> handshake packet obfuscated is an important choice to make.
> 2. The patch nicely adds the ability of obfuscating the handshake and makes
> no harm to the rest of the project. So why not?
> 3. We really want you to do it.
>
> Thank you very much and best regards.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>


More information about the openssh-unix-dev mailing list