Name based SSH proxy

Kasper Dupont kasperd at kdxdx.23.may.2015.kasperd.net
Wed May 27 07:42:40 AEST 2015


On 26/05/15 15.50, Daniel Kahn Gillmor wrote:
> The argument that the DNS lookup leaks this metadata is a bad argument:
> if we followed this line of reasoning, then every problem that has
> multiple contributors could never be solved (A says "but my fixing
> things is useless if B does nothing", while B says "but my fixing things
> is useless if A does nothing" -- a classic collective action problem).

That sort of excuse certainly exists out there. In fact
that's the only reason anybody is still using IPv4. If
people had put just a little bit more effort into long
term solutions, we would all have been running IPv6 years
ago.

And in that case, we wouldn't be having this discussion,
because there would be enough IP addresses that SNI would
never have been invented.

This leads me to my next question. Would it be sensible to
modify my patch to make it configurable with three options
for when to send the hostname? The three options I would
have in mind are: always, only on IPv4, and never.

> 
> In practice, there is work done today to protect DNS queries as well
> (see the DNS Privacy working group in the IETF, the latest versions of
> libunbound and the getdns API, etc).

I haven't seen any of the work done in those areas. But
considering how little traction DNSSEC has, I would
imagine that DNS privacy initiatives would take decades
to get any traction.

If you have any pointers, I am very curious as to exactly
how they intend to get any privacy into the DNS
protocol.

> 
> I think the ProxyCommand Kasper ended up describing (checking for v6
> connectivity or using a constrained HTTP CONNECT proxy) is an acceptable
> way to go for people in the particular scenario he's concerned about.

But it does not address all my requirements. I have a
requirement that the hostname being used must be visible
to the administrator of the SSH server. And it must be
visible with minimal effort without requiring any software
changes on the server.

Sending the hostname in clear from proxy to server would
address that concern.

But there are not many opportunities for a proxy to inject
data into the data stream from client to server without
breaking integrity checks on the packets.

Assuming I could find a way to embed that information
inside the stream from proxy to server, then there is
nothing stopping me from embedding the information inside
the connection from client to proxy as well. And it would
certainly be desirable for me if the proxy did not have to
modify the data in transit at all.

So if I could write a ProxyCommand which would embed the
hostname into the stream from client to proxy, then the
proxy could simply pick out the hostname and pass the
traffic unmodified to the server.

I carefully read the relevant RFCs in order to figure out
which information is covered by integrity checks and which
is not. I found a method which would work according to the
RFC, but it turns out OpenSSH doesn't behave as specified
by the RFC.

One thing I found was RFC 4253 saying:

   An implementation MUST respond to all unrecognized messages with an
   SSH_MSG_UNIMPLEMENTED message in the order in which the messages were
   received.  Such messages MUST be otherwise ignored.  Later protocol
   versions may define other meanings for these message types.

However what I found OpenSSH to be doing was for every
unrecognized message it would either ignore it and not
send an SSH_MSG_UNIMPLEMENTED, or send an error and
disconnect.

Is it deliberate that OpenSSH doesn't do what RFC 4253
says MUST be done?

I am still pondering on whether there are other ways to
get the hostname communicated across to the server without
breaking the integrity of the connection.

-- 
Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
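The two protocol points raised in the post (why a proxy cannot inject into the client-to-server stream without tripping integrity checks, and the RFC 4253 rule that an unrecognized message number MUST be answered with SSH_MSG_UNIMPLEMENTED carrying the offending packet's sequence number) can be seen in a small model of the binary packet protocol. The following is an added example, not code from the post or from OpenSSH. It models only the integrity layer of RFC 4253 section 6 with HMAC-SHA1 and leaves encryption out; the session key, the 8-byte block size and the sample payloads are constructed for the demonstration.

```python
"""Model of RFC 4253 binary packets: MAC over sequence number + packet,
plus the SSH_MSG_UNIMPLEMENTED rule for unrecognized message numbers.
Added example; constructed keys and payloads, encryption omitted."""
import hashlib
import hmac
import os
import struct

# Transport-layer generic message numbers from RFC 4253 section 12.
SSH_MSG_DISCONNECT = 1
SSH_MSG_IGNORE = 2
SSH_MSG_UNIMPLEMENTED = 3
SSH_MSG_DEBUG = 4
KNOWN_MESSAGES = {SSH_MSG_DISCONNECT, SSH_MSG_IGNORE,
                  SSH_MSG_UNIMPLEMENTED, SSH_MSG_DEBUG}

BLOCK = 8      # assumed cipher block size for padding alignment (section 6.1)
MAC_LEN = 20   # hmac-sha1 output length


def build_packet(key, seq, payload):
    """Return packet_length || padding_length || payload || padding || mac.

    The MAC is computed over the implicit 32-bit sequence number followed
    by the unencrypted packet, exactly as section 6.4 specifies, so the
    sequence number is authenticated even though it is never transmitted.
    """
    padding_len = BLOCK - ((4 + 1 + len(payload)) % BLOCK)
    if padding_len < 4:          # at least four bytes of random padding
        padding_len += BLOCK
    padding = os.urandom(padding_len)
    packet_len = 1 + len(payload) + padding_len
    unencrypted = struct.pack(">IB", packet_len, padding_len) + payload + padding
    mac = hmac.new(key, struct.pack(">I", seq) + unencrypted, hashlib.sha1).digest()
    return unencrypted + mac


def build_stream(key, payloads):
    """Concatenate packets numbered 0, 1, 2, ... as a sender would emit them."""
    return b"".join(build_packet(key, seq, p) for seq, p in enumerate(payloads))


def parse_packet(key, seq, data):
    """Verify the first packet in data under the expected sequence number.

    Returns (payload, remaining_bytes); raises ValueError on MAC failure.
    """
    packet_len, padding_len = struct.unpack(">IB", data[:5])
    end = 4 + packet_len
    unencrypted = data[:end]
    mac = data[end:end + MAC_LEN]
    expected = hmac.new(key, struct.pack(">I", seq) + unencrypted, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC mismatch at sequence number %d" % seq)
    payload = unencrypted[5:5 + packet_len - 1 - padding_len]
    return payload, data[end + MAC_LEN:]


def receive_stream(key, stream):
    """Process a byte stream as a receiving peer would.

    Returns the list of reply payloads the receiver must send, in order:
    one SSH_MSG_UNIMPLEMENTED (byte 3 + uint32 sequence number) per
    unrecognized message number, as RFC 4253 section 11.4 requires.
    Known transport messages are consumed silently here.
    """
    seq = 0
    replies = []
    while stream:
        payload, stream = parse_packet(key, seq, stream)
        if payload[0] not in KNOWN_MESSAGES:
            replies.append(bytes([SSH_MSG_UNIMPLEMENTED]) + struct.pack(">I", seq))
        seq += 1
    return replies


def stream_is_intact(key, stream):
    """True if every packet verifies under its implicit sequence number."""
    try:
        receive_stream(key, stream)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-session-key"
    # Message number 200 lies in the 192-255 "local extensions" range and is
    # unrecognized by this receiver, so it must draw an UNIMPLEMENTED reply.
    stream = build_stream(key, [bytes([SSH_MSG_IGNORE]) + b"x", bytes([200]),
                                bytes([SSH_MSG_DEBUG])])
    print(receive_stream(key, stream))
    # A proxy re-inserting an already-seen, validly-MACed packet still fails:
    # the copy lands at a different sequence number than the one it was MACed under.
    p0 = build_packet(key, 0, bytes([SSH_MSG_IGNORE]))
    p1 = build_packet(key, 1, bytes([SSH_MSG_DEBUG]))
    print(stream_is_intact(key, p0 + p1), stream_is_intact(key, p0 + p0 + p1))
```

The second check is the one that matters for the proxy design discussed above: because the receiver's sequence counter is implicit and authenticated, inserting anything between two genuine packets (even a byte-for-byte copy of a packet that carried a valid MAC) shifts every later packet to a sequence number it was not MACed under, so the stream fails at the next genuine packet rather than at the inserted one.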

