Name based SSH proxy

Kasper Dupont kasperd at kdxdx.23.may.2015.kasperd.net
Wed May 27 09:22:34 AEST 2015


On 26/05/15 18.29, Daniel Kahn Gillmor wrote:
> On Tue 2015-05-26 17:42:40 -0400, Kasper Dupont wrote:
> > But it does not address all my requirements. I have a
> > requirement that the hostname being used must be visible
> > to the administrator of the SSH server. And it must be
> > visible with minimal effort without requiring any software
> > changes on the server.
> 
> The patch you're sending is a software change :)

My requirements only said no software changes on the server.
It was clear to me very early on, that some changes were
needed on the client side.

Whether the client side changes can be done as a
ProxyCommand remains an open question. But it is certain
that a modification of the ssh client would cover all my
needs.

> 
> 
> > But there are not many opportunities for a proxy to inject
> > data into the data stream from client to server without
> > breaking integrity checks on the packets.
> 
> no, the proxycommand has to wrap the ssh traffic in an outer-layer
> tunnel.

I need the proxy to communicate with an unmodified server.
And I need this communication to include the hostname for
the administrator of said server to see. Whether the
administrator would have to look in a logfile or a packet
capture in order to see the hostname is not important.

I believe that once I have an answer to how the proxy can
communicate the hostname to the server, then everything
else will follow.

> > I am still pondering on whether there are other ways to
> > get the hostname communicated across to the server without
> > breaking the integrity of the connection.
> 
> If you're going to prevent passive attackers from sniffing it, it would
> have to be done after the key exchange, which would suggest that the
> proxy would need to know the secret key material for the session.  That
> seems like a bad outcome either way.

None of my requirements say the hostname must remain hidden
from a passive attacker. So for me it only makes sense to
first look for a solution which satisfies my requirements, and
only once the requirements are satisfied look for ways to
improve the solution to have other nice properties.

Sending the hostname after key exchange is impossible. The
proxy needs to know which server to communicate with, that's
the point of sending the hostname in the first place. That
means key exchange can only start after the hostname has
been sent to the proxy.


I don't yet know a way to achieve my desired result using
just a ProxyCommand. But with the following change and a
ProxyCommand, I believe I would be able to achieve what I
am looking for.

diff -up openssh-6.6p1/sshconnect.c.original openssh-6.6p1/sshconnect.c
--- openssh-6.6p1/sshconnect.c.original	2015-05-23 11:56:55.235217137 +0200
+++ openssh-6.6p1/sshconnect.c	2015-05-27 01:14:02.563652677 +0200
@@ -560,6 +560,9 @@ ssh_exchange_identification(int timeout_
 	if (options.protocol == SSH_PROTO_2) {
 		enable_compat20();
 		send_client_banner(connection_out, 0);
+		packet_send_ignore(0);
+		packet_send();
+		packet_write_wait();
 		client_banner_sent = 1;
 	}
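Review bot: the three added lines send an empty SSH_MSG_IGNORE on every protocol-2 connection, whether or not a ProxyCommand is in use, so this should be gated behind a new ssh_config option (name to be chosen) rather than applied unconditionally. The packet goes out before KEXINIT, so it is plaintext, carries no MAC and is not part of the exchange hash; that is exactly what lets a proxy replace its payload without breaking the later integrity checks, but it also means anything on the path can do the same, which is only acceptable because the contents are purely informational. A short comment above `packet_send_ignore(0);` saying why an empty IGNORE is sent here would save the next reader from treating it as dead code.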

The question then is, would the security implications of
adding these three lines be much worse than my original
patch?
 
-- 
Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
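An added example (not from this thread or from OpenSSH) of the packet handling the approach above relies on. It assumes the intended use of the patch is that the ProxyCommand replaces the empty SSH_MSG_IGNORE the patched client sends with one carrying the target hostname, which works because packets before KEXINIT are unencrypted, unauthenticated and outside the exchange hash; replacing rather than inserting keeps the sequence numbers aligned. The hostname and the trailing bytes are constructed sample data.

```python
import os
import struct

SSH_MSG_IGNORE = 2
BLOCK = 8  # block size used for padding before any cipher is negotiated (RFC 4253 section 6)


def encode_packet(payload: bytes) -> bytes:
    """Frame payload as an unencrypted SSH binary packet: uint32 length, byte padlen, payload, random padding."""
    padlen = BLOCK - ((len(payload) + 5) % BLOCK)
    if padlen < 4:  # at least four bytes of padding are required
        padlen += BLOCK
    return struct.pack(">IB", len(payload) + padlen + 1, padlen) + payload + os.urandom(padlen)


def decode_packet(buf: bytes):
    """Return (payload, remaining_bytes) for the first packet in buf; raise ValueError if it is malformed."""
    if len(buf) < 5:
        raise ValueError("short packet")
    length, padlen = struct.unpack(">IB", buf[:5])
    if len(buf) < 4 + length or padlen < 4 or padlen + 1 > length:
        raise ValueError("malformed packet")
    return buf[5:4 + length - padlen], buf[4 + length:]


def ignore_payload(data: bytes) -> bytes:
    """SSH_MSG_IGNORE payload: message type followed by one SSH string."""
    return bytes([SSH_MSG_IGNORE]) + struct.pack(">I", len(data)) + data


def rewrite_ignore(stream: bytes, hostname: str) -> bytes:
    """Proxy side (hypothetical): swap the client's empty IGNORE for one carrying hostname; forward anything else untouched."""
    payload, rest = decode_packet(stream)
    if payload[:1] != bytes([SSH_MSG_IGNORE]):
        return stream
    return encode_packet(ignore_payload(hostname.encode())) + rest


def extract_hostname(stream: bytes):
    """Server-side view, e.g. over a packet capture: recover the hostname string from an IGNORE packet, or None."""
    payload, _ = decode_packet(stream)
    if payload[:1] != bytes([SSH_MSG_IGNORE]) or len(payload) < 5:
        return None
    n = struct.unpack(">I", payload[1:5])[0]
    if len(payload) < 5 + n:
        return None
    return payload[5:5 + n].decode("utf-8", "replace")
```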

