Name based SSH proxy

Kasper Dupont kasperd at fzcpf.25.may.2015.kasperd.net
Wed May 27 20:09:00 AEST 2015


On 27/05/15 11.07, Dirk-Willem van Gulik wrote:
> As a practical suggestion - we ran for a while with a hack where we abuse the version human readable string with a
> base64 string of a _salted_ hash of the server we were trying to get to. 
> 
> Sharing both salt and hash.
> 
> This let the server figure out the right key to present without too much ado; but without leaking all that much*.  The idea was to make it a tiny bit more costly to get a decent selector really early in a connection.

That approach seems to rely on the proxy knowing the full
list of possible hostnames in advance. In my case the
proxy doesn't know the list of hostnames in advance.

> 
> However - as keeping a few 10's of packets in state is no longer that costly; key init and exchange always start at a packet; And the DH modulus (identical but for its last four bytes) in the DH group exchange (31) and what not follow soon thereafter; it seems all a bit superfluous.

That sentence I did not understand. Could you elaborate
or explain it differently?

-- 
Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
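As an added illustration (not code from either poster), the selector Dirk-Willem describes and the lookup the proxy would have to perform on its side, which shows the point Kasper raises: the proxy can only recover the target by trying every hostname it already knows. The 8-byte salt, the truncated HMAC-SHA256 and the placement of the selector in the comment field of the version line are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

SALT_LEN = 8     # assumed salt size
DIGEST_LEN = 16  # assumed truncated HMAC size

def make_selector(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return base64(salt || HMAC-SHA256(salt, hostname)[:16]) for the version line."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hmac.new(salt, hostname.encode(), hashlib.sha256).digest()[:DIGEST_LEN]
    return base64.b64encode(salt + digest).decode()

def client_version_line(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 4253 version line with the selector as the comments field."""
    return f"SSH-2.0-OpenSSH_6.8 {make_selector(hostname, salt)}"

def resolve_backend(version_line: str, known_hosts: Iterable[str]) -> Optional[str]:
    """Proxy side: recover the target hostname, or None if it cannot be matched.

    The hash is not reversible, so the proxy must recompute it for every
    candidate it knows about; a hostname absent from known_hosts is never found.
    """
    parts = version_line.split(" ", 1)
    if len(parts) != 2:
        return None  # no comments field, so no selector
    try:
        blob = base64.b64decode(parts[1].strip(), validate=True)
    except (ValueError, base64.binascii.Error):
        return None  # comments field is not a well-formed selector
    if len(blob) != SALT_LEN + DIGEST_LEN:
        return None
    salt, digest = blob[:SALT_LEN], blob[SALT_LEN:]
    for host in known_hosts:
        candidate = hmac.new(salt, host.encode(), hashlib.sha256).digest()[:DIGEST_LEN]
        if hmac.compare_digest(candidate, digest):
            return host
    return None

if __name__ == "__main__":
    # Constructed sample hostnames for the demonstration.
    known = ["alpha.example.net", "beta.example.net"]
    print(resolve_backend(client_version_line("beta.example.net"), known))
    print(resolve_backend(client_version_line("gamma.example.net"), known))
```

The second lookup returns None because gamma.example.net is not in the proxy's list, regardless of how the client salted the hash.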


More information about the openssh-unix-dev mailing list