Name based SSH proxy

Kasper Dupont kasperd at fzcpf.25.may.2015.kasperd.net
Wed May 27 22:11:27 AEST 2015


On 27/05/15 12.41, Dirk-Willem van Gulik wrote:
> One could argue that putting the host name as plain text in the initial unencrypted exchange is leaking something (ignoring the DNS aspect here). 
> 
> As this a) reveals whom you are talking to, and b) may be a good trigger/selector for something like pen-register/trap/trace.
> 
> However, a bit later in the exchange we get, in the clear, a somewhat fingerprintable list of supported ciphers (Key Exchange Init), which is flashed by the server. This is followed a packet later by the Diffie-Hellman Group Exchange Group, which contains the DH modulus in the clear (from the list of some 200 pre-calculated safe primes in 'ssh/moduli', in groups of 40, that are identical but for the last 4 bytes or so).
>  
> So I guess that makes not revealing some identifier as to whom you want to talk a bit of a moot point, as a few packets later it is revealed anyway.

Got it. And let's not forget that the host public key of the server
is also sent in the clear during the key exchange.

-- 
Kasper Dupont -- Rigtige mænd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
char*_="@2kaspner"_()"%03"_("4s%.")"t\n";printf(_+11,_+6,_,12,_+2,_+7,_+6);
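As an added example, not part of this thread and not OpenSSH's own code, the Python below shows what a passive observer can read from the cleartext part of the exchange discussed above: it frames and unframes an SSH binary packet (RFC 4253 section 6), parses the SSH_MSG_KEXINIT name-lists (section 7.1), and reduces the advertised algorithm lists to an MD5 fingerprint in the style of HASSH. The server algorithm lists are constructed sample data, and the choice of which four name-lists go into the fingerprint is an assumption modelled on HASSH, not a fact about OpenSSH.

```python
"""Parse a cleartext SSH_MSG_KEXINIT and fingerprint its algorithm name-lists.
Added example; the sample algorithm lists below are constructed, not captured."""
import hashlib
import os
import struct

SSH_MSG_KEXINIT = 20

# Order of the name-lists inside KEXINIT, per RFC 4253 section 7.1.
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def _name_list(names):
    """Encode an SSH name-list: uint32 length followed by comma-separated ASCII."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=None, first_kex_packet_follows=False):
    """Build a KEXINIT payload from a dict of field name -> list of algorithm names."""
    cookie = os.urandom(16) if cookie is None else cookie
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        payload += _name_list(lists.get(field, []))
    payload += bytes([1 if first_kex_packet_follows else 0])
    payload += struct.pack(">I", 0)  # reserved uint32, always zero
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict; raises ValueError on truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    if len(payload) < 17:
        raise ValueError("truncated cookie")
    result = {"cookie": payload[1:17]}
    pos = 17
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated length for %s" % field)
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list for %s" % field)
        raw = payload[pos:pos + n]
        pos += n
        result[field] = raw.decode("ascii").split(",") if raw else []
    if pos + 5 > len(payload):  # boolean + reserved uint32
        raise ValueError("truncated trailer")
    result["first_kex_packet_follows"] = bool(payload[pos])
    return result


def wrap_packet(payload, block_size=8):
    """Frame a payload as an unencrypted SSH binary packet (RFC 4253 section 6)."""
    padlen = block_size - ((4 + 1 + len(payload)) % block_size)
    if padlen < 4:  # the spec requires at least four bytes of random padding
        padlen += block_size
    packet_length = 1 + len(payload) + padlen
    return struct.pack(">IB", packet_length, padlen) + payload + os.urandom(padlen)


def unwrap_packet(data):
    """Return (payload, bytes_consumed) for the first unencrypted packet in data."""
    if len(data) < 5:
        raise ValueError("short packet header")
    packet_length, padlen = struct.unpack(">IB", data[:5])
    if 4 + packet_length > len(data):
        raise ValueError("truncated packet")
    payload_len = packet_length - padlen - 1
    if payload_len < 0:
        raise ValueError("padding longer than packet")
    return data[5:5 + payload_len], 4 + packet_length


def hassh_style_fingerprint(kexinit, side):
    """MD5 over 'kex;enc;mac;comp' for one direction, in the style of HASSH.
    Assumption: this field selection mirrors HASSH; it is not an OpenSSH feature."""
    if side == "client":
        fields = ("kex_algorithms", "encryption_algorithms_client_to_server",
                  "mac_algorithms_client_to_server", "compression_algorithms_client_to_server")
    elif side == "server":
        fields = ("kex_algorithms", "encryption_algorithms_server_to_client",
                  "mac_algorithms_server_to_client", "compression_algorithms_server_to_client")
    else:
        raise ValueError("side must be 'client' or 'server'")
    text = ";".join(",".join(kexinit[f]) for f in fields)
    return hashlib.md5(text.encode("ascii")).hexdigest()


# Constructed sample of what a server might advertise; not a real capture.
SERVER_LISTS = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group-exchange-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "aes256-gcm@openssh.com"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "aes256-gcm@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none", "zlib@openssh.com"],
    "compression_algorithms_server_to_client": ["none", "zlib@openssh.com"],
}


def observe_server(wire_bytes):
    """What a passive observer learns from the server's cleartext KEXINIT packet."""
    payload, _ = unwrap_packet(wire_bytes)
    parsed = parse_kexinit(payload)
    return parsed["server_host_key_algorithms"], hassh_style_fingerprint(parsed, "server")


if __name__ == "__main__":
    wire = wrap_packet(build_kexinit(SERVER_LISTS))
    print(observe_server(wire))
```

The cookie is random per connection but never enters the fingerprint, so two connections to the same server build yield the same value while a server with a different cipher or MAC ordering yields a different one; that stability is exactly what makes the cleartext KEXINIT a usable selector, as the quoted message argues.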


More information about the openssh-unix-dev mailing list