[PATCH] add support for VersionAddendum to the client to support SNI & other uses

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Aug 8 02:13:37 AEST 2017


On Sun 2017-08-06 13:59:30 -0500, Erik Paulson wrote:
> Daniel Gillmor at the time suggested that if this was to be done for
> OpenSSH, using the VersionAddendum mechanism might be a good way to do it:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2013-November/031811.html
>
> This patch does that.
>
> For example, a user might want to do
> ssh -oVersionAddendum=X-Host:realhost.site.com sharedIpAddr.site.com
>
> With the patch, someone who wanted to put in place a quick proxy running on
> port 22 of sharedIpAddr.site.com that looked for a string like
> X-Host:realhost.site.com
> could then proxy the connection to realhost.site.com.
>
> The patch supports '%h' per Daniel's suggestion, so you can do:
> ssh -oVersionAddendum=Host:%h server.example.net
>
> or just put VersionAddendum in your configuration file.
>
> The caveats that Daniel warned about in 2013 are still true - this may not
> be something an admin wants to turn on by default so you're not leaking the
> actual host you're connecting to over the unencrypted banner exchange
> (though if you have a shared secret with the proxy you could encrypt the
> host string). Also, because the banner strings are used as part of the key
> exchange if the proxy sends something different than what the actual end
> host sends key exchange will fail.

for the record, i do *not* think this is a good idea to add to SSH.
we've got a lot of work ahead of us in TLS to fix all the cleartext data
that leaks in the handshake.

SSH is actually doing the right thing here by *not* leaking data in the
handshake, and it'd be a shame to see it backslide.  Arguably, the
version strings should be made even more generic to avoid leaking
identifiable information.

> SNI is my use case, but other use cases where having some additional
> headers early in the protocol might be out there and this could be a way to
> help prototype them.

please, let's not add additional cleartext data in the ssh handshake.
anonymous DH first, then pass whatever parameters you like.  SSH is
already doing this right, let's not go backward.

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170807/8c4fcbcf/attachment.asc>


More information about the openssh-unix-dev mailing list