RFC 8305 Happy Eyeballs in OpenSSH

Wolfgang S Rupprecht wolfgang.rupprecht at gmail.com
Wed Feb 28 07:08:57 AEDT 2018


>>> TL;DR: please try the patch out and report if it causes "Did not receive
>>> identification string" log messages.  I believe it does not.

Aw crap.  My homegrown anti-dos tool for ssh looks for either DNRIS or,
if logging is verbose enough, a connection that didn't result in a
login.  I give the attacker a few tries and whitelist any successful
candidate, so I should be ok, but things are getting a bit riskier.

I'm a big fan of happy eyeballs in general so I hope there is some way
to allow happy eyeballs and still stop bots from repeatedly knocking on
the door wasting cpu time.  Simplest would be to never abort the extra
happy eyeballs before actually logging in or the normal ssh connection
timeout.  There may be other ways to accomplish the same thing.

-wolfgang
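The heuristic described in the post (count aborted connections per source, allow a few tries, never block a source that has completed a login) as an added Python example; this is not code from the original post or from OpenSSH. The sshd log lines are constructed, and the regexes, the default threshold and the inclusion of `[preauth]` closes as "a connection that didn't result in a login" are assumptions. It shows the case that matters for Happy Eyeballs: a client whose losing connection attempt produced a DNRIS line but then logged in is whitelisted rather than blocked.

```python
import re
from collections import Counter

# Constructed sample of sshd log lines (not taken from the original post).
SAMPLE_LOG = """\
Feb 28 07:00:01 host sshd[101]: Did not receive identification string from 192.0.2.10 port 54321
Feb 28 07:00:02 host sshd[102]: Accepted publickey for alice from 192.0.2.10 port 54322 ssh2: ED25519 SHA256:AAAA
Feb 28 07:00:10 host sshd[103]: Did not receive identification string from 198.51.100.7 port 40000
Feb 28 07:00:11 host sshd[104]: Did not receive identification string from 198.51.100.7 port 40001
Feb 28 07:00:12 host sshd[105]: Connection closed by 198.51.100.7 port 40002 [preauth]
Feb 28 07:00:13 host sshd[106]: Did not receive identification string from 198.51.100.7 port 40003
Feb 28 07:00:20 host sshd[107]: Did not receive identification string from 203.0.113.5 port 51000
"""

# Message patterns (assumed to match the sshd wording shown in the sample).
DNRIS_RE = re.compile(r"Did not receive identification string from (\S+)")
PREAUTH_CLOSE_RE = re.compile(r"Connection closed by (\S+) port \d+ \[preauth\]")
ACCEPTED_RE = re.compile(r"Accepted \S+ for \S+ from (\S+)")


def classify(log_text, max_tries=3):
    """Return (whitelist, blocklist, counts) for the given sshd log text.

    A source that ever completes a login is whitelisted and never blocked, so a
    legitimate Happy Eyeballs client whose abandoned connection attempt shows up
    as DNRIS is not penalised.  Any other source is blocked once its count of
    aborted connections (DNRIS or a [preauth] close) reaches max_tries.
    """
    counts = Counter()
    whitelist = set()
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            whitelist.add(m.group(1))
            continue
        m = DNRIS_RE.search(line) or PREAUTH_CLOSE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    blocklist = {ip for ip, n in counts.items()
                 if n >= max_tries and ip not in whitelist}
    return whitelist, blocklist, counts


if __name__ == "__main__":
    allowed, blocked, seen = classify(SAMPLE_LOG)
    print("whitelist:", sorted(allowed))   # 192.0.2.10 logged in, so it stays allowed
    print("blocklist:", sorted(blocked))   # 198.51.100.7 hit the threshold without logging in
```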


