[Bug 2745] New: [PATCH] add support for VersionAddendum to the client

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Jul 19 13:01:35 AEST 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2745

            Bug ID: 2745
           Summary: [PATCH] add support for VersionAddendum to the client
           Product: Portable OpenSSH
           Version: 7.5p1
          Hardware: All
                OS: Mac OS X
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: epaulson at unit1127.com

Created attachment 3015
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3015&action=edit
patch to support versionaddendum in client

A few years back, there was discussion on the mailing list about adding
SNI support to SSH by fiddling with the version banner exchange at the
very beginning of the protocol exchange, before the encrypted channel
is created. Daniel Gillmor at the time suggested that if this was to be
done, using the VersionAddendum mechanism might be a good way to do it:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2013-November/031811.html

This patch does that.

For example, a user might want to do
ssh -oVersionAddendum=X-Host:realhost.site.com sharedIpAddr.site.com

With the patch, someone who wanted to put in place a quick proxy
running on port 22 of sharedIpAddr.site.com that looked for a string
like
X-Host:realhost.site.com
could then proxy the connection to realhost.site.com.

The patch supports '%h' per Daniel's suggestion, so you can do:
ssh -oVersionAddendum=Host:%h server.example.net

or just put VersionAddendum in your configuration file.

The caveats that Daniel warned about are still true - this may not be
something an admin wants to turn on by default, so you're not leaking
the actual host you're connecting to over the unencrypted banner
exchange (though if you have a shared secret with the proxy, you could
encrypt the host string). Also, because the banner strings are used as
part of the key exchange, if the proxy sends something different than
the actual end host sends, key exchange will fail.
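The banner handling described above, as an added illustration that is not part of the attached patch or of OpenSSH: the client-side %h expansion into the RFC 4253 identification string, and the parsing a front-end proxy would do to pick a backend from the X-Host: addendum. The allowlist check and the 255-byte limit are this example's own choices (the banner is unauthenticated cleartext, so a proxy should only route to hosts it already knows); the proxy must relay both sides' banners byte-for-byte, because V_C and V_S feed the exchange hash.

```python
import re
from typing import Dict, Iterable, Optional

# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF",
# at most 255 bytes including CR LF. VersionAddendum ends up in "comments".
_IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)"
    rb"(?: (?P<comments>[^\r\n]*))?\r?\n\Z"
)


def expand_addendum(template: str, host: str) -> str:
    """Client-side expansion as the bug describes it: only %h is expanded;
    %u, %p and the rest are left as written because the data is not there."""
    return template.replace("%h", host)


def build_banner(software: str, addendum: str, host: str) -> bytes:
    """Construct the client identification line for a given VersionAddendum."""
    comments = expand_addendum(addendum, host)
    line = "SSH-2.0-" + software + (" " + comments if comments else "") + "\r\n"
    data = line.encode("ascii")
    if len(data) > 255:  # constructed limit check, per RFC 4253 s4.2
        raise ValueError("identification string exceeds 255 bytes")
    return data


def parse_identification(line: bytes) -> Dict[str, str]:
    """Split an identification line into proto, software and comments."""
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification string")
    return {k: (v.decode("ascii") if v is not None else "")
            for k, v in m.groupdict().items()}


def backend_for(line: bytes, allowed: Iterable[str],
                prefix: str = "X-Host:") -> Optional[str]:
    """Proxy-side routing: return the addendum's host only if it is on the
    allowlist; otherwise None (fall back to a default backend, or refuse).
    Whatever is chosen, forward the original line unchanged: V_C is part of
    the exchange hash H, so rewriting it would make the key exchange fail."""
    comments = parse_identification(line)["comments"]
    for token in comments.split():
        if token.startswith(prefix):
            host = token[len(prefix):]
            return host if host in set(allowed) else None
    return None
```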

I largely copied the code from how the server side handles
VersionAddendum. The big change is that I passed around the 'host'
variable in ssh_connect.c so the %h expansion would work when the
banner string is actually constructed - if there's a global I could
read from I wouldn't need to change the calls up the stack. Other
expansions don't work, like %u or %p, because the data for those are
not passed along right now.

I didn't add anything to ssh_api.c - it doesn't look like that file
uses the config settings so I don't think VersionAddendum would get
picked up there, but maybe I'm not reading it right.

Subscriptions to the mailing list are not working right now so I
haven't posted this to the list, but hopefully after the server
migration stuff is worked out I'll be able to subscribe and send this
there.

If it's easier for folks to read or use, this patch is in the
client_version_addendum branch here:
https://github.com/epaulson/openssh-portable/commit/69daef3b8a99d6c85f357f200c4aaa06fe28eaff

Thanks!
