Name based SSH proxy

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed May 27 05:50:26 AEST 2015


On Mon 2015-05-25 03:39:27 -0400, Kasper Dupont wrote:
> On 25/05/15 09.51, Damien Miller wrote:
>> I don't much like it because it reveals host identity information
>> in the clear.
>
> So does the DNS lookup performed before the TCP connection
> is being established. So that can hardly be considered a
> secret.

I hope we do not introduce a cleartext SNI into the SSH protocol.  This
leaks far too much sensitive metadata for passive monitors.

TLS has cleartext SNI, and it is quite difficult to figure out how to
protect it from passive monitors (and I think impossible to protect from
active attackers who are willing to cause connection failures to learn
the client's intended SNI).  We should not add this additional layer of
metadata leakage to SSH as well.

The argument that the DNS lookup leaks this metadata is a bad argument:
if we followed this line of reasoning, then every problem that has
multiple contributors could never be solved (A says "but my fixing
things is useless if B does nothing", while B says "but my fixing things
is useless if A does nothing" -- a classic collective action problem).

In practice, there is work done today to protect DNS queries as well
(see the DNS Privacy working group in the IETF, the latest versions of
libunbound and the getdns API, etc).  Let's not introduce a new layer of
the same problem.

I think the ProxyCommand Kasper ended up describing (checking for v6
connectivity or using a constrained HTTP CONNECT proxy) is an acceptable
way to go for people in the particular scenario he's concerned about.
Changing everyone else's SSH connections to leak that metadata for the
sake of this corner case would be a bad tradeoff.

Regards,

        --dkg
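The ProxyCommand approach referred to above, as an added example that is not code from the thread or from OpenSSH: the client first tries a direct IPv6 connection to the named host and, failing that, asks an HTTP CONNECT proxy for a tunnel, so the target name reaches only the proxy and nothing is added to the SSH protocol on the wire. The script name `name_proxy.py`, the proxy host/port arguments, and the function names are assumptions.

```python
# Added example ProxyCommand (not from the thread): direct IPv6 first, else HTTP CONNECT.
import select
import socket
import sys

def build_connect_request(host, port):
    """CONNECT request plus Host header for host:port (RFC 7231, section 4.3.6)."""
    target = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()

def parse_connect_status(reply):
    """Status code from the proxy's reply, or -1 if it is not an HTTP status line."""
    parts = reply.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return -1
    return int(parts[1])

def open_direct_v6(host, port):
    """IPv6-only connect; raises OSError when the host has no reachable v6 address."""
    addr = socket.getaddrinfo(host, port, socket.AF_INET6, socket.SOCK_STREAM)[0][4]
    sock = socket.create_connection(addr[:2], timeout=3)
    sock.settimeout(None)
    return sock

def open_via_proxy(proxy_host, proxy_port, host, port):
    """Ask the proxy for a tunnel to host:port; fail closed on anything but 200."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=10)
    sock.sendall(build_connect_request(host, port))
    reply = b""
    while b"\r\n\r\n" not in reply and (chunk := sock.recv(4096)):
        reply += chunk
    if parse_connect_status(reply) != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {reply[:80]!r}")
    sock.settimeout(None)
    return sock

def relay(sock):
    """Pump bytes between ssh (our stdin/stdout) and the tunnel until a side closes."""
    stdin, stdout = sys.stdin.buffer, sys.stdout.buffer
    while True:
        for r in select.select([sock, stdin], [], [])[0]:
            data = sock.recv(65536) if r is sock else stdin.read1(65536)
            if not data:
                return
            stdout.write(data) if r is sock else sock.sendall(data)
            stdout.flush()

if __name__ == "__main__":  # ProxyCommand python3 name_proxy.py %h %p PROXY_HOST 3128
    host, port, phost, pport = sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])
    try:
        tunnel = open_direct_v6(host, port)
    except OSError:
        tunnel = open_via_proxy(phost, pport, host, port)
    relay(tunnel)
```

A proxy that only permits CONNECT to port 22 on an allow-listed set of hosts is the "constrained" part; anything other than a 200 reply makes the script exit non-zero so ssh reports the failure instead of talking to the wrong endpoint.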

