[95205] in cryptography@c2.net mail archive


Re: improving ssh

daemon@ATHENA.MIT.EDU (Jun-ichiro itojun Hagino)
Thu Jul 19 09:32:05 2007

To: edgerck@nma.com
Cc: cryptography@metzdowd.com
In-Reply-To: Your message of "Sat, 14 Jul 2007 11:43:53 -0700"
	<46991969.5070502@nma.com>
Date: Tue, 17 Jul 2007 12:52:53 +0900 (JST)
From: itojun@itojun.org (Jun-ichiro itojun Hagino)

	i'm an OpenBSD developer, so i have some knowledge but could be biased.

> SSH (OpenSSH) is routinely used in secure access for remote server
> maintenance. However, as I see it, SSH has a number of security issues
> that have not been addressed (as far as I know), which create unnecessary
> vulnerabilities.
> 
> Some issues could be minimized by turning off password authentication,
> which is not practical in many cases. Other issues can be addressed by
> additional means, for example:
> 
> 1. firewall port-knocking to block scanning and attacks
> 2. firewall logging and IP disabling for repeated attacks (prevent DoS,
> block dictionary attacks)

	i guess it can be handled along the lines of spamd (greylisting) on OpenBSD.

> 3. pre- and post-filtering to prevent SSH from advertising itself and
> server OS

	is there any point in this as you can fingerprint OS both actively (nmap)
	and passively (p0f)?

> 4. block empty authentication requests
> 5. block sending host key fingerprint for invalid or no username
> 6. drop SSH reply (send no response) for invalid or no username

	i can understand your desire, but this is a feature used by some of the
	anonymous services such as anonymous CVS.  i'd leave it to openssh
	developers.

itojun

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
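Item 2 in the quoted list (firewall logging and IP disabling for repeated attacks) is the one that is straightforward to automate on an OpenBSD/pf host. The script below is an added example, not code from the thread or from OpenSSH: it reads syslog-style sshd log lines, counts "Failed password" records per source address, and prints the pfctl command that would add the offenders to a pf table. The log lines are constructed for the example (they follow OpenSSH's log wording but are not a real capture), and the table name bruteforce and the threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): count failed sshd logins per source
# address in syslog-style auth log lines and emit the addresses that cross a
# threshold, ready to be fed into a pf table. The log lines are constructed
# for the example; the table name <bruteforce> is an assumption.

# Sample auth log lines in OpenSSH's wording (constructed, not a real capture).
sample_log() {
  cat <<'EOF'
Jul 17 12:52:53 gw sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul 17 12:52:55 gw sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul 17 12:52:58 gw sshd[2013]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jul 17 12:53:01 gw sshd[2015]: Invalid user oracle from 203.0.113.7 port 40140
Jul 17 12:53:02 gw sshd[2015]: Failed password for invalid user oracle from 203.0.113.7 port 40140 ssh2
Jul 17 12:53:10 gw sshd[2020]: Failed password for alice from 198.51.100.9 port 50011 ssh2
Jul 17 12:53:14 gw sshd[2020]: Accepted publickey for alice from 198.51.100.9 port 50011 ssh2
Jul 17 12:54:00 gw sshd[2031]: Failed password for invalid user test from 192.0.2.44 port 33001 ssh2
EOF
}

# offenders THRESHOLD: read log lines on stdin and print, one per line and
# sorted, every source address with at least THRESHOLD "Failed password"
# lines. Only "Failed password" lines are counted; the "Invalid user" line
# sshd logs before the failure is ignored so one attempt is not counted twice.
offenders() {
  awk -v t="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= t) print ip }
  ' | sort
}

# block_offenders THRESHOLD: print the pfctl command line that would add the
# offenders to the <bruteforce> table. It is printed rather than executed so
# the example runs anywhere; pipe it to sh on a pf host to apply it.
block_offenders() {
  ips=$(offenders "$1")
  [ -n "$ips" ] || return 0
  printf 'pfctl -t bruteforce -T add %s\n' "$(printf '%s' "$ips" | tr '\n' ' ')"
}

sample_log | block_offenders 3
```

For the command to have any effect the table has to exist and be referenced by a rule, e.g. `table <bruteforce> persist` and `block in quick from <bruteforce>` in pf.conf. Note that pf can also do the counting itself without log parsing: a pass rule for port ssh with `keep state (max-src-conn-rate 5/60, overload <bruteforce> flush global)` moves a source into the table as soon as it opens more than five connections per minute, which is the closer analogue of the spamd-style handling itojun mentions.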
