Tomi Ollila
2000-Sep-12 11:49 UTC
Cleartext pre-authentication before going to secure mode.
Hi

This is a feature request.

1) Make sshd ignore garbage that may appear before the ssh identification string is received. Such "garbage" may be, for example, telnet negotiation codes. This should be a pretty easy task.

2) Make ssh work in cleartext mode (and have minimum telnet negotiation handling) before it receives the ssh identification string. This requires somewhat complex work to do.

This way one could, for example, pass a firewall authentication sequence before the connection is passed to the ssh server on the other end -- firewalls obviously cannot intercept secure communication in order to do that.

For the time being, such a feature can be used with my tt4ssh "wrappers" I've just completed. The software (BSD licensed) is available at http://www.iki.fi/too/sw/releases/tt4ssh10.tar.gz and it has the following programs:

tt4sshd -- listens on a port (given at the command line); when a connection arrives, waits 1/2 sec, reads any "garbage" received, and then execs ssh with option `-i' to handle the rest of the traffic. The 1/2 sec wait is just an arbitrary time... The port usually used is the telnet (23) port (???)

tt4ssh -- connects to a remote host (default port 23, can be changed), handles minimum telnet negotiations (changes between line/character mode). When tt4ssh receives the beginning of the SSH ident string `SSH-', it launches ssh 127.0.0.1 -p <port listened by tt4ssh> [rest tt4ssh args] and relays data between the network and this local port.

This system works quite well for me -- I can pass a firewall which does authentication on the telnet port, and then use ssh for communication with my peer machine. The only problem is that when ssh connects to localhost, it cannot check whether the other end is already known...
A "textshot" of my logging sequence through FW-1 with SecurID authentication:

home$ ./tt4ssh 192.168.16.6
CLEARTEXT>
CLEARTEXT>
CLEARTEXT> Company Corporate Network
CLEARTEXT>
CLEARTEXT>
CLEARTEXT> Check Point FireWall-1 authenticated Telnet server running on FW
CLEARTEXT>
CLEARTEXT> User: unski
CLEARTEXT> PASSCODE: **********
CLEARTEXT> User unski authenticated by SecurID
CLEARTEXT>
CLEARTEXT> Connected to 192.168.16.6
*** Launching `ssh 127.0.0.1 -p 22222'
unski at 127.0.0.1's password:
Last login: Mon Sep 11 10:35:26 2000 from fw.company.com
work$

Tomi Ollila
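As an added example (not part of the original post and not the tt4ssh code), this Python filter implements the cleartext phase tt4ssh is described to handle: it strips telnet negotiation from the firewall's telnet server, answers every DO/WILL with WONT/DONT so the session stays in plain mode, and switches to raw relaying the moment the peer's `SSH-' identification string begins, even when a telnet command or the ident string itself is split across two reads. The class and method names are hypothetical.

```python
# Telnet command bytes (RFC 854); the option numbers themselves are irrelevant here
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
SSH_IDENT = b"SSH-"

class PreauthFilter:
    """Cleartext-phase filter in the spirit of tt4ssh (hypothetical, not its code)."""
    def __init__(self):
        self.pending = b""    # incomplete telnet command or partial "SSH-" held over
        self.ssh_data = None  # None while in cleartext mode; raw bytes for ssh afterwards

    def feed(self, chunk: bytes):
        """Return (cleartext for the user, negotiation reply for the server)."""
        if self.ssh_data is not None:            # secure mode: nothing is telnet any more
            self.ssh_data += chunk
            return b"", b""
        data, self.pending = self.pending + chunk, b""
        pos = data.find(SSH_IDENT)
        if pos >= 0:                             # hand-over point: ssh stream starts here
            self.ssh_data, data = data[pos:], data[:pos]
        else:                                    # keep a partial "SSH-" for the next read
            for k in (3, 2, 1):
                if data.endswith(SSH_IDENT[:k]):
                    data, self.pending = data[:-k], data[-k:]
                    break
        clear, reply, i = bytearray(), bytearray(), 0
        while i < len(data):
            if data[i] != IAC:
                clear.append(data[i]); i += 1; continue
            if i + 1 >= len(data):               # lone IAC at end of read: wait for more
                self.pending = data[i:] + self.pending; break
            cmd = data[i + 1]
            if cmd == IAC:                       # escaped 0xff data byte
                clear.append(IAC); i += 2
            elif cmd in (DO, DONT, WILL, WONT):  # option negotiation
                if i + 2 >= len(data):
                    self.pending = data[i:] + self.pending; break
                opt = data[i + 2]
                if cmd == DO:                    # refuse whatever we are asked to enable
                    reply += bytes([IAC, WONT, opt])
                elif cmd == WILL:                # and decline whatever the server offers
                    reply += bytes([IAC, DONT, opt])
                i += 3
            elif cmd == SB:                      # subnegotiation: skip through IAC SE
                end = data.find(bytes([IAC, SE]), i + 2)
                if end < 0:
                    self.pending = data[i:] + self.pending; break
                i = end + 2
            else:                                # other two-byte commands (NOP, GA, ...)
                i += 2
        return bytes(clear), bytes(reply)
```

Driven from an ssh ProxyCommand rather than a localhost relay, a filter like this lets the client keep the real host name for host key checking, which the `ssh 127.0.0.1' hop in the post cannot offer.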
Markus Friedl
2000-Sep-12 13:54 UTC
Cleartext pre-authentication before going to secure mode.
I don't understand completely what you want, but shouldn't this work with ssh's proxy option?

On Tue, Sep 12, 2000 at 02:49:15PM +0300, Tomi Ollila wrote:
> home$ ./tt4ssh 192.168.16.6
> CLEARTEXT>
> CLEARTEXT>
> CLEARTEXT> Company Corporate Network
> CLEARTEXT>
> CLEARTEXT>
> CLEARTEXT> Check Point FireWall-1 authenticated Telnet server running on FW
> CLEARTEXT>
> CLEARTEXT> User: unski
> CLEARTEXT> PASSCODE: **********
> CLEARTEXT> User unski authenticated by SecurID
> CLEARTEXT>
> CLEARTEXT> Connected to 192.168.16.6
> *** Launching `ssh 127.0.0.1 -p 22222'
> unski at 127.0.0.1's password:
> Last login: Mon Sep 11 10:35:26 2000 from fw.company.com
> work$
>
>
> Tomi Ollila