Anton Chuvakin
2002-Mar-14 15:22 UTC
recovering SSH2 sessions while knowing the key and how to have it
Hello all, I hope it is the right forum to ask the question, since it is more about openssh internals than about usage.

I want to do a weird thing with my openssh daemon for the honeypot setup. Namely, I want it to covertly broadcast the session key, so that, upon sniffing the session, the contents can be recovered. My C skills will be sufficient to find a session key by digging into the ssh source. But my problem is building a recovery tool. Honestly, I have no idea how to approach it, while I have some idea about the ssh protocol. Thus, I would appreciate *ANY* feedback on that; even a pile of ideas is better than what I have now.

P.S. If you are familiar with honeynet setup, please do not suggest that I use LKM or a trojaned bash to do the session recovery. I will! I just need a second layer of defense here. Also, recovering scp-ed files is kinda tricky via LKM.

Thanks a lot in advance. I will appreciate any help!

Best,

P.S. Please, do answer directly to me as well as to the list.

-- 
Anton A. Chuvakin, Ph.D.
http://www.chuvakin.org
http://www.info-secure.org
Markus Friedl
2002-Mar-17 20:11 UTC
recovering SSH2 sessions while knowing the key and how to have it
On Thu, Mar 14, 2002 at 10:22:31AM -0500, Anton Chuvakin wrote:
> I want to do a weird thing with my openssh daemon for the honeypot setup.
> Namely, I want it to covertly broadcast the session key, so that, upon
> sniffing the session, the contents can be recovered.

for protocol 1 all you need is session_key[] from sshd.c

for protocol 2 you have to check derive_key() from kex.c
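As an added illustration of the protocol-2 pointer above (this is example code written for this page, not OpenSSH's own kex.c), the following implements the key-derivation rule that derive_key() follows, later codified in RFC 4253 section 7.2: each of the six per-direction keys is HASH(K || H || letter || session_id), extended with HASH(K || H || K1 || ...) when more bytes are needed. It then shows what a recovery tool does with the result: verify the hmac-sha1 MAC of a packet with the direction's MAC key and pull the typed data out of an SSH_MSG_CHANNEL_DATA message. The shared secret K, exchange hash H and the packet contents are constructed values, and the cipher step itself (decrypting the captured bytes with the derived encryption key and IV) is assumed to have already happened; the parser takes packet plaintext.

```python
"""Added example, not OpenSSH code: the SSH2 key-derivation rule that kex.c's
derive_key() implements (RFC 4253 s7.2), plus the packet-side checks a
recovery tool needs.  K, H and the packet below are constructed values."""
import hashlib
import hmac
import struct

SSH_MSG_CHANNEL_DATA = 94

# Constructed stand-ins for what a honeypot sshd would have to leak: the DH
# shared secret K and the exchange hash H.  session_id is the H of the first
# key exchange, so it equals H here.
DEMO_K = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
DEMO_H = hashlib.sha1(b"constructed exchange hash").digest()
DEMO_SESSION_ID = DEMO_H


def mpint(n):
    """SSH mpint (RFC 4251 s5): uint32 length + big-endian two's-complement
    bytes, with a leading 0x00 when the high bit would otherwise be set."""
    if n == 0:
        return struct.pack(">I", 0)
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(body)) + body


def derive_key(letter, need, K, H, session_id, hash_name="sha1"):
    """K1 = HASH(K || H || letter || session_id); Kn = HASH(K || H || K1..Kn-1).
    Concatenate until 'need' bytes exist, then truncate.  letter is b"A"..b"F"."""
    h = hashlib.new(hash_name)
    h.update(mpint(K) + H + letter + session_id)
    key = h.digest()
    while len(key) < need:
        h = hashlib.new(hash_name)
        h.update(mpint(K) + H + key)
        key += h.digest()
    return key[:need]


def derive_all(K, H, session_id, iv_len=16, enc_key_len=16, mac_key_len=20):
    """All six per-direction keys; default lengths suit aes128-cbc + hmac-sha1."""
    letters = {"iv_c2s": b"A", "iv_s2c": b"B", "enc_c2s": b"C",
               "enc_s2c": b"D", "mac_c2s": b"E", "mac_s2c": b"F"}
    lengths = {"iv": iv_len, "enc": enc_key_len, "mac": mac_key_len}
    return {name: derive_key(letter, lengths[name.split("_")[0]], K, H, session_id)
            for name, letter in letters.items()}


def build_packet(payload, block_size=16):
    """Plaintext of an SSH2 binary packet (RFC 4253 s6): uint32 packet_length,
    byte padding_length, payload, padding (zeros here; random on the wire).
    Padding is at least 4 bytes and pads the total to a cipher block multiple."""
    padlen = block_size - ((4 + 1 + len(payload)) % block_size)
    if padlen < 4:
        padlen += block_size
    return struct.pack(">IB", 1 + len(payload) + padlen, padlen) + payload + bytes(padlen)


def compute_mac(mac_key, seqno, plaintext):
    """hmac-sha1 over the implicit uint32 sequence number and the plaintext packet."""
    return hmac.new(mac_key, struct.pack(">I", seqno) + plaintext, hashlib.sha1).digest()


def parse_packet(plaintext, mac, seqno, mac_key):
    """Given an already-decrypted packet and the MAC that followed it on the wire,
    verify it with the direction's MAC key and return the payload, else None."""
    if not hmac.compare_digest(compute_mac(mac_key, seqno, plaintext), mac):
        return None
    packet_len, padlen = struct.unpack(">IB", plaintext[:5])
    if packet_len + 4 != len(plaintext) or padlen < 4 or padlen >= packet_len:
        return None
    return plaintext[5:4 + packet_len - padlen]


def build_channel_data(channel, data):
    """SSH_MSG_CHANNEL_DATA: byte 94, uint32 recipient channel, string data."""
    return bytes([SSH_MSG_CHANNEL_DATA]) + struct.pack(">II", channel, len(data)) + data


def channel_data(payload):
    """Return (recipient_channel, data) for a channel-data message, else None.
    Keystrokes of an interactive session travel in these messages."""
    if len(payload) < 9 or payload[0] != SSH_MSG_CHANNEL_DATA:
        return None
    channel, dlen = struct.unpack(">II", payload[1:9])
    data = payload[9:9 + dlen]
    return (channel, data) if len(data) == dlen else None


if __name__ == "__main__":
    keys = derive_all(DEMO_K, DEMO_H, DEMO_SESSION_ID)
    pkt = build_packet(build_channel_data(0, b"ls -la\n"))
    mac = compute_mac(keys["mac_c2s"], 3, pkt)      # client->server, seqno 3
    payload = parse_packet(pkt, mac, 3, keys["mac_c2s"])
    print(channel_data(payload))                    # (0, b'ls -la\n')
```

The sequence number is never sent; it starts at 0 for each direction and counts every packet, including the unencrypted ones before NEWKEYS, so a tool replaying a dump has to count from the start of the connection. Using the wrong direction's key or the wrong sequence number makes the MAC check fail, which is the first sign that the leaked material or the packet reassembly is off.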
Anton Chuvakin
2002-Mar-18 17:50 UTC
recovering SSH2 sessions while knowing the key and how to have it
Markus and other esteemed members of openssh-dev,

Thanks a lot for the response. I am sorry that my question was a bit vague and open-ended (admittedly, not a good idea for such a mailing list).

>> Namely, I want it to covertly broadcast the session key, so
>> sniffing the session, the contents can be recovered.
> for protocol 1 all you need is
> for protocol 2 you have to check

Thanks for the tip. But (as I even pointed out in my message), knowing the key will not get me very far, since I will end up with a bunch of traffic dumps and a key. Is there any way (that you can think of) to use ssh itself to recover the session from those files? It pains me to think that the only solution will be to write code to do it from scratch using SSH2 protocol knowledge. ;-)

BTW, I have tools to recover ssh1 sessions and my main interest is in ssh2.

Best,

-- 
Anton A. Chuvakin, Ph.D.
http://www.chuvakin.org
http://www.info-secure.org
Markus Friedl
2002-Mar-19 08:40 UTC
recovering SSH2 sessions while knowing the key and how to have it
On Mon, Mar 18, 2002 at 12:50:09PM -0500, Anton Chuvakin wrote:
> Thanks for the tip. But (as I even pointed out in my message), knowing the
> key will not get me very far, since I will end up with a bunch of traffic
> dumps and a key. Is there any way (that you can think of) to use ssh
> itself to recover the session from those files?

yes, just hack ssh.

ssh-privsep (soon in openssh-portable) passes keystate between the unprivileged processes.