Hi list,

as revealed earlier this year, secret services are actively scanning the net for vulnerable services in the context of programs like CSEC's LANDMARK and GCHQ's HACIENDA [0]. We assume that OpenSSH is one of the most lucrative targets of these programs by using 0-day exploits. Furthermore, there is a long-running worm on the Internet brute-forcing access to systems by guessing usernames and passwords, which thanks to "cloud" computing is virtually impossible to contain (see, for example, [1]).

TCP Stealth is an IETF draft [2] which has the goal of locking out port scanners by introducing a symmetric secret which has to be known to both sides for a connection to succeed. This functionality is implemented by patching the respective operating system's kernel - in the case of Linux this is done by the Knock patch [3], which introduces a new setsockopt().

In order to broaden support for TCP Stealth on the user side, we've created patches for the OpenBSD and Linux versions of OpenSSH which introduce the -z command line option and a new TCPStealthSecret configuration option if the running kernel/libc exports the TCP_STEALTH constant. (PGP signatures of the patch are available at the project homepage [3].)

We would be glad if the maintainers decided to incorporate our patch into the standard track of OpenSSH.

Best regards,
Julian

---
[0] http://www.heise.de/ct/artikel/NSA-GCHQ-The-HACIENDA-Program-for-Internet-Colonization-2292681.html
[1] http://blog.sucuri.net/2013/07/ssh-brute-force-the-10-year-old-attack-that-still-persists.html
[2] http://datatracker.ietf.org/doc/draft-kirsch-ietf-tcp-stealth/
[3] https://gnunet.org/knock

Attachments (non-text, scrubbed by the list archive):
openssh-bsd-knock-patch.diff (text/x-patch, 13791 bytes): <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141111/6d495591/attachment-0002.bin>
openssh-linux-knock-patch.diff (text/x-patch, 19457 bytes): <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141111/6d495591/attachment-0003.bin>
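The pattern the mail describes (enable TCP Stealth only when the kernel/libc exports TCP_STEALTH, and set the shared secret on the socket before listen() or connect()) as an added example in C; this is not code from the Knock or OpenSSH patches. The setsockopt() convention (level IPPROTO_TCP, secret passed as an opaque byte string), the 64-byte limit and the status codes are assumptions, not taken from the draft.

```c
/* Added example, not code from the Knock or OpenSSH patches. Mirrors the mail:
 * TCP Stealth is armed only when TCP_STEALTH is exported; otherwise the caller
 * is told so instead of silently running plain TCP. The setsockopt() argument
 * convention and the 64-byte secret limit are assumptions about the Knock patch. */
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum { STEALTH_OK, STEALTH_UNSUPPORTED, STEALTH_BAD_SECRET, STEALTH_SYSCALL_ERR };
#define STEALTH_MAX_SECRET 64 /* assumed limit */
#ifdef TCP_STEALTH
#define STEALTH_COMPILED_IN 1 /* kernel/libc headers export the constant */
#else
#define STEALTH_COMPILED_IN 0 /* plain TCP: the option does not exist here */
#endif

/* Apply the shared secret to a TCP socket; must run before connect()/listen(). */
int tcp_stealth_enable(int fd, const char *secret)
{
    size_t len = secret ? strlen(secret) : 0;
    if (len == 0 || len > STEALTH_MAX_SECRET)
        return STEALTH_BAD_SECRET;
#ifdef TCP_STEALTH
    if (setsockopt(fd, IPPROTO_TCP, TCP_STEALTH, secret, (socklen_t)len) < 0)
        return STEALTH_SYSCALL_ERR; /* e.g. ENOPROTOOPT on an unpatched kernel */
    return STEALTH_OK;
#else
    (void)fd;
    return STEALTH_UNSUPPORTED;
#endif
}

/* Server side, as a patched sshd would do it: arm the listening socket with the
 * secret before listen(). Returns the fd or -1; *status records the outcome. */
int stealth_listen(unsigned short port, const char *secret, int *status)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { *status = STEALTH_SYSCALL_ERR; return -1; }
    *status = tcp_stealth_enable(fd, secret);
    if ((*status == STEALTH_OK || *status == STEALTH_UNSUPPORTED) &&
        bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(fd, 8) == 0)
        return fd;
    if (*status == STEALTH_OK || *status == STEALTH_UNSUPPORTED)
        *status = STEALTH_SYSCALL_ERR; /* bind() or listen() failed */
    close(fd);
    return -1;
}
```

A deployment that relies on the secret should treat STEALTH_UNSUPPORTED on the server as fatal rather than fall back to an unprotected listener.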