Re: Patching a SSH 'Weakness'

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: johan beisser <jb@...>

To: <neffk@...>

Cc: <misc@...>

Subject: Re: Patching a SSH 'Weakness'

Date: Friday, September 12, 2008 - 5:32 pm

On Sep 12, 2008, at 7:02 AM, Kevin Neff wrote:

> Thanks for all the comments. I think we're all pretty much on the

quoted text

> same
> page.
>
> First order of business is to look at how much of a weakness this
> may be.
> Then, implement several potential solutions. Finally, test to see
> if the
> "fixes" improved the situation.

Sorry, I'm finally at my real mail client. It's not a "real"
vulnerability, imho. Merely a way to time and attack the individual
keystrokes. I suspect you could ID individual users, if not figure out
passwords, etc.

If you're that concerned about your ssh session, multiplex the tunnel
and have an expect script randomly execute remote commands through it.
Your interactive shell will be the "real" session, with expect
throwing interactive "noise." No real additional setup required, just
using multiplexed tunneling in ssh(1)

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Patching a SSH 'Weakness', Kevin Neff, (Wed Sep 10, 3:58 pm)

Re: Patching a SSH 'Weakness', Mike M, (Fri Sep 12, 8:01 am)

Re: Patching a SSH 'Weakness', Kevin Neff, (Fri Sep 12, 10:02 am)

Re: Patching a SSH 'Weakness', johan beisser, (Fri Sep 12, 5:32 pm)

Re: Patching a SSH 'Weakness', STeve Andre', (Wed Sep 10, 10:56 pm)

Re: Patching a SSH 'Weakness', Giancarlo Razzolini, (Thu Sep 11, 11:06 am)

Re: Patching a SSH 'Weakness', Damien Miller, (Thu Sep 11, 2:28 am)

Re: Patching a SSH 'Weakness', STeve Andre', (Thu Sep 11, 8:50 am)

Re: Patching a SSH 'Weakness', Aaron Glenn, (Thu Sep 11, 12:40 am)

Re: Patching a SSH 'Weakness', Johan Beisser, (Thu Sep 11, 1:35 am)

Re: Patching a SSH 'Weakness', Hari, (Wed Sep 10, 9:06 pm)

Re: Patching a SSH 'Weakness', Paul de Weerd, (Thu Sep 11, 4:49 am)

Re: Patching a SSH 'Weakness', Darrin Chandler, (Wed Sep 10, 10:21 pm)

Re: Patching a SSH 'Weakness', Marco Peereboom, (Wed Sep 10, 9:50 pm)

Re: Patching a SSH 'Weakness', Damien Miller, (Wed Sep 10, 8:59 pm)


linux-kernel:
Mike Galbraith	Re: regression: CD burning (k3b) went broke
Andi Kleen	[PATCH] [3/22] x86_64: Kill temp boot pmds
Alan Cox	Re: [PATCH][RFC] 4K stacks default, not a debug thing any more...?
Greg Kroah-Hartman	[PATCH 004/196] Chinese: add translation of SubmittingPatches
git:

openbsd-misc:

linux-netdev:
David Miller	[GIT]: Networking
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 05/37] dccp: Cleanup routines for feature negotiation
Brandeburg, Jesse	RE: [PATCH] e1000e: test MSI interrupts

Re: Patching a SSH 'Weakness'

Online users