
Re: Guaranteeing SSH access to specific clients

From Harold Johanssen <noemail@please.net>
Newsgroups comp.os.linux.misc
Subject Re: Guaranteeing SSH access to specific clients
Date 2022-12-09 22:03 +0000
Organization Aioe.org NNTP Server
Message-ID <tn0bbn$btf$1@gioia.aioe.org> (permalink)
References <tmtf02$1ufi$1@gioia.aioe.org> <tmvhru$ccf$1@gioia.aioe.org> <tmvl0f$16evk$1@dont-email.me>



On Fri, 9 Dec 2022 17:42:05 +0200, Tauno Voipio wrote:

> On 9.12.2022 16.48, Harold Johanssen wrote:
>> On Thu, 8 Dec 2022 19:47:14 -0000 (UTC), Harold Johanssen wrote:
>> 
>>> I don't know whether this is reasonably possible, but I thought I'd
>>> ask anyway, just in case:
>>>
>>> 	Is it possible to guarantee SSH to a specific client, to the
>>> exclusion of all other clients? In effect, all other connections would
>>> be immediately rejected, even before the SSH protocol exchange gets
>>> going. The following requirements must be met:
>>>
>>> 	- The SSH server must be listening on port 22.
>>> 	- The target client may connect from different, arbitrary IP
>>> addresses.
>>>
>>> 	This would be easily possible with tweaked SSH servers and
>>> clients, but I am not sure it can be done with off-the-shelf ones.
>> 
>> 	Thanks, everybody, for your suggestions. Here's what I am going to do:
>> 
>> 	Since I am talking about a particular Linux SSH server that I
>> fully control, and a particular Linux SSH client that I also fully
>> control, I am going to make use of the SSH identification string. Since
>> this string contemplates an optional field where one can put anything
>> (with the constraints mentioned in the relevant RFC) I will use the
>> contents of that string to filter out incoming connections.
>> 
>> 	Initially I will use some arbitrary, fixed string - the changes
>> to the SSH client and server code to support this are trivial. Later
>> on I could use an OTP-like scheme, which would not be much more
>> difficult to pull off. Either way, my server will reject pests before
>> the SSH protocol exchange gets going (which is elaborate and
>> computationally intensive) and my client will still work with standard
>> SSH servers. I'll have to maintain that code, but that will be a nice
>> entertainment.
> 
> There is such a mechanism already in SSH. Google for 'passwordless ssh
> login'. The generated cryptographic keys are far more secure than an
> invented string.

	That does not prevent the computationally expensive secure 
channel establishment exchanges from taking place, for the authentication 
mechanisms exchange phase happens after the secure channel has been 
created.

	Notice what I want to do does not replace the authentication 
mechanisms already in place in the ssh protocol - I am just aiming to 
slam the door on intruders as early in the connection as possible. Once a 
connection is accepted by virtue of the mechanism described above, the 
rest is pure ssh.
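The gate described in this post, worked through as an added example; it is not code from the thread and not part of OpenSSH. It parses the identification line a client sends first (RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF", at most 255 bytes) and admits a connection only if the optional comments field carries a token derived from a shared secret, so everything else is dropped before key exchange starts. The token layout, the HMAC-over-time-step scheme for the OTP-like variant, the secret and the sample identification lines are all assumptions of this example.

```python
"""Server-side gate on the SSH identification string (RFC 4253, sec. 4.2).

The client's first line is  SSH-protoversion-softwareversion SP comments CR LF.
A modified client puts a token in the comments field; the server checks it
before any key exchange. Secret, token format and sample lines below are
constructed for this example, not taken from any SSH implementation.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

SHARED_SECRET = b"example-shared-secret-change-me"   # assumed; provision out of band
TOKEN_STEP_SECONDS = 30                              # time step for the OTP-like token
MAX_IDENT_LEN = 255                                  # RFC 4253: 255 chars including CR LF


def parse_ident(line: bytes) -> Dict[str, bytes]:
    """Split an identification line into proto / software / comments, or raise ValueError."""
    if len(line) > MAX_IDENT_LEN:
        raise ValueError("identification line too long")
    if not line.endswith(b"\n"):
        raise ValueError("identification line not terminated")
    body = line.rstrip(b"\r\n")            # a bare LF is tolerated, as common servers do
    if not body.startswith(b"SSH-"):
        raise ValueError("missing SSH- prefix")
    head, _, comments = body.partition(b" ")   # comments begin after the first space
    parts = head.split(b"-", 2)                # ["SSH", protoversion, softwareversion]
    if len(parts) != 3:
        raise ValueError("missing protoversion or softwareversion")
    _, proto, software = parts
    if proto not in (b"2.0", b"1.99"):
        raise ValueError("unsupported protocol version %r" % proto)
    # softwareversion must be printable US-ASCII with no whitespace
    if not software or not all(0x21 <= c <= 0x7E for c in software):
        raise ValueError("malformed softwareversion")
    return {"proto": proto, "software": software, "comments": comments}


def expected_token(secret: bytes, now: Optional[float] = None) -> str:
    """OTP-like token: HMAC-SHA256 over the current time step, truncated to 16 hex chars."""
    ts = time.time() if now is None else now
    step = int(ts // TOKEN_STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).hexdigest()
    return mac[:16]


def client_ident(software: bytes, token: str) -> bytes:
    """The line a modified client sends: the token rides in the comments field."""
    line = b"SSH-2.0-" + software + b" " + token.encode("ascii") + b"\r\n"
    if len(line) > MAX_IDENT_LEN:
        raise ValueError("identification line too long")
    return line


def admit(line: bytes, secret: bytes = SHARED_SECRET,
          now: Optional[float] = None, skew_steps: int = 1) -> bool:
    """Return True only for a well-formed line whose comments carry a currently valid token.

    Malformed lines, stock clients (no token) and stale tokens are rejected; the
    caller should then close the socket without sending its own banner or KEXINIT.
    """
    try:
        fields = parse_ident(line)
    except ValueError:
        return False
    presented = fields["comments"].split(b" ")[0]      # token is the first comment word
    ts = time.time() if now is None else now
    for delta in range(-skew_steps, skew_steps + 1):   # tolerate one step of clock skew
        candidate = expected_token(secret, ts + delta * TOKEN_STEP_SECONDS).encode("ascii")
        if hmac.compare_digest(presented, candidate):
            return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000.0
    samples = [                                          # constructed sample lines
        client_ident(b"OpenSSH_9.1", expected_token(SHARED_SECRET, now)),  # our client
        b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",                   # stock client
        b"SSH-2.0-PuTTY_Release_0.78\r\n",                                 # no comments
        b"GET / HTTP/1.0\r\n",                                             # not SSH at all
    ]
    for s in samples:
        print("ADMIT " if admit(s, now=now) else "REJECT", s)
```

The check runs on the one line a client must send before anything else, so the cost of refusing a scanner is a read and a close rather than a Diffie-Hellman exchange. A fixed string would be visible to anyone watching the wire, since the identification exchange is in the clear, which is why the token here changes every 30 seconds; even so, as the post says, this only front-loads the rejection and does nothing to replace host-key verification and public-key authentication once the connection is admitted.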

