Contributed by rueda on from the sigint-- dept.
Damien Miller (djm@) has committed support for keystroke timing obfuscation to ssh(1):
CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2023/08/27 21:31:16

Modified files:
    usr.bin/ssh : clientloop.c misc.c misc.h packet.c packet.h
                  readconf.c readconf.h ssh_config.5

Log message:
Add keystroke timing obfuscation to the client.

This attempts to hide inter-keystroke timings by sending interactive
traffic at fixed intervals (default: every 20ms) when there is only a
small amount of data being sent. It also sends fake "chaff" keystrokes
for a random interval after the last real keystroke. These are
controlled by a new ssh_config ObscureKeystrokeTiming keyword.

feedback/ok markus@
This utilises a pair of new extensions to the SSH protocol:
CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2023/08/27 21:28:43

Modified files:
    usr.bin/ssh : PROTOCOL kex.c kex.h packet.c ssh2.h

Log message:
Introduce a transport-level ping facility

This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG
to implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".

ok markus@
Yet another fine example of security by trickery, and one more reason to look forward to the next OpenBSD release. Other systems will likely see this soon after via openssh-portable.
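The scheduling described in the first commit message, as a simplified model (an added example, not OpenSSH's code): packets leave only on a fixed 20 ms grid and chaff fills the empty ticks, so the inter-packet gaps an observer records stop tracking the typing rhythm. The keystroke times and the chaff-tail bounds (`chaff_ms`) are constructed assumptions, as is the premise that chaff looks the same as a real keystroke on the wire.

```python
import random

INTERVAL_MS = 20  # default send interval given in the commit message
SAMPLE_KEYS_MS = [0, 135, 210, 480, 525, 910]  # constructed keystroke times

def next_tick(t_ms, interval_ms):
    """First point on the fixed send grid at or after t_ms."""
    return -(-t_ms // interval_ms) * interval_ms

def plain_schedule(keys_ms):
    """No obfuscation: each keystroke is sent the moment it is typed."""
    return [(t, "real") for t in sorted(keys_ms)]

def obscured_schedule(keys_ms, interval_ms=INTERVAL_MS,
                      chaff_ms=(500, 1500), rng=None):
    """Send only on grid ticks; fill ticks that have no real data with chaff.

    chaff_ms is an assumed (min, max) for the random tail after a real
    keystroke; the commit message says only "a random interval".
    """
    rng = rng or random.Random()
    keys = sorted(keys_ms)
    out, i, chaff_until = [], 0, -1
    tick = next_tick(keys[0], interval_ms) if keys else 0
    while i < len(keys) or tick <= chaff_until:
        if tick > chaff_until and keys[i] > tick:
            # Tail expired with nothing typed: stay silent until the next key.
            tick = next_tick(keys[i], interval_ms)
        typed = 0
        while i < len(keys) and keys[i] <= tick:
            typed, i = typed + 1, i + 1  # everything typed since last tick
        if typed:
            out.append((tick, "real"))
            chaff_until = tick + rng.randint(*chaff_ms)  # re-arm the tail
        else:
            out.append((tick, "chaff"))
        tick += interval_ms
    return out

def observed_gaps(schedule):
    """Inter-packet times, the signal an observer uses for timing analysis."""
    times = [t for t, _ in schedule]
    return [b - a for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    print("plain   :", observed_gaps(plain_schedule(SAMPLE_KEYS_MS)))
    obscured = obscured_schedule(SAMPLE_KEYS_MS)
    print("obscured:", sorted(set(observed_gaps(obscured))))
    # A pause longer than the chaff tail is still visible as one long gap.
    print("idle gap:", max(observed_gaps(obscured_schedule([0, 5000]))))
```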
By Amit Kulkarni (amitkulz) on
Woooot. The first in practical security solutions.
By Peter J. Philipp (pjp) nospam@delphinusdns.org on
This is great, and as soon as I saw the commit I mailed djm@ that I think this was a great addition. However great, there is one computer in my household that cannot use it, and it's a tradeoff. The reason is that my Netgear switch blinks per packet, and the switch is right in my field of vision as one of two in my household. The core switch is OK, I don't see it all the time, but the office switch, if there are a lot of packets bursting, makes me think there is a large download from my workstation. It's a bit of an eyesore and I turned chaff off for this workstation. I'll have to get in contact with Netgear on how to stop the blinking on the LEDs in this switch; at first search I didn't find it.
Good job djm! Thank you!
By Janne Johansson (jj) jj@stacken.kth.se on http://www.inet6.se
A piece of tape or colored paper covering the LEDs goes quite far, compared to asking cheap switch vendors to change their code.
By Matt Park (mattjpark) matthew.james.park@gmail.com on
You never know. Peter may be the type of guy to apply to Netgear and get hired, add his feature/fix on the first day then put in his 2 week notice.
By Peter J. Philipp (pjp) nospam@delphinusdns.org on
You never know...
By Peter J. Philipp (pjp) nospam@delphinusdns.org on
I'm gonna move it out of my field of vision, I just need to clean up a bit and untangle cables. :P
Best Regards,
-peter