OpenBSD Journal

Keystroke timing obfuscation added to ssh(1)

Contributed by rueda on from the sigint-- dept.

Damien Miller (djm@) has committed support for keystroke timing obfuscation to ssh(1):

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2023/08/27 21:31:16

Modified files:
	usr.bin/ssh    : clientloop.c misc.c misc.h packet.c packet.h 
	                 readconf.c readconf.h ssh_config.5 

Log message:
Add keystroke timing obfuscation to the client.

This attempts to hide inter-keystroke timings by sending interactive
traffic at fixed intervals (default: every 20ms) when there is only a
small amount of data being sent. It also sends fake "chaff" keystrokes
for a random interval after the last real keystroke. These are
controlled by a new ssh_config ObscureKeystrokeTiming keyword.

feedback/ok markus@

This utilises a pair of new extensions to the SSH protocol:

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2023/08/27 21:28:43

Modified files:
	usr.bin/ssh    : PROTOCOL kex.c kex.h packet.c ssh2.h 

Log message:
Introduce a transport-level ping facility

This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG
to implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".

ok markus@

Yet another fine example of security by trickery, and one more reason to look forward to the next OpenBSD release. Other systems will likely see this soon after via openssh-portable.
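
As an added illustration (not OpenSSH code and not part of the original post), this Python model shows what a passive observer sees under the scheme the first commit log describes: packets on a fixed 20 ms grid, with chaff for a random interval after the last real keystroke. The function names, the 1000 to 3000 ms chaff range and the sample keystroke times are assumptions made for the example.

```python
import random

# Constructed sample: times (ms) at which a user pressed keys.
SAMPLE_KEYS_MS = [0, 137, 221, 480, 533, 902]

def obscure(keys_ms, interval_ms=20, chaff_range_ms=(1000, 3000), rng=None):
    """Return [(send_time_ms, kind)] for a simplified model of the scheme.

    kind is "real" or "chaff"; it is ground truth for this example only.
    A passive observer sees just the send times.
    """
    rng = rng or random.Random()
    keys = sorted(keys_ms)
    packets, i = [], 0
    while i < len(keys):
        tick = keys[i]            # a keystroke after idle starts the timer
        chaff_until = tick
        while True:
            queued = 0
            while i < len(keys) and keys[i] <= tick:
                i += 1            # keystroke waits for the next tick
                queued += 1
            if queued:
                packets.append((tick, "real"))
                # Assumed range: keep sending chaff for a random time
                # after the most recent real keystroke.
                chaff_until = tick + rng.randint(*chaff_range_ms)
            elif tick <= chaff_until:
                packets.append((tick, "chaff"))
            else:
                break             # idle again until the next keystroke
            tick += interval_ms
    return packets

def gaps(times_ms):
    """Inter-arrival times, the signal a timing attack works from."""
    return [b - a for a, b in zip(times_ms, times_ms[1:])]

if __name__ == "__main__":
    out = obscure(SAMPLE_KEYS_MS, rng=random.Random(1))
    print("raw gaps:     ", gaps(SAMPLE_KEYS_MS))
    print("observed gaps:", sorted(set(gaps([t for t, _ in out]))))
    print("real/chaff:   ", sum(k == "real" for _, k in out),
          sum(k == "chaff" for _, k in out))
```

In this model a pause longer than the chaff window still shows up as a gap in traffic; only the timing between keystrokes inside a burst is flattened.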



Comments
  1. By Amit Kulkarni (amitkulz) on

    Woooot. The first in practical security solutions.

  2. By Peter J. Philipp (pjp) nospam@delphinusdns.org on

    This is great, and as soon as I saw the commit I mailed djm@ that I think this was a great addition. However great, there is one computer in my household that cannot use it, and it's a tradeoff. The reason is that my Netgear switch blinks per packet, and the switch is right in my field of vision as one of two in my household. The core switch is OK, I don't see it all the time, but the office switch, if there are a lot of packets bursting, makes me think there is a large download from my workstation. It's a bit of an eyesore and I turned chaff off for this workstation. I'll have to get in contact with Netgear on how to stop the blinking on the LEDs in this switch; at first search I didn't find it.

    Good job djm! Thank you!

    Comments
    1. By Janne Johansson (jj) jj@stacken.kth.se on http://www.inet6.se

      A piece of tape or colored paper covering the LEDs goes quite far, compared to asking cheap switch vendors to change their code.

      Comments
      1. By Matt Park (mattjpark) matthew.james.park@gmail.com on

        You never know. Peter may be the type of guy to apply to Netgear and get hired, add his feature/fix on the first day then put in his 2 week notice.

        Comments
        1. By Peter J. Philipp (pjp) nospam@delphinusdns.org on

          You never know...

      2. By Peter J. Philipp (pjp) nospam@delphinusdns.org on

        I'm gonna move it out of my field of vision, I just need to clean up a bit and untangle cables. :P

        Best Regards,
        -peter
