ssh_ignore and accessing Foundry ssh clients
Guy Gascoigne-Piggford
ggp@tripwire.com
Tue, 26 Nov 2002 15:51:45 -0800
We have a customer who is using our app (which contains mindterm 2.2
commercial) to access an ssh client on a foundry router that claims to be ssh
version 1.5. This appears to pad passwords with a random number of
ssh_ignore packets and causes mindterm to fail to connect.
Is there an option in mindterm (like there is in PuTTY) to ignore the
barrage of ignore messages?
BTW this is the snippet off the Foundry site.
---
Q: I cannot connect to my Cisco or Foundry device, what is wrong?
A: The problem is that our client, and some other clients and servers, like to
add some data around the password so that it would be even more difficult for
a possible eavesdropper to extract the password. As you know, there has been a
lot of hassle about traffic analysis against SSH traffic. Traffic analysis
having been invented at the beginning of the last century, it is no wonder
that methods to make it harder have also been added to the SSH draft. So,
password masking (as it is called) actually follows the draft and is standard
behaviour for SSH applications.
Password "masking":
The F-Secure SSH client adds a random number of ssh_ignore packets around the
password packet to make it harder to guess which of the packets contains the
user's password. The ssh_ignore message is defined in the SSH 1.5 protocol
draft and every implementation must handle these messages correctly, but it
seems that some ssh1 implementations do not support that.
---
Thanks - Guy
--
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are, by
definition, not smart enough to debug it." - Brian W. Kernighan
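The exchange the quoted FAQ describes, shown at the packet level as an added
example (not code from the original post, nor from MindTerm, F-Secure or
Foundry). Framing follows the SSH 1.5 draft: a 4-byte length, 1..8 bytes of
padding so that length plus padding is a multiple of 8, a one-byte type, the
payload, and a CRC32 over padding + type + payload, where the CRC is the SSH1
flavour of CRC-32 (polynomial 0xEDB88320, zero initial value, no final
complement). Encryption is left out so the raw bytes can be inspected, and the
password and the 0..3 ignore-packet counts are constructed for the demo. The
conformant receiver consumes and drops SSH_MSG_IGNORE (type 32) before acting
on the next message; the naive receiver takes whatever arrives first and so
never sees the password:

```python
"""SSH 1.5 packet framing with SSH_MSG_IGNORE 'password masking'.

Added example; not from the original post, MindTerm, F-Secure or Foundry.
Unencrypted, with a constructed password and constructed ignore counts.
"""
import os
import secrets
import struct
from typing import List, Optional, Tuple

SSH_CMSG_AUTH_PASSWORD = 9   # payload: string password
SSH_MSG_IGNORE = 32          # payload: string data; receiver must discard it

_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def ssh1_crc32(data: bytes) -> int:
    """CRC-32 as SSH1 computes it: zlib's table, but no initial 0xFFFFFFFF
    and no final XOR."""
    crc = 0
    for b in data:
        crc = _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc


def ssh1_string(s: bytes) -> bytes:
    """SSH1 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(s)) + s


def parse_string(buf: bytes) -> bytes:
    (n,) = struct.unpack(">I", buf[:4])
    if len(buf) != 4 + n:
        raise ValueError("malformed string")
    return buf[4:]


def build_packet(msg_type: int, payload: bytes) -> bytes:
    length = 1 + len(payload) + 4            # type + payload + crc (draft definition)
    pad_len = 8 - (length % 8)               # 1..8, so (pad_len + length) % 8 == 0
    body = os.urandom(pad_len) + bytes([msg_type]) + payload
    return struct.pack(">I", length) + body + struct.pack(">I", ssh1_crc32(body))


def mask_password(password: bytes, before: Optional[int] = None,
                  after: Optional[int] = None) -> bytes:
    """Client side of 'password masking': SSH_CMSG_AUTH_PASSWORD wrapped in a
    random number (0..3, a constructed choice) of SSH_MSG_IGNORE packets full
    of random junk.  The counts can be pinned for testing."""
    def ignore() -> bytes:
        return build_packet(SSH_MSG_IGNORE, ssh1_string(os.urandom(secrets.randbelow(32))))

    before = secrets.randbelow(4) if before is None else before
    after = secrets.randbelow(4) if after is None else after
    return (b"".join(ignore() for _ in range(before))
            + build_packet(SSH_CMSG_AUTH_PASSWORD, ssh1_string(password))
            + b"".join(ignore() for _ in range(after)))


def parse_stream(stream: bytes) -> List[Tuple[int, bytes]]:
    """Cut a raw byte stream into (type, payload) packets, checking every CRC."""
    packets, off = [], 0
    while off < len(stream):
        if len(stream) - off < 4:
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", stream[off:off + 4])
        pad_len = 8 - (length % 8)
        total = 4 + pad_len + length
        frame = stream[off:off + total]
        if length < 5 or len(frame) != total:
            raise ValueError("truncated or malformed packet")
        body, (crc,) = frame[4:-4], struct.unpack(">I", frame[-4:])
        if ssh1_crc32(body) != crc:
            raise ValueError("bad CRC")
        packets.append((body[pad_len], body[pad_len + 1:]))
        off += total
    return packets


def recv_message(packets: List[Tuple[int, bytes]], skip_ignore: bool = True):
    """First message the receiver acts on.  skip_ignore=True is the conformant
    behaviour (ignores are consumed and dropped); skip_ignore=False models the
    implementations the FAQ complains about, which take whatever arrives first
    as the expected message and therefore break when that is an ignore."""
    for msg_type, payload in packets:
        if skip_ignore and msg_type == SSH_MSG_IGNORE:
            continue
        return msg_type, payload
    return None


if __name__ == "__main__":
    pkts = parse_stream(mask_password(b"hunter2"))
    n_ignore = sum(t == SSH_MSG_IGNORE for t, _ in pkts)
    print(f"{len(pkts)} packets on the wire, {n_ignore} of them SSH_MSG_IGNORE")
    t, p = recv_message(pkts)
    print("conformant receiver: type", t, "password", parse_string(p))
    print("naive receiver: type", recv_message(pkts, skip_ignore=False)[0])
```

Run it a few times: the number of ignore packets changes, the conformant
receiver always ends up holding type 9 with the password, and the naive one
reports type 32 whenever at least one ignore was sent first, which is the
failure mode the FAQ attributes to some ssh1 implementations. The CRC check is
what lets a receiver trust the length field enough to skip a packet at all.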