
Patch: for SSH 2.0, send client banner immediately and save a round-trip


Hello everyone,

The SSH protocol version 2 standards allow the client banner to be sent immediately, with no need to wait for the server to send its version identification first:

5.2. New Client, Old Server

Since the new client MAY immediately send additional data after its identification string (before receiving the server's identification string)...

And this is also the default behavior of the OpenSSH client after 6.2:

 * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1)
   now immediately sends its SSH protocol banner to the server without
   waiting to receive the server's banner, saving time when connecting.

The following code was excerpted from OpenSSH 6.9, in the function ssh_exchange_identification:

    /*
     * If we are SSH2-only then we can send the banner immediately and
     * save a round-trip.
     */
    if (options.protocol == SSH_PROTO_2) {
        enable_compat20();
        send_client_banner(connection_out, 0);
        client_banner_sent = 1;
    }

    /* Read other side's version identification. */

The attachment is the patch that enables sending the client banner immediately for version 2 and keeps the old behavior for version 1.x; it was created based on the 0.7 branch.

Besides saving a round-trip, another benefit of the patch is that it improves libssh's penetrability of firewalls. For example, some passive firewalls won’t relay the TCP SYN request until the client begins sending effective packets, so if the client keeps waiting for the server's version identification, it will fail with a timeout.

Actually, I found this behavior when I was trying to penetrate a firewall through its approved 443 (HTTPS) port. Since HTTPS is a “client speaks first” protocol, the firewall didn’t relay the TCP SYN request, and libssh failed with a timeout in this circumstance. But after I changed to using OpenSSH 6.8/6.9/7.1, which send the client banner immediately, they were able to connect to the remote side very fast.

I've tested this patch with OpenSSH_6.6.1p1 and Dropbear 2013.62 servers, and both work without problems. OpenSSH and Dropbear are the most used SSH servers, so I think it’s safe to apply this patch.

I didn’t try testing the patch with the libssh server code, but I think it should work since the server also sends its version identification immediately after the socket is established. Please correct me if I misunderstood the server-side behavior of libssh.

Best,

Yang

Attachment: patch-client-banner.diff
Description: Binary data
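
Added example (not part of the original message, the attached patch, or libssh/OpenSSH code): the timeout described in the message, reproduced locally in C. A forked child on a socketpair stands in for a path that delivers the server's identification string only after the client has sent data; the identification strings, function names and timeouts are assumptions made for the illustration.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed identification strings, not taken from any real implementation. */
#define CLIENT_ID "SSH-2.0-example_client\r\n"
#define SERVER_ID "SSH-2.0-example_server\r\n"

/* Child: stands in for a path that delivers the server's identification
 * string only after the client has sent its first bytes. */
static void peer_silent_until_client_speaks(int fd) {
    char buf[256];
    if (read(fd, buf, sizeof buf) > 0 && write(fd, SERVER_ID, strlen(SERVER_ID)) < 0)
        _exit(1);
    _exit(0);
}

/* Returns 1 if an "SSH-2.0-" identification line arrives within timeout_ms, 0 on
 * timeout or I/O failure, -1 on setup error. send_first = banner before reading. */
int exchange_identification(int send_first, int timeout_ms) {
    int sv[2];
    char line[256] = "";
    size_t n = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); peer_silent_until_client_speaks(sv[1]); }
    close(sv[1]);
    int ok = !send_first || write(sv[0], CLIENT_ID, strlen(CLIENT_ID)) > 0;
    struct pollfd p = { .fd = sv[0], .events = POLLIN };
    /* Read until the line terminator, giving up when the timeout expires. */
    while (ok && n < sizeof line - 1 && !strchr(line, '\n') && poll(&p, 1, timeout_ms) > 0) {
        ssize_t r = read(sv[0], line + n, sizeof line - 1 - n);
        if (r <= 0) break;
        n += (size_t)r;
        line[n] = '\0';
    }
    close(sv[0]);               /* EOF unblocks a peer still waiting for us */
    waitpid(pid, NULL, 0);
    return ok && strchr(line, '\n') && strncmp(line, "SSH-2.0-", 8) == 0;
}

int main(void) {
    printf("send first: %d\n", exchange_identification(1, 500));
    printf("wait first: %d\n", exchange_identification(0, 500));
    return 0;
}
```

A client that waits for the server (send_first = 0) gives up after the timeout, while the send-first client completes the exchange against the same peer.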


