https://undeadly.org/cgi?action=article;sid=20230829051257

OpenBSD Journal

Keystroke timing obfuscation added to ssh(1)

Contributed by rueda on 2023-08-28 from the sigint-- dept.

Damien Miller (djm@) has committed support for keystroke timing obfuscation to ssh(1):

    CVSROOT: /cvs
    Module name: src
    Changes by: djm@cvs.openbsd.org 2023/08/27 21:31:16

    Modified files:
        usr.bin/ssh : clientloop.c misc.c misc.h packet.c packet.h
                      readconf.c readconf.h ssh_config.5

    Log message:
    Add keystroke timing obfuscation to the client.

    This attempts to hide inter-keystroke timings by sending interactive
    traffic at fixed intervals (default: every 20ms) when there is only a
    small amount of data being sent. It also sends fake "chaff" keystrokes
    for a random interval after the last real keystroke. These are
    controlled by a new ssh_config ObscureKeystrokeTiming keyword/

    feedback/ok markus@

This utilises a pair of new extensions to the SSH protocol:

    CVSROOT: /cvs
    Module name: src
    Changes by: djm@cvs.openbsd.org 2023/08/27 21:28:43

    Modified files:
        usr.bin/ssh : PROTOCOL kex.c kex.h packet.c ssh2.h

    Log message:
    Introduce a transport-level ping facility

    This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG
    to implement a ping capability. These messages use numbers in the "local
    extensions" number space and are advertised using a "ping@openssh.com"
    ext-info message with a string version number of "0".

    ok markus@

Yet another fine example of security by trickery, and one more reason to look forward to the next OpenBSD release. Other systems will likely see this soon after via openssh-portable.

---------------------------------------------------------------------

Comments

1. By Amit Kulkarni (amitkulz) on 2023-08-29 17:25

   Woooot. The first in practical security solutions.
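An added illustration, not part of the original article and not OpenSSH code: a simplified model of the behaviour the first log message describes, showing that packets leave at fixed 20 ms intervals whatever the typing rhythm. The function names, the 200-400 ms chaff range and the sample timings are assumptions made for the example.

```python
import random

def next_slot(t_ms, interval_ms):
    """First multiple of interval_ms at or after t_ms."""
    return -(-t_ms // interval_ms) * interval_ms

def obscure(keystrokes_ms, interval_ms=20, chaff_ms=(200, 400), seed=0):
    """Simplified model of the scheme in the log message (not OpenSSH code).

    keystrokes_ms: integer times at which the user typed.
    chaff_ms: assumed (min, max) of the random chaff period; constructed values.
    Returns the on-wire schedule as (send_time_ms, "real" | "chaff") tuples.
    """
    rng = random.Random(seed)
    pending = sorted(keystrokes_ms)
    sent, chaff_until = [], -1
    if not pending:
        return sent
    tick = next_slot(pending[0], interval_ms)
    while True:
        typed = False
        # Keystrokes typed since the previous slot share one packet.
        while pending and pending[0] <= tick:
            chaff_until = pending.pop(0) + rng.randint(*chaff_ms)
            typed = True
        if typed:
            sent.append((tick, "real"))
        elif tick <= chaff_until:
            sent.append((tick, "chaff"))   # fake keystroke keeps the rhythm
        elif pending:
            # Chaff period expired before the next keystroke: go quiet, resume later.
            tick = next_slot(pending[0], interval_ms)
            continue
        else:
            return sent
        tick += interval_ms

def gaps(times):
    """Differences between consecutive timestamps."""
    return [b - a for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    typed = [3, 98, 141, 308, 360]            # constructed sample input
    wire = obscure(typed)
    print("typing gaps :", gaps(typed))
    print("on-wire gaps:", sorted(set(gaps([t for t, _ in wire]))))
    print("real packets:", [t for t, k in wire if k == "real"])
```

In this model a pause longer than the chaff period still appears on the wire as a gap, since nothing is sent once the chaff stops.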