[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Patch: for SSH 2.0, send client banner immediately and save a round-trip
[Thread Prev] | [Thread Next]
- Subject: Patch: for SSH 2.0, send client banner immediately and save a round-trip
- From: Yang Yubo <yang@xxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Wed, 14 Oct 2015 15:07:00 +0800
- To: libssh@xxxxxxxxxx
Hello everyone, The SSH protocol version 2 standards allow client banner send immediately, no need to wait server responses its version identification first:
And this is also the default behavior after OpenSSH 6.2 client: * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1) now immediately sends its SSH protocol banner to the server without waiting to receive the server's banner, saving time when connecting. Following code was abstracted from OpenSSH 6.9, in function ssh_exchange_identification /* * If we are SSH2-only then we can send the banner immediately and * save a round-trip. */ if (options.protocol == SSH_PROTO_2) { enable_compat20(); send_client_banner(connection_out, 0); client_banner_sent = 1; } /* Read other side's version identification. */ The attachment is the patch that enables sending client banner immediately for version 2, and keep the old behavior for version 1.x, created based on 0.7 branch. Besides saving a round-trip, another benefit of the patch is it improves libssh penetrability of the firewall. For example, some passive firewall won’t relay TCP SYN request until client begins sending effective packets, so if client keeps waiting server version identification, it will be failed with time out. Actually, I found this behavior when I was trying to penetrate a firewall through its approved 443 (HTTPS) port, but since HTTPS is a “client speaks first” protocol, so the firewall didn’t relay TCP SYN request, and libssh failed with timeout on this circumstance. But after I changed to use OpenSSH 6.8/6.9/7.1 which send client banner immediately, they were able to connect remote side very fast. I've tested this patch with OpenSSH_6.6.1p1 and Dropbear 2013.62 servers, both works without problem. OpenSSH and Dropbear are the most used SSH servers, so I think it’s safe to apply this patch. I didn’t tried testing the patch with libssh server code, but I think it should works since the server also sends its version identification immediately after socket established. Please correct me if I misunderstood the server side behavior of libssh. Best, Yang |
Attachment:
patch-client-banner.diff
Description: Binary data
Re: Patch: for SSH 2.0, send client banner immediately and save a round-trip | Yang Yubo <yang@xxxxxxxxxxxx> |
Re: Patch: for SSH 2.0, send client banner immediately and save a round-trip | Andreas Schneider <asn@xxxxxxxxxxxxxx> |