Mailing List Archive

[SUSPECTED SPAM] Re: [SUSPECTED SPAM] Filtering incoming connections on the basis of the ID string
My motivation is to allow connections from specific clients, no matter
where they are. For example, a laptop that belongs to somebody I know,
which could be trying to connect from some arbitrary IP address. They would
still have to authenticate themselves, of course. I just want to summarily
reject everybody else.

On Sun, May 30, 2021 at 7:07 PM Damien Miller <djm@mindrot.org> wrote:

> On Sun, 30 May 2021, Luveh Keraph wrote:
>
> > I would be interested to filter incoming connections depending on the exact
> > nature of the ID string supplied by the customer. RFC 4253 specifies that
> > that ID string should conform to the following structure:
> >
> > SSH-protoversion-softwareversion SP comments CR LF
> >
> > I would like to be able to selectively allow incoming connections to
> > proceed (or terminate them there and then) when the value of
> > softwareversion (or even comments) matches some predetermined pattern. Is
> > this something that OpenSSH servers can do?
>
> No, but it probably wouldn't be too hard to implement a "Match clientversion"
>
> What would be the purpose of this filtering? If you're considering it to
> block password guessers, and such filtering becomes popular, then they
> are highly likely to change their version strings.
>
> IMO it's generally better to disallow password authentication, except from
> trusted sources.
>
> -d
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
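
Added example, not part of the original thread and not OpenSSH code: a sketch of the check discussed above, parsing the RFC 4253 identification string and matching softwareversion (and optionally comments) against an allowlist. The function names and glob patterns are hypothetical; because the client chooses this string, the check only drops connections early and authentication is still required afterwards.

```python
import re
from fnmatch import fnmatchcase

MAX_ID_LEN = 255  # RFC 4253 section 4.2 limit, CR LF included

# SSH-protoversion-softwareversion SP comments CR LF
# protoversion/softwareversion: printable US-ASCII except whitespace and '-'.
_TOKEN = rb"[\x21-\x2c\x2e-\x7e]+"
_ID_RE = re.compile(
    rb"SSH-(" + _TOKEN + rb")-(" + _TOKEN + rb")(?: ([\x20-\x7e]*))?"
)


def parse_ident(line: bytes):
    """Return (protoversion, softwareversion, comments) or None if malformed."""
    if len(line) > MAX_ID_LEN or not line.endswith(b"\r\n"):
        return None
    m = _ID_RE.fullmatch(line[:-2])
    if m is None:
        return None
    proto, software, comments = m.groups()
    return (proto.decode("ascii"), software.decode("ascii"),
            None if comments is None else comments.decode("ascii"))


def allow_client(line, software_patterns, comment_patterns=None):
    """Hypothetical policy: proceed only if the ID string matches the allowlist."""
    ident = parse_ident(line)
    if ident is None or ident[0] != "2.0":
        return False  # malformed, oversized, or not protocol 2.0
    _, software, comments = ident
    if not any(fnmatchcase(software, p) for p in software_patterns):
        return False
    if comment_patterns is None:
        return True
    return comments is not None and any(
        fnmatchcase(comments, p) for p in comment_patterns)


if __name__ == "__main__":
    # Constructed sample ID strings, not captured traffic.
    samples = [b"SSH-2.0-OpenSSH_8.6\r\n",
               b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2\r\n",
               b"SSH-2.0-PuTTY_Release_0.74\r\n",
               b"SSH-2.0-OpenSSH_8.6\n"]
    for s in samples:
        print(s, parse_ident(s), allow_client(s, ["OpenSSH_8.*"]))
```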