No description, website, or topics provided.
C Shell
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


Copyright 2016 Google Inc. All Rights Reserved.


tcpauth allows you to wrap TCP connections in RFC2386 MD5 signatures, to prevent any attacker from talking to a server without first having the shared secret.

This protects against any preauth attacks in the server application itself. You could compare it to port knocking, in that this could let you keep SSH open for connections from all over the world, as long as they know the shared secret. Normal authentication would take place after connection, so it doesn't reduce security.

Another benefit is that when MD5 signatures are turned on an attacker can't spoof RST packets to kill your connection.


If building from git repo:



./configure && make && make install


Example of running an SSH server on port 12345.

On the server:

echo "correct horse battery staple" > pw.txt
chmod 600 pw.txt
sudo ./tcpauth-wrap -p 12345 -P pw.txt -- /usr/sbin/sshd -i

On the client:

echo "correct horse battery staple" > pw.txt
chmod 600 pw.txt
ssh "-oProxyCommand=./tcpauth-client-proxy -P pw.txt %h %p" -p 12345