This repository has been archived by the owner on Jan 9, 2023. It is now read-only.

google/tcpauth


tcpauth

Copyright 2016 Google Inc. All Rights Reserved.

https://github.com/google/tcpauth

Introduction

tcpauth allows you to wrap TCP connections in RFC2385 MD5 signatures, to prevent any attacker from talking to a server without first having the shared secret.

This protects against any preauth attacks in the server application itself. You could compare it to port knocking, in that this could let you keep SSH open for connections from all over the world, as long as they know the shared secret. Normal authentication would take place after connection, so it doesn't reduce security.

Another benefit is that when MD5 signatures are turned on, an attacker can't spoof RST packets to kill your connection.
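Added example, not code from tcpauth: a Python model of the RFC 2385 digest and the receiver-side check, showing why any segment signed without the shared secret, a spoofed RST included, is rejected. The addresses, ports and function names are constructed for illustration, and using the README phrase without a trailing newline as the key is an assumption.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18  # TCP option kind and length per RFC 2385

def rfc2385_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, base TCP header (checksum 0), data, then key."""
    data_off = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    base = segment[:16] + b"\x00\x00" + segment[18:20]  # options are excluded
    return hashlib.md5(pseudo + base + segment[data_off:] + key).digest()

def sign_segment(src_ip, dst_ip, sport, dport, seq, flags, payload, key):
    """Build a TCP segment carrying the signature option (checksum left 0)."""
    pad = b"\x01\x01"  # two NOPs pad the 18-byte option to a 4-byte boundary
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      ((20 + MD5SIG_LEN + len(pad)) // 4) << 4, flags, 65535, 0, 0)
    unsigned = hdr + bytes([MD5SIG_KIND, MD5SIG_LEN]) + bytes(16) + pad + payload
    digest = rfc2385_digest(src_ip, dst_ip, unsigned, key)
    return unsigned[:22] + digest + unsigned[38:]

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: accept only a segment whose signature option matches."""
    if len(segment) < 20 or (segment[12] >> 4) * 4 > len(segment):
        return False         # truncated header: drop
    data_off = (segment[12] >> 4) * 4
    i = 20
    while i + 1 < data_off:
        kind, length = segment[i], segment[i + 1]
        if kind == 0:        # end of option list
            break
        if kind == 1:        # NOP is a single byte with no length field
            i += 1
            continue
        if length < 2 or i + length > data_off:
            break            # malformed option list: treat as unsigned
        if kind == MD5SIG_KIND and length == MD5SIG_LEN:
            expected = rfc2385_digest(src_ip, dst_ip, segment, key)
            return hmac.compare_digest(segment[i + 2:i + 18], expected)
        i += length
    return False             # no signature option present: drop

if __name__ == "__main__":
    key = b"correct horse battery staple"  # README phrase, no newline (assumed)
    seg = sign_segment("192.0.2.10", "192.0.2.20", 40000, 12345, 1000, 0x18, b"hi", key)
    print(verify_segment("192.0.2.10", "192.0.2.20", seg, key))  # constructed demo
```

Because the pseudo-header and the key are both inside the hash, a segment sent from another address or signed with a different key fails the comparison, and a segment with no option at all is dropped outright.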

Installing

If building from git repo:

./bootstrap.sh

then

./configure && make && make install

Running

Example of running an SSH server on port 12345.

On the server:

echo "correct horse battery staple" > pw.txt
chmod 600 pw.txt
sudo ./tcpauth-wrap -p 12345 -P pw.txt -- /usr/sbin/sshd -i

On the client:

echo "correct horse battery staple" > pw.txt
chmod 600 pw.txt
ssh "-oProxyCommand=./tcpauth-client-proxy -P pw.txt %h %p" -p 12345 shell.example.com
