Copyright 2016 Google Inc. All Rights Reserved.
https://github.com/google/tcpauth
tcpauth allows you to wrap TCP connections in RFC2385 MD5 signatures, to prevent any attacker from talking to a server without first having the shared secret.
This protects against any preauth attacks in the server application itself. You could compare it to port knocking, in that this could let you keep SSH open for connections from all over the world, as long as they know the shared secret. Normal authentication would take place after connection, so it doesn't reduce security.
Another benefit is that when MD5 signatures are turned on, an attacker can't spoof RST packets to kill your connection.
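Added example, not code from the tcpauth project: a sketch of the digest RFC 2385 defines (MD5 over the TCP pseudo-header, the fixed TCP header with a zeroed checksum, the segment data, then the key), showing why an RST signed without the shared secret is not accepted. The addresses and client port are constructed sample values, the function names are hypothetical, and the segment is assumed to carry only the MD5 option.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
FLAG_RST = 0x04
MD5_OPT_LEN = 20  # option kind 19, length 18, padded to a 4-byte boundary

# Constructed sample values: documentation addresses, hypothetical client port.
SRC, DST = "192.0.2.10", "198.51.100.20"
KEY = b"correct horse battery staple"


def fixed_header(sport, dport, seq, ack, flags):
    """20-byte TCP header as hashed: checksum field zero, options excluded."""
    offset_words = (20 + MD5_OPT_LEN) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_words << 4, flags, 0, 0, 0)


def rfc2385_digest(src, dst, header, payload, key):
    """MD5 over pseudo-header, fixed header, segment data, then the key."""
    seg_len = len(header) + MD5_OPT_LEN + len(payload)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + header + payload + key).digest()


def receiver_accepts(src, dst, header, payload, digest, key):
    """Receiver recomputes the digest with its own key; a mismatch means drop."""
    expected = rfc2385_digest(src, dst, header, payload, key)
    return hmac.compare_digest(expected, digest)


def demo():
    rst = fixed_header(51000, 12345, 1000, 0, FLAG_RST)
    good = rfc2385_digest(SRC, DST, rst, b"", KEY)
    wrong = rfc2385_digest(SRC, DST, rst, b"", b"not the secret")
    return (receiver_accepts(SRC, DST, rst, b"", good, KEY),
            receiver_accepts(SRC, DST, rst, b"", wrong, KEY))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the sequence number and both addresses are inside the hashed data, a digest captured from one segment does not validate a segment with different header fields.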
If building from git repo:
./bootstrap.sh
then
./configure && make && make install
Example of running an SSH server on port 12345.
On the server:
echo "correct horse battery staple" > pw.txt
chmod 600 pw.txt
sudo ./tcpauth-wrap -p 12345 -P pw.txt -- /usr/sbin/sshd -i
On the client:
echo "correct horse battery staple" > pw.txt
chmod 600 pw.txt
ssh "-oProxyCommand=./tcpauth-client-proxy -P pw.txt %h %p" -p 12345 shell.example.com