Are SSH protocol headers sent in the clear over a client-server connection?

2

I know routing information is always sent in the clear (oversimplification, but bear with me), so in a scenario where there exists an SSH tunnel between a client and a server using non-standard ports, and the tunnel is encrypted using a secure key exchange with a shared secret, is it possible to discern that the traffic itself is SSH? (e.g., is the layer 3 header information in the clear?)

Also, are there other ways to know that this traffic is SSH?

Thanks.

TL;DR: How can you determine an SSH packet is SSH?

gal

Posted 2012-12-04T06:31:31.290

Reputation: 131

Answers

1

The traffic itself is encrypted by SSL, so it's hard to see the difference compared to other SSL protocols (HTTPS, OpenVPN, etc.).

But, if the attacker captures the whole communication, it also gets the handshake, from which he can clearly see it's SSH. He also sees the SSH client's and host's IPs (tunnel endpoints) and the ports used by them. He cannot see the traffic through the tunnel.

[Screenshot: SSH handshake]

mulaz

Posted 2012-12-04T06:31:31.290

Reputation: 546

What application is that a screenshot of? – gal – 2012-12-05T04:25:40.330

That is Wireshark (http://www.wireshark.org/); it can capture and/or analyze network traffic.

– mulaz – 2012-12-05T10:53:44.123

0

My understanding is that once the tunnel is established, the traffic above layer 4 will be gibberish. So if you're on a non-standard port, it would be hard, if not impossible, to discern between any encrypted traffic, i.e., you wouldn't be able to tell the difference between SSH, SSL, or other encryption methods. I'm happy to be corrected if that's wrong though.

peelman

Posted 2012-12-04T06:31:31.290

Reputation: 4 580

0

If the attacker has access to the entire TCP session, they will have sufficient clues to know that the transport protocol is ssh. Try to telnet to port 22 on a server you know is running ssh on a standard port to see how.

If the attacker does traffic analysis, he or she will quite possibly be able to distinguish ssh terminal traffic from ssh port forwarding traffic (though not able to identify the contents directly). Basically, typing does not look like downloading HTML, downloading, or transferring data at any speed / with little latency.

If the attacker has access to all of the network traffic for one of the endpoints, he or she will quite possibly be able to identify what specific fraction of the traffic passing through that endpoint also passed through the tunnel... but you've already lost a lot by that point; not much privacy to preserve.

There isn't really that much information in the clear though. I doubt there is a serious risk here, but without knowing your concerns, it is hard to address them.

Slartibartfast

Posted 2012-12-04T06:31:31.290

Reputation: 6 899
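The point made by mulaz (the handshake itself reveals SSH) and by Slartibartfast (telnet to port 22 and look at what the server sends) comes down to the same thing: the SSH identification string and the SSH_MSG_KEXINIT packet are sent before any encryption starts (RFC 4253, sections 4.2 and 7.1), whatever port the service listens on. The script below is an added example, not code from the page or from any of the answerers; it parses those cleartext bytes the way a passive monitor or IDS would to classify a flow as SSH and record the advertised software and algorithm lists. The sample stream, the server name "ExampleServer_1.0", and the all-zero cookie are constructed for the example, not taken from a real capture.

```python
"""Parse the cleartext start of an SSH-2 connection (RFC 4253): the
identification string and the SSH_MSG_KEXINIT algorithm name-lists.
Everything parsed here is visible to anyone on the path, before the
key exchange has produced any keys."""
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists in a KEXINIT payload, in wire order (RFC 4253 7.1).
KEXINIT_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]


def parse_identification(data):
    """Return (identification string, remaining bytes).

    RFC 4253 4.2 allows a server to send other CRLF-terminated lines before
    the 'SSH-protoversion-softwareversion [comments]' line, so skip those.
    Returns (None, data) when no identification line is present."""
    rest = data
    while b"\r\n" in rest:
        line, rest = rest.split(b"\r\n", 1)
        if line.startswith(b"SSH-"):
            return line.decode("ascii", "replace"), rest
    return None, data


def read_name_list(buf, off):
    """Read one RFC 4251 name-list (uint32 length + comma-separated ASCII)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n


def parse_kexinit(data):
    """Parse one unencrypted SSH binary packet carrying SSH_MSG_KEXINIT.
    Returns a dict of the ten name-lists, or None if it is not a KEXINIT."""
    if len(data) < 5:
        return None
    packet_length, padding_length = struct.unpack_from(">IB", data, 0)
    payload = data[5:5 + packet_length - padding_length - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        return None
    off = 1 + 16  # message id byte + 16-byte random cookie
    result = {}
    for field in KEXINIT_FIELDS:
        result[field], off = read_name_list(payload, off)
    return result


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Build an unencrypted KEXINIT packet; used here only to construct
    sample input (a real peer uses a random cookie)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    payload += b"\x00" + b"\x00" * 4  # first_kex_packet_follows, reserved
    # At least 4 bytes of padding and total length a multiple of 8 (RFC 4253 6).
    padding_length = 8 - ((5 + len(payload)) % 8)
    if padding_length < 4:
        padding_length += 8
    header = struct.pack(">IB", len(payload) + padding_length + 1, padding_length)
    return header + payload + b"\x00" * padding_length


def identify_ssh(stream):
    """Given the first bytes one side sent, return what a passive observer
    learns: the software version string and the advertised algorithms.
    Returns None when the stream does not start like SSH."""
    version, rest = parse_identification(stream)
    if version is None:
        return None
    return {"version": version, "kexinit": parse_kexinit(rest)}


# Constructed sample of a server's opening bytes (not a real capture).
SAMPLE_LISTS = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
SAMPLE_STREAM = b"SSH-2.0-ExampleServer_1.0\r\n" + build_kexinit(SAMPLE_LISTS)

if __name__ == "__main__":
    print(identify_ssh(SAMPLE_STREAM))
```

Run against the first bytes a server sends on any port, this returns the software version and the full algorithm offer even though nothing after KEXINIT can be read; that is exactly the "clue" the telnet-to-port-22 suggestion makes visible by hand, and it is why moving SSH to a non-standard port hides the service from port-number filters but not from anyone who looks at the payload.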