On Sep 12, 2008, at 7:02 AM, Kevin Neff wrote:
Thanks for all the comments. I think we're all pretty much on the
same
page.
First order of business is to look at how much of a weakness this
may be.
Then, implement several potential solutions. Finally, test to see
if the
"fixes" improved the situation.
Sorry, I'm finally at my real mail client. It's not a "real"
vulnerability, imho. Merely a way to time and attack the individual
keystrokes. I suspect you could ID individual users, if not figure out
passwords, etc.
If you're that concerned about your ssh session, multiplex the tunnel
and have an expect script randomly execute remote commands through it.
Your interactive shell will be the "real" session, with expect
throwing interactive "noise." No real additional setup required, just
using multiplexed tunneling in ssh(1)
