Attackers set up fake SSH servers, targeting users to unknowingly enter their corporate credentials. Traditionally, SSH security is thought from a server perspective. Did you know you can prevent this attack on the client side with a simple configuration change that almost nobody is aware of?

Five quarters after the Terrapin vulnerability disclosure and first patches of the Strict Kex extension to the SSH protocol, it is time to take a snapshot of the adoption process in the Internet and explore what has worked well and where more work is still to be done.

Without signing, Git Commit impersonation is trivially simple. It causes great confusion and can hurt your reputation. Git signing is simple but not well known across developers and repo owners. Learn how to sign your Git Commits and how to protect your repos in a few effective steps.

This is the start of a new series looking at the SSH protocol and the SSH applications; we want to share knowledge we gained during the SSH Gateway development. Part 1 is about the SSH core protocol and SSH remote commands. A preview of the upcoming SSH applications is listed as well.

The second part focuses on SSH Remote Shell as the most known SSH application. Unfortunately, there is no formal protocol defining a structured way to exchange commands and responses between client and server. A challenge for SSH security Gateways.

The third part dives into the SCP protocol: one of the most used but least documented protocols in Internet history. While it became legacy, it is still mandatory for an SSH security gateway to support it. We will unfold its message structure and reflect on where policy can be enforced.

SFTP is the protocol that is nowadays used by pretty much all non-web file transfer programs. There are solid protocol specs for SFTP although no final RFC. Let's look into examples of SFTP message flows and the opportunities and challenges for a security gateway to filter those flows.

To reliably inspect and filter Git traffic over SSH, a gateway must understand both the pkt-line-based protocol framing and the binary structures of Git packfiles including compressed data transmission, deltas and different variable-length encodings.

This article explores how SSH tunnels work, including forward and reverse TCP tunneling, and outlines the security implications and policy controls needed when managing SSH tunnels through a security gateway.