75 comments

[ 3.4 ms ] story [ 191 ms ] thread
I really like stories like this where somebody was overly curious about something and instead of just reading about it, he takes it apart and puts it back together to gain the kind of knowledge you will never find in a book/blog post.
> takes it apart and puts it back together to gain the kind of knowledge you will never find in a book/blog post.

Interestingly, the author still worked a lot with the docs (RFCs), not just with the software itself.

I believe this is important for any hands-on activity. Even though the documentation isn't your starting point, and may be too cumbersome and badly structured, sooner or later you should go back to them, now with more specific questions, picking out what you need.

I thought it was fairly discouraging that the docs weren't sufficient to get the author up and running with ssh; a lot of seemingly undocumented gotchas popped up.
Yeah, I would hope with a tool as critical as ssh the docs would be pretty good. Hopefully the author will contribute and it will get accepted.
author is a woman.

edit: I guess, depending on how one reads your post, you didn't actually say author is a "he". Too quick on the trigger on my part.

pssst... your gender bias is showing, put that shit away.
He clearly missed typing a s only. Take away your bias please.
Does HN not have a an explicit list of all actions that are unacceptable?! We need to get the TODO Group in on this. Also, so that everybody knows that my opinion is more valid, I am a 1/32 Cherokee left handed 87 year old black woman. On a related note, I demand that you implement trigger warning flag function.
Its so weird that there aren't more women in tech. Amirite? What could possibly be driving them away?!?!
There aren't enough white knights rushing in to save us, and we aren't being treated as equals. Another problem is the cultural racism of future time orientation and emphasizing individualism as opposed to a more collective ideology.
Do you ever wonder where accusing someone of being a white knight sits on the scale between rhetoric and logic? I think its probably something you haven't considered.
I wasn't talking about you, but your deference to logic makes me wonder... Dr Minnich has helpfully informed us that logic and reason are the tools of the racist patriarchy. Maybe you haven't considered your disposition to reach for colonial phallocentric weapons of aggression.
Most students who make it past philosophy 101 can form arguments for or against this position. For the rest, maybe all there is are tired 4chan memes circa 2010.
That is something to think on. Your mind immediately goes to the comedic styling of the dark underbelly of the internet when references are made to the content of an academic paper for the Center for Research on Women - written by one so well respected in the field. If 4chan is having to reach back to 1986 for material... well things are about to get very neon.
It is really interesting that you leap to the conclusion that I’m dismissing the idea that logic can contain bias based on who is practicing it as a 4chan meme. Really, I’m dismissing your clumsy interpretation of literature into a soundbite as a clumsy 4chan meme.

Perhaps it stings too much, and you’ve reacted badly to that line of reasoning. Perhaps stick to the memes?

There is nothing in my prior statement that hints at any sort of conclusion being drawn in regard to your dismissal. Since you are obviously familiar with the literature, because how else would you be able to evaluate my interpretation, it should be easy for you to point out where I've gone wrong. I'll wait here.

Bummer, detached. gg tomlock :)

You posted a bunch of memes rather than any clear opinions.

You’ve claimed that I’m comparing (“your mind goes back to”?) a fundamental aspect of postmodern thought to a 4chan meme, when really I’m comparing your clumsy soundbites to the content of 4chan memes.

You’re now suddenly asking for me to clarify my criticisms of your position when you’ve been deliberately vague.

You’re now demanding an education on contemporary thought.

Wrong. Wrong. Wrong. Wrong.

The only people you aren't alienating with this kind of rhetoric are the ones that already sling it, themselves.
> There aren't enough white knights rushing in to save us

Huh, I can't recall hearing the phrase "white knights" being used by a woman before. I have heard from women (online and in person) be unhappy about men not being supportive of their concerns and be happy about men being allies, especially when the burden of change is on other men. Can you expand on what you mean by this?

I've pretty much never heard the term "white knight" being used by anyone except men who are attempting to shame and bully other men who are being allies into not doing that.

EDIT: Downvoters, you're only making my point for me. How much of my karma do you think you'll have to burn before you've shown me how wrong I am?

>he takes it apart and puts it back together

?

"he" referring to a person who does the sort of work admired, not specifically the author of this work.
It would depend if "he" were gendered, or not. If it is, the relevance of the comment is in question, as the gender does not match.
We detached this subthread from https://news.ycombinator.com/item?id=11608610 and marked it off-topic.
Thanks!

Hint to all who participated in that ugly thread:

The inital comments were bad, but I found it even worse to see how many people engaged this, making that ugly thread larger and larger. It became so large that it finally displaced all the good, on-topic comments!

If you really want to show respect for the author, just downvote + flag the ugly comments, and be done with it. Then, go on and use your time to post something insightful about the author's article.

Should the children of flagged/dead comments be hidden by default as well ?
I like that idea.

Alternatively, such threads could not be hidden completely, but only be reached via a separate link. That way, the discussion would still exist, but would not consume growing space on the original discussion site anymore.

(In addition, it would still serve to bind the people who insist on wasting their time in that corner. On the other hand, that would still be a pity. I assume that some people who wasted their time in that corner would otherwise have engaged in the remaining insightful discussions.)

Meta: the grey text thing which seems to be really popular right now? That's just unreadable. Third time today I inspect-elemented a blog post to turn the text coloring off.

Edit: Finished reading, what a great project! I've looked for something like this before, but ssh documentation never quite contained what I was looking for, let alone providing a simple client to hack with.

Many code snippets look a lot easier than I would expect it to be (e.g. DH KEX looks very simple there), though of course finding out what the correct code is, even if it's brief, takes a lot of effort.

Great writeup and thanks for sharing!

It's very odd to have to depend on a browser feature that is basically for accessibility in order to read a website because the colour choices are bad.
It's weird to me that people want millions of random people controlling how content is visually presented; aka, wish the web would die already.
You can cry creative freedom all you want, the colour choices make it hard for certain people (with visual difficulties) to read the site. Not accepting that and improving the design is basically saying "my creative freedom is more important than people actually reading the website".
Check your monitor gamma and white level using something like this: http://www.lagom.nl/lcd-test/gamma_calibration.php

You might be crushing whites, or just have incorrect gamma.

Many users don't have expensive monitors, so they can't calibrate the monitor successfully. This is a problem when many web designers only test their site on a mac in a nicely lot office.

http://contrastrebellion.com/ !

Thanks for the link! I've seen the site before but never thought of testing my screen when I got my new laptop.

It's very difficult to tell, though. The gamma varies between 1.9 and 2.3 (roughly) depending on the angle at which I look at my screen. Every time I sit this will be different.

Opening the article again, it also depends where I look: when tilting my laptop back a bit, the text appears darker (even black if I tilt it far enough) but the exact shade differs: near the bottom of the page it's still greyish while the top part is indeed almost black.

Looking on my phone, it's a lot better readable than on my laptop, probably because I look at my laptop screen at an angle and my phone's colors don't change if you look from the far top or bottom.

(comment deleted)
The worst color change I recall seeing on a laptop was the background color Google used to use to identify ads (a pale yellow as I recall). On cheaper laptop screens even the slightest tilt would make it white, making the ads indistinguishable from real results.

If you have something like the Nvidia Linux control panel for adjusting colors, lowering the white level and raising the black level can help compensate a bit. The open source Media Player Classic (or MPC-HC maybe) player also has a nice shader to correct for the vertical variation, but I don't know of any way to apply it to the whole OS.

If the author is reading this, I always find it useful to run HTML CodeSniffer [1] to find contrast accessibility violations. It gives you the closest colour that meets the contrast requirements. With a few small colour tweaks, I got the number of WCAG AA violations down from 115 errors to 17 (the remainder are primarily contrast issues with the code blocks).

P.S. Loved the article!

[1] https://squizlabs.github.io/HTML_CodeSniffer/

I really enjoyed reading this, you should add an rss feed to your blog, I couldn't find anything to subscribe to.
Thanks! I'll try to add one later this week, I've been meaning to :)
That would be really great! It's always a pity when this happens:

  - I read a great article.
  - I have a look at the rest of the blog, seeing more interesting articles.
  - I see that the posting frequency is low. [1]
  - I want to add it to my QuiteRSS reader, but there is no Atom/RSS feed.
[1] Which is actually a very good sign! Daily posters are inevitably posting mostly crap, and I'm too tired of such blogs to pick out the cherries. I prefer authors who publish only their cherries in the first place, or at least provide a "cherry-only" feed.
There are several services out there that will create an RSS feed out of any web page. They do this by periodically scraping the page's contents for you. https://feedity.com/ is pretty good; there are others.
>“none” as my compression algorithm.

Next blog post idea: taking apart how zlib works (https://tools.ietf.org/html/rfc1950) and using that as a built-in compression algorithm. Seriously though great article.

Another way to help discover how SSH works is to compile your own openssh server, instrumenting it with your own printfs, and see exactly what it's doing. I did this at one point, and it helped immensely to write a (horrifyingly insecure) homegrown SSH client. It was at least a good learning experience.
The actual code on GitHub:

https://github.com/tetrakai/miscellaneous/tree/master/ssh_cl...

Unfortunately, that was somewhat hidden in a small "here" link near the end of the article.

By the way, I believe to would be preferable to have a separate Git repository for that, rather than putting all mini projects ("miscellaneous code snippets") into a single repository.

It'd be nice to be gender neutral :)
Really?

While talking in a context of a specific post, written by a male?

Yes, because the comment refers to "stories like these", and not only the specific story in question. Also, what makes you think the author is male?
Not to presume which gender OP identifies with, but if you take a look at their GitHub profile, you'd probably come to the conclusion the the writer is not male.

Since the specific context matters to you, would you now suggest the parent of this thread then change the pronoun to "she" instead?

I've misread (english is not my native language) post with ", he takes it apart..." as a fact about author gender and reacted to subsequent comment which I find wrong.

Answering your question: would he, or me, or other poster know the gender of author while writting about author -> we should use proper form. If no prior knowledge is present: it does not matter to me, and I consider it not worth mentioning or correcting.

who cares?
Many do. The author probably does, because it doesn't seem like they'd choose "he" as their pronoun.
It'd be nicer if people could stop derailing interesting threads with their gender politics and pedantry.
You're worried about derailing a thread topic of "I like this post, please upvote me"? If you don't reply to it, it won't derail the thread.
I took it as a suggestion not to assume the author is a male so as not to embarrass yourself when it turns out they aren't, as a bare minimum of investigation would have revealed. Since when is basic politeness "gender politics"?
It's gender politics when you tell me that using 'he' is not gender neutral. Sure, you may think otherwise, but we all have our opinions.
It's interesting that "The transport protocol doesn’t cover who sends their banner first". It'd be good if I could configure my server to keep quiet until the client identifies itself as an SSH client. I run it on an unusual port and it gets scanned frequently. sshguard helps but I'd prefer it wasn't announcing to any client that it is an ssh server.
How does sshguard compare to fail2ban?
I never used fail2ban: sshguard was simply what I came across first and it was easy to setup and worked as advertised. The Arch wiki states: "sshguard is different from the other two in that it is written in C, is lighter and simpler to use with fewer features while performing its core function equally well."
"It'd be good if I could configure my server to keep quiet until the client identifies itself as an SSH client. I run it on an unusual port and it gets scanned frequently."

This is unpopular, but you could implement port knocking.

Now the rest of the world doesn't even see your sshd - on any port. I love the idea and have implemented it everywhere that it's practical.

sshguard is amazing, I routinely install it on any new servers. It comes with the standard Debian and derivatives' repositories.

After installation, simply type:

$ sudo apt-get -y install sshguard

And then edit the whitelist to include your local IP if you want;

$ sudo vim /etc/sshguard/whitelist $ sudo service sshguard restart

"This was a problem, because my initial packets to the server were met with immediate disconnects, and I’d now lost my main means of debugging. I banged my head against the wall for a while, then at the suggestion of a friend, decided to turn the server’s OpenSSH log verbosity way up. I bumped the LogLevel in /etc/ssh/sshd_config to DEBUG3, and suddenly I was getting helpful error messages!"

ssh server can be run with -d option for monitoring. It redirects debug messages to stdout.

/usr/sbin/sshd -d

Nice.

What first revealed me the hidden complexity of SSH was typing this during a live SSH session:

    ~?
Which show you the SSH supported escape sequences.
Note that the actual sequence is 3 characters (newline, tilde, question mark). If you try ~? after anything except a newline, ssh won't intercept it (this is true for all ssh tilde escapes).

Telnet had something similar.

This is of course specifically how to reveal these features in the OpenSSH client. If you're using another client (e.g. PuTTY) there's a different way to get to these features (click the menu).
Well what are the odds of this young lady not being one of them "oh the Tech industry/culture is not welcoming towards women" women? See the difference?
I liked reading the code for this - added a Star too.

* Picking some RFCs and then writing a client/server is fun as a coding exercise.

* I had a go at implementing POP3 and HTTP years ago in a MUD / LPC, but HTTP has been done to death now.

* Documentation is also really really good and I like the self-describing code, but have you thought about adding any unit tests i.e. for the algorithms?