by vgb2k18 1003 days ago
SSH protocol version exchange is before key exchange. Is this not easily identified in both client and server side packet analysis?

I appreciate that SSH can be obfuscated via an SSL tunnel but the article didn't come at that angle.

The article itself even states: >with SSH everything goes dark right after the initial capabilities exchange.

So... What say about before the exchange?

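The point raised above, that the identification exchange and the first key-exchange packet are in the clear, is the part a passive sensor can actually check. The Python below is an added example written for this thread, not code from the comment author or from the article under discussion: it parses the RFC 4253 section 4.2 identification string from the first bytes of each direction of a flow, then parses the unencrypted binary packet that follows it and checks that it is SSH_MSG_KEXINIT (message code 20). The banners, the preamble line and the KEXINIT packet are constructed inline for the test; the `build_packet` and `build_kexinit` helpers exist only to fabricate that sample input.

```python
"""Identify SSH on the wire from the plaintext identification exchange
(RFC 4253 section 4.2) and the unencrypted KEXINIT that follows it."""
import re

SSH_MSG_KEXINIT = 20

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF",
# at most 255 bytes including CR LF. A bare LF is tolerated for old peers.
_BANNER_RE = re.compile(
    rb"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>[^ \r\n]+)"
    rb"(?: (?P<comments>[^\r\n]*))?\r?\n"
)


def parse_identification(data: bytes):
    """Return (fields, rest) if data starts with an SSH identification
    exchange, else None. A server may send extra lines before its SSH-
    line (RFC 4253 4.2); those lines must not start with 'SSH-'."""
    offset = 0
    while offset < 65536:  # bound the preamble we are willing to skip
        nl = data.find(b"\n", offset)
        if nl == -1:
            return None
        line = data[offset:nl + 1]
        if line.startswith(b"SSH-"):
            m = _BANNER_RE.match(line)
            if not m or len(line) > 255:
                return None
            fields = {
                "proto": m["proto"].decode("ascii", "replace"),
                "software": m["software"].decode("ascii", "replace"),
                "comments": (m["comments"] or b"").decode("ascii", "replace"),
                "preamble_lines": data[:offset].count(b"\n"),
            }
            return fields, data[nl + 1:]
        offset = nl + 1
    return None


def parse_binary_packet(data: bytes):
    """Parse one SSH binary packet (RFC 4253 section 6) as it appears before
    NEWKEYS: uint32 packet_length, byte padding_length, payload, padding,
    no MAC and no encryption. Returns (payload, rest) or None."""
    if len(data) < 5:
        return None
    packet_length = int.from_bytes(data[:4], "big")
    padding_length = data[4]
    if packet_length < padding_length + 1 or len(data) < 4 + packet_length:
        return None
    payload = data[5:4 + packet_length - padding_length]
    return payload, data[4 + packet_length:]


def classify(client_first: bytes, server_first: bytes) -> dict:
    """Flow-level check from the first bytes of each direction: both sides
    send an identification string, and the first binary packet after it is
    an unencrypted KEXINIT. Everything after that exchange is opaque."""
    c = parse_identification(client_first)
    s = parse_identification(server_first)
    if not c or not s:
        return {"is_ssh": False}
    (cf, crest), (sf, srest) = c, s
    result = {"is_ssh": True, "client": cf, "server": sf,
              "client_kexinit": False, "server_kexinit": False}
    for side, rest in (("client", crest), ("server", srest)):
        pkt = parse_binary_packet(rest)
        if pkt and pkt[0] and pkt[0][0] == SSH_MSG_KEXINIT:
            result[side + "_kexinit"] = True
    return result


# ---- constructed sample input (not a real capture) ----------------------
def _name_list(names) -> bytes:
    b = ",".join(names).encode("ascii")
    return len(b).to_bytes(4, "big") + b


def build_packet(payload: bytes, block: int = 8) -> bytes:
    """Wrap a payload in an unencrypted SSH binary packet (padding >= 4,
    total length a multiple of the block size)."""
    padding = block - ((5 + len(payload)) % block)
    if padding < 4:
        padding += block
    return ((1 + len(payload) + padding).to_bytes(4, "big")
            + bytes([padding]) + payload + bytes(padding))


def build_kexinit() -> bytes:
    """Minimal constructed KEXINIT payload: code 20, 16-byte cookie, the ten
    name-lists, first_kex_packet_follows, reserved uint32."""
    lists = [("curve25519-sha256",), ("ssh-ed25519",),
             ("chacha20-poly1305@openssh.com",), ("chacha20-poly1305@openssh.com",),
             ("umac-64-etm@openssh.com",), ("umac-64-etm@openssh.com",),
             ("none",), ("none",), (), ()]
    body = b"".join(_name_list(n) for n in lists)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)


CLIENT_FIRST = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n" + build_packet(build_kexinit())
SERVER_FIRST = (b"Welcome to the constructed test server\r\n"
                b"SSH-2.0-OpenSSH_9.3\r\n" + build_packet(build_kexinit()))
NOT_SSH = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    print(classify(CLIENT_FIRST, SERVER_FIRST))
    print(classify(NOT_SSH, SERVER_FIRST))
```

The check only answers "is this SSH?" and which software each side announced; it says nothing about whether the session is an interactive TTY or a tunnel, which is exactly the distinction the article is trying to draw after the flow goes dark.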

They want to consider normal connections legitimate, and only detect tunnels.
Forgive me, my grok ability is low right now. I read the section about detecting TTY traffic, and in my mind, TTY traffic would be an example of a legit normal connection. Engineer accessing the system, etc.
I routinely use both forward and reverse tunnels in my day-to-day ssh use.