[Cryptography] SSH vulnerability when using passwords

John Gilmore gnu at toad.com
Tue Jan 6 18:42:05 EST 2015

A friend pointed me to this page:


But neither that nor the ssh wikipedia page mention an SSH
vulnerability that lets an attacker guess the letters of a remote
login password used under SSH.  I remember this attack being mentioned
years ago, perhaps in a crypto conference rump session?

The attack works when you don't use keys or shared secrets -- just the
usual login/password processing standard for the remote end's
operating system.  This is by far the simplest way to use SSH -- it
requires no public keys, no private keys, no one-time pads.  All it
requires is that you can remember your login name and password, which
everyone is already used to.  It lets you log in to a remote system
from *anywhere* that has a copy of ssh, without bringing any keying
material along.

The problem is that the ssh protocol sends each letter of the password
as an entire packet of encrypted stuff -- but there are only a small
number of possible letters that might have been typed.  So the entropy
in each of those early ssh packets is very low.  The attack makes
guesses about which letters you might have picked, is able to
eliminate many of the guesses by showing that the crypto would have
produced something different in that case, relies partly on the
inter-letter timing as I recall, and recovers passwords or partial
passwords a significant fraction of the time.  Then, of course, those
passwords are extremely useful in breaking into the remote system at
any time afterward.  Which is why NSA would store them for later use.

Where is this attack written up in detail?  And how is it best
defended against?
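Added example, not part of John Gilmore's message or of any SSH implementation: a Python simulation of the keystroke-timing side channel the post describes (written up by Song, Wagner and Tian, "Timing Analysis of Keystrokes and Timing Attacks on SSH", USENIX Security 2001) next to a sender that hides it by transmitting on a fixed clock with chaff packets, the approach OpenSSH later shipped as ObscureKeystrokeTiming. The hand layout, the two-class latency profile, the candidate password list and the clock parameters are constructed assumptions for the demo; a real attacker trains per-bigram latency distributions on recorded typing.

```python
import random

# Assumption for the demo: a QWERTY hand split. Real attacks use measured
# per-key-pair latency distributions rather than this two-class model.
LEFT_HAND = set("qwertasdfgzxcvb")

# Constructed latency profile (seconds between key-down events): key pairs
# typed with alternating hands are faster than pairs on the same hand.
PROFILE = {"alternate": (0.12, 0.02), "same": (0.20, 0.02)}  # (mean, stddev)

def bigram_class(a, b):
    """Classify a key pair by whether both keys sit on the same hand."""
    return "same" if (a in LEFT_HAND) == (b in LEFT_HAND) else "alternate"

def keystroke_times(password, rng, start=1.0):
    """Simulate a user typing `password`; returns absolute key-down times."""
    times = [start]
    for a, b in zip(password, password[1:]):
        mean, std = PROFILE[bigram_class(a, b)]
        times.append(times[-1] + rng.gauss(mean, std / 2))
    return times

def naive_sender(times):
    """Classic interactive SSH: one encrypted packet per keystroke, sent at once.
    Packet inter-arrival times therefore equal inter-keystroke latencies."""
    return list(times)

def obscured_sender(times, interval=0.020, chaff=0.5):
    """Send on a fixed clock and keep emitting chaff packets for `chaff`
    seconds after the last keystroke, so packet timing and packet count no
    longer depend on what was typed (parameters are assumptions)."""
    t0, last = times[0], times[-1]
    n = int((last + chaff - t0) / interval) + 1
    return [t0 + k * interval for k in range(n)]

def inter_arrival(packets):
    """What a passive observer sees: gaps between ciphertext packets, in ms."""
    return [round((b - a) * 1000) for a, b in zip(packets, packets[1:])]

def rank_candidates(gaps_ms, candidates):
    """Score each candidate by Gaussian log-likelihood of the observed gaps
    under its expected bigram latencies; best guess first."""
    scored = []
    for cand in candidates:
        if len(cand) - 1 != len(gaps_ms):
            continue  # packet count reveals length; wrong-length guesses drop out
        score = 0.0
        for (a, b), gap in zip(zip(cand, cand[1:]), gaps_ms):
            mean, std = PROFILE[bigram_class(a, b)]
            score -= ((gap / 1000 - mean) ** 2) / (2 * std ** 2)
        scored.append((score, cand))
    return [c for _, c in sorted(scored, reverse=True)]

# Constructed guess list: same length as the real password except the last one.
CANDIDATES = ["tiger", "timer", "taper", "lions", "tigers"]

def attack(sender, password="tiger", seed=1):
    """Run the observer against one sender; returns (observed gaps, ranking)."""
    rng = random.Random(seed)
    packets = sender(keystroke_times(password, rng))
    gaps = inter_arrival(packets)
    return gaps, rank_candidates(gaps, CANDIDATES)

if __name__ == "__main__":
    for name, sender in [("naive", naive_sender), ("obscured", obscured_sender)]:
        gaps, ranking = attack(sender)
        print(f"{name:9s} gaps(ms)={gaps} ranking={ranking}")
```

Against the naive sender the observer gets exactly four gaps, learns the password length from the packet count and ranks the true password first from the fast/slow pattern alone. Against the fixed-clock sender every gap is the clock interval and the packet count reflects the chaff duration rather than the password, so no candidate of any length fits and the ranking is empty.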
