This is the first post in a series where I read through man ssh_config and write about things I find interesting. Most of us only open man pages to look up a specific flag and close them immediately. I want to break that habit by actually reading through the pages and writing about what I find, so the knowledge sticks.

Today's find: ObscureKeystrokeTiming.

Since OpenSSH 9.5 (released in October 2023), the SSH client has been doing something interesting by default. In an interactive session, ssh no longer sends each keystroke the instant you type it. It quantizes keystrokes onto a fixed grid (20ms by default), so packets leave at a steady rate while you type, and it keeps sending fake "chaff" packets for a while after you stop. The goal is to deny a passive network observer the inter-keystroke timings that keystroke timing analysis depends on.

Keystroke timing attacks are real. The gap between your keypresses depends on which keys you are pressing, because different letter pairs have characteristic timings, so the spacing of small packets on the wire leaks information about what you are typing even though the payload is encrypted. Song, Wagner and Tian showed this back in 2001 ("Timing Analysis of Keystrokes and Timing Attacks on SSH", USENIX Security), using inter-arrival times alone to narrow down passwords typed over SSH. OpenSSH's response was to add this option, enabled by default, which holds each keystroke until the next tick of a fixed grid and fills idle ticks with decoy packets, so an observer sees a regular stream of identical-looking packets rather than your typing rhythm. Note the scope: the man page applies it to interactive sessions only, so it is not a general traffic-shaping feature for everything ssh carries.

From the man page:

ObscureKeystrokeTiming
    Specifies whether ssh(1) should try to obscure inter-keystroke
    timings from passive observers of network traffic.  If enabled,
    then for interactive sessions, ssh(1) will send keystrokes at
    fixed intervals of a few tens of milliseconds and will send
    fake keystroke packets for some time after typing ceases.
    The argument to this keyword must be yes, no or an interval
    specifier of the form interval:milliseconds (e.g. interval:80
    for 80 milliseconds).  The default is to obscure keystrokes
    using a 20ms packet interval.  Note that smaller intervals will
    result in higher fake keystroke packet rates.

There are two things worth knowing here. First, you can tune the interval. The default 20ms works fine for most people; interval:80 would cut the chaff packet rate to a quarter, at the cost of holding each keystroke for up to 80ms before it leaves. You can confirm what your client will actually do for a given host with ssh -G myserver | grep -i obscurekeystroketiming, which prints the option as resolved from your config. Second, and more practically relevant: if you use X11 forwarding, this feature can cause noticeable lag, because the chaff and the fixed send schedule compete with the GUI traffic. If you've upgraded OpenSSH recently and your remote GUI apps feel slow, this might be why.
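To make the leak and the countermeasure concrete, here is a small model of what a passive observer sees with and without the feature, for both the default 20ms grid and interval:80. This is an added example written for this post, not OpenSSH code. The keystroke timestamps are constructed, and the length of the chaff tail (chaff_ms) is an assumed parameter; the man page only says chaff continues "for some time" after typing stops.

```python
"""Toy model of what a passive observer learns from SSH keystroke packet
timing, with and without ObscureKeystrokeTiming-style quantisation and chaff.

Added illustration for this post, not OpenSSH code. It follows the behaviour
ssh_config(5) describes (keystrokes sent on a fixed grid, fake packets for a
while after typing stops). The chaff duration is an assumed parameter.
"""

# Constructed sample: wall-clock times (ms) of nine keypresses. The uneven gaps
# are the signal a timing attack exploits.
KEYSTROKES_MS = [0, 95, 180, 310, 355, 470, 620, 665, 760]


def inter_arrival(times):
    """Gaps between consecutive packets: the only timing feature a passive
    observer can measure."""
    return [b - a for a, b in zip(times, times[1:])]


def observed_plain(keystrokes):
    """Without obfuscation each keypress is one packet sent immediately, so the
    observer recovers the inter-keystroke gaps exactly (network jitter ignored)."""
    return list(keystrokes)


def quantize(keystrokes, interval_ms):
    """Departure time of each real keystroke: it is held until the next tick of
    a grid that starts at the first keypress (integer ceiling division)."""
    t0 = keystrokes[0]
    return [t0 + interval_ms * (-(-(t - t0) // interval_ms)) for t in keystrokes]


def observed_obscured(keystrokes, interval_ms=20, chaff_ms=200):
    """Packet departure times with quantisation plus chaff. One packet leaves on
    every tick from the first keypress until chaff_ms after the last one; a tick
    with no pending keystroke carries a fake packet. Real and fake packets are
    returned together because, on the wire, they are meant to be identical."""
    t0 = keystrokes[0]
    end = max(keystrokes[-1] + chaff_ms, quantize(keystrokes, interval_ms)[-1])
    return list(range(t0, end + 1, interval_ms))


def chaff_count(keystrokes, interval_ms=20, chaff_ms=200):
    """How many of the observed packets were fake. Keystrokes that land on the
    same tick share one packet, hence the set()."""
    real_ticks = set(quantize(keystrokes, interval_ms))
    return len(observed_obscured(keystrokes, interval_ms, chaff_ms)) - len(real_ticks)


if __name__ == "__main__":
    print("plain gaps    :", inter_arrival(observed_plain(KEYSTROKES_MS)))
    for iv in (20, 80):
        pkts = observed_obscured(KEYSTROKES_MS, interval_ms=iv)
        print(f"interval:{iv}  gaps: {sorted(set(inter_arrival(pkts)))}, "
              f"{len(pkts)} packets, {chaff_count(KEYSTROKES_MS, iv)} fake")
```

Without the feature the observer reads off the nine original gaps (95, 85, 130, ...). With it, every gap is exactly the interval, and the only thing that changes between interval:20 and interval:80 is the trade the man page warns about: the 20ms grid sends about four times as many fake packets, while the 80ms grid holds some keystrokes for up to 80ms before they leave.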

OpenSSH 10.0 (April 2025) improved this: the client now avoids starting the keystroke obfuscation if there has been recent traffic on an X11 forwarding channel. But if you're on an older version, you can disable it per-host:

Host myserver
    ObscureKeystrokeTiming no

Or globally if you prefer:

Host *
    ObscureKeystrokeTiming no

Worth noting: the feature had a bug in OpenSSH 9.5 through 9.7 that undercut its own purpose, because the real keystrokes could be told apart from the chaff. A researcher demonstrated that the real keystroke packets were slightly larger than the fake ones, making them trivially identifiable in a packet capture: the timing was obscured, but a size side channel gave the keystrokes straight back. This was fixed in 9.8, but it's a good reminder that a mitigation is only as strong as its least obvious observable, and that security features can have subtle implementation issues.

The broader takeaway is that your SSH client is doing more than just encrypting your traffic. It's actively trying to hide your typing patterns from anyone watching the wire. Whether you keep it on or off depends on your threat model, but either way it's good to know it's there.