Date:      Mon, 26 Mar 2001 12:22:51 +1000
From:      Mark.Andrews@nominum.com
To:        freebsd-stable@freebsd.org
Subject:   Re: sshd revealing too much stuff. 
Message-ID:  <200103260222.f2Q2MpT10302@drugs.dv.isc.org>
In-Reply-To: Your message of "Sun, 25 Mar 2001 04:34:24 EST." <20010325043424.B19617@pir.net> 


> Kris Kennaway <kris@obsecurity.org> probably said:
> > Making it easy for the _administrator_ to get information that is
> > useful for administration is a good thing. 
> 
> This can be done without providing the same information to an
> attacker.
> 
> > Think about the audit for vulnerable versions of SSH using
> > e.g. scanssh.  How is the administrator to differentiate between the
> > standard, vulnerable, version of OpenSSH 2.3.0 and the fixed,
> > non-vulnerable version included in FreeBSD 4.2-STABLE unless it
> > reports itself differently?
> 
> It's running ssh, it's accessible from the network. Put the changed
> version string in ssh --version or similar and connect to the machine
> to check it. Information does not have to be available to an attacker.
> 

	You obviously have not needed to deal with security in a large
	corporate environment spread over semi-autonomous administrative
	realms.  Just telling people to upgrade does not always work.
	You need to go out and verify that they have done this.  Logging
	onto each and every box is not a solution that scales.

	Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com
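The verification step Mark describes, checking banners collected by an audit tool such as scanssh rather than logging onto each box, as an added example that is not part of the thread. The host names, the banner inventory and the `FreeBSD-<date>` comment tag used to mark the patched build are constructed for the example; the banner layout is the standard `SSH-protoversion-softwareversion SP comments` identification string.

```python
import re

# Constructed inventory of sshd identification strings, keyed by host, as a
# banner-collecting audit tool would record them (all values are made up).
INVENTORY = {
    "host-a": "SSH-1.99-OpenSSH_2.3.0",                   # stock 2.3.0
    "host-b": "SSH-1.99-OpenSSH_2.3.0 FreeBSD-20010321",  # hypothetical vendor fix tag
    "host-c": "SSH-2.0-OpenSSH_2.5.2",                    # later release
    "host-d": "SSH-1.5-1.2.27",                           # ssh1-era daemon
}

# SSH-<protoversion>-<softwareversion>[ <comments>]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<sw>\S+)(?: (?P<comment>.*))?$")


def parse_banner(banner):
    """Split an identification string into proto, sw and comment (or None)."""
    m = BANNER_RE.match(banner.strip())
    return m.groupdict() if m else None


def needs_attention(banner, vulnerable_sw="OpenSSH_2.3.0", fixed_tags=("FreeBSD-",)):
    """True when the banner names the vulnerable release and carries no fix tag.

    A banner that does not parse is also flagged so an admin looks at it.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return True
    if parsed["sw"] != vulnerable_sw:
        return False
    comment = parsed["comment"] or ""
    return not any(tag in comment for tag in fixed_tags)


def audit(inventory):
    """Return the sorted list of hosts still reporting an unpatched banner."""
    return sorted(host for host, banner in inventory.items() if needs_attention(banner))


if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(f"{host}: {INVENTORY[host]}")
```

Without the vendor comment tag, host-a and host-b are indistinguishable from the banner alone, which is exactly the trade-off the thread is arguing over.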
