From owner-freebsd-stable Sun Mar 25 18:23: 0 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id 8ABCE37B718 for ; Sun, 25 Mar 2001 18:22:54 -0800 (PST) (envelope-from marka@nominum.com)
Received: from nominum.com (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.11.2/8.11.2) with ESMTP id f2Q2MpT10302 for ; Mon, 26 Mar 2001 12:22:52 +1000 (EST) (envelope-from marka@nominum.com)
Message-Id: <200103260222.f2Q2MpT10302@drugs.dv.isc.org>
To: freebsd-stable@freebsd.org
From: Mark.Andrews@nominum.com
Subject: Re: sshd revealing too much stuff.
In-reply-to: Your message of "Sun, 25 Mar 2001 04:34:24 EST." <20010325043424.B19617@pir.net>
Date: Mon, 26 Mar 2001 12:22:51 +1000
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Kris Kennaway probably said:
> > Making it easy for the _administrator_ to get information that is
> > useful for administration is a good thing.
>
> This can be done without providing the same information to an
> attacker.
>
> > Think about the audit for vulnerable versions of SSH using
> > e.g. scanssh. How is the administrator to differentiate between the
> > standard, vulnerable, version of OpenSSH 2.3.0 and the fixed,
> > non-vulnerable version included in FreeBSD 4.2-STABLE unless it
> > reports itself differently?
>
> It's running ssh, it's accessible from the network. Put the changed
> version string in ssh --version or similar and connect to the machine
> to check it. Information does not have to be available to an attacker.
>

You obviously have not needed to deal with security in a large corporate
environment spread over semi-autonomous administrative realms. Just telling
people to upgrade does not always work. You need to go out and verify that
they have done this. Logging onto each and every box is not a solution that
scales.

Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: Mark.Andrews@nominum.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
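The fleet-verification problem Mark describes (an administrator who must confirm, across many hosts, that the vulnerable OpenSSH 2.3.0 build has been replaced by a patched one) is what tools like scanssh automate, and it only works if the patched build identifies itself differently in its SSH identification string. The following is an added example, not code from the thread or from FreeBSD: it parses SSH identification strings of the form "SSH-<protoversion>-<softwareversion> [comments]" and classifies each host against an affected-version threshold, treating a vendor patch marker in the comments field as evidence of a fixed build. The affected version, the patch-marker token `FreeBSD-localpatch`, and every banner in the sample inventory are constructed for illustration; the real FreeBSD 4.2-STABLE string is not given in the thread.

```python
"""Audit SSH identification banners for known-vulnerable builds.

Added example, not from the mailing-list thread. It assumes:
  * banners follow the SSH identification string format
    "SSH-<protoversion>-<softwareversion>[ <comments>]",
  * a vendor marks a locally patched build by appending a comment
    token; the token and the sample banners below are constructed.
"""
import re
import socket
from typing import NamedTuple, Optional, Tuple

# protoversion and softwareversion contain no whitespace or '-';
# everything after the first space is the free-form comments field.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$"
)


class Banner(NamedTuple):
    proto: str
    software: str
    comments: str


def parse_banner(line: str) -> Optional[Banner]:
    """Split one identification line into its three fields, or None."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return Banner(m.group("proto"), m.group("software"), m.group("comments") or "")


def software_version(software: str) -> Tuple[str, Tuple[int, ...]]:
    """Turn 'OpenSSH_2.3.0p1' into ('OpenSSH', (2, 3, 0)); portable suffixes are dropped."""
    name, _, ver = software.partition("_")
    nums = re.findall(r"\d+", ver)
    return name, tuple(int(n) for n in nums[:3])


# Constructed advisory data: OpenSSH at or below this version is treated as
# affected unless the banner carries a vendor patch marker (also constructed).
AFFECTED_MAX = (2, 3, 0)
PATCH_MARKERS = ("FreeBSD-localpatch",)


def classify(line: str) -> str:
    """Return one of: unparsable, other-software, fixed, fixed-vendor-patch, vulnerable."""
    b = parse_banner(line)
    if b is None:
        return "unparsable"
    name, ver = software_version(b.software)
    if name != "OpenSSH":
        return "other-software"
    if ver > AFFECTED_MAX:
        return "fixed"
    if any(marker in b.comments for marker in PATCH_MARKERS):
        return "fixed-vendor-patch"
    return "vulnerable"


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from one of your own hosts (not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        # The server may send other lines before the SSH- line; skip them.
        for raw in f:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification line received")


def audit(inventory: dict) -> dict:
    """Map host -> classification for an inventory of {host: banner_line}."""
    return {host: classify(line) for host, line in inventory.items()}


# Constructed banners, not captured from real hosts.
SAMPLE_INVENTORY = {
    "host-a": "SSH-1.99-OpenSSH_2.3.0",
    "host-b": "SSH-1.99-OpenSSH_2.3.0 FreeBSD-localpatch 20010321",
    "host-c": "SSH-2.0-OpenSSH_2.5.2p2",
    "host-d": "SSH-1.5-1.2.27",
    "host-e": "garbage",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

In practice the inventory would be filled by `fetch_banner` over the hosts an administrator is responsible for, and the "vulnerable" and "unparsable" entries are the ones to follow up on; the point of the thread is that without a distinguishing marker in the banner, "host-a" and "host-b" would be indistinguishable to this kind of audit.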