Date: Tue, 27 Mar 2001 14:08:17 -0500
From: Garance A Drosihn <drosih@rpi.edu>
To: cjclark@alum.mit.edu
Cc: Robert Watson <rwatson@FreeBSD.ORG>, Kris Kennaway <kris@obsecurity.org>, Nate Williams <nate@yogotech.com>, "Michael A. Dickerson" <mikey@singingtree.com>, "Duwde (Fabio V. Dias)" <duwde@duwde.com.br>, freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Message-ID: <p05010407b6e693b73e7c@[128.113.24.47]>
In-Reply-To: <20010327005503.J5425@rfx-216-196-73-168.users.reflex>
References: <Pine.NEB.3.96L.1010326205118.81313D-100000@fledge.watson.org> <p05010404b6e5bb325d3c@[128.113.24.47]> <20010327005503.J5425@rfx-216-196-73-168.users.reflex>
At 12:55 AM -0800 3/27/01, Crist J. Clark wrote:
>On Mon, Mar 26, 2001, Garance A Drosihn wrote:
>
>> One thing I was wondering is if the version information could be
>> delayed until the user has successfully authenticated to some user
>> on the destination host.
>
>SSH needs to know the version before it can negotiate the
>authentication. Read the draft. Passing the version number in
>plaintext at the start of the connection is not feasible to
>workaround and does not really get you much.
>
>This whole thread is about if for this version string,
>
> OpenSSH_2.3.0 green@FreeBSD.org 20010321
>
>The 'green@FreeBSD.org 20010321' is too much information. The
>'OpenSSH_2.3.0' part is required for the protocol.

My apologies, I worded that really stupidly. At the very least,
there should have been an 'extra' in what I said...

My thought was that the EXTRA version information would be displayed
after authentication was complete. Ie, send the 'OpenSSH_2.3.0' part
where the protocol needs it, and send the 'green@FreeBSD.org 20010321'
part (perhaps with even more details) in the output of '-v'. I've been
doing a lot of 'ssh -v'-ing lately, as I set up some new hosts, so this
seemed an obvious way to make the info available. The EXTRA info, I
mean... :-)

The idea would be to give administrators the ability to easily
determine the precise version info, without giving "unknown outsiders"
(ie, unauthenticated connections) that information.

--
Garance Alistair Drosehn    =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer         or  gad@freebsd.org
Rensselaer Polytechnic Institute  or  drosih@rpi.edu
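The split the thread argues over (the protocol-required software version versus the trailing comment) is visible in the identification line itself, so an administrator can audit what their own sshd advertises. The following is an added example, not code from this thread or from OpenSSH: it parses an identification line in the `SSH-protoversion-softwareversion SP comments CR LF` layout later fixed in RFC 4253 (the draft the reply refers to) and reports what sits beyond the required part. The `SSH-1.99-` prefix on the sample banner is assumed; the page quotes only the part after it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Identification line layout (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# softwareversion cannot contain whitespace, so everything after the
# first space is the optional comments field.
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


@dataclass
class SshIdent:
    protoversion: str
    softwareversion: str       # the part the protocol needs ("OpenSSH_2.3.0")
    comments: Optional[str]    # the part the thread calls "too much information"


def parse_ident(line: bytes) -> SshIdent:
    """Parse one identification line as received on the wire (CR LF terminated)."""
    text = line.rstrip(b"\r\n").decode("ascii")
    m = _IDENT_RE.match(text)
    if not m:
        raise ValueError(f"not an SSH identification line: {text!r}")
    return SshIdent(m["proto"], m["software"], m["comments"])


def excess_disclosure(ident: SshIdent) -> List[str]:
    """Describe what the banner reveals beyond the required software version."""
    findings = []
    if ident.comments:
        findings.append(f"comments field present: {ident.comments!r}")
        if re.search(r"\b\d{8}\b", ident.comments):
            findings.append("comments carry a date-like build stamp")
        if "@" in ident.comments:
            findings.append("comments carry an e-mail address (builder identity)")
    return findings


if __name__ == "__main__":
    # Constructed sample banners: the thread's string, and a minimal one.
    for banner in (b"SSH-1.99-OpenSSH_2.3.0 green@FreeBSD.org 20010321\r\n",
                   b"SSH-2.0-OpenSSH_2.3.0\r\n"):
        ident = parse_ident(banner)
        print(ident.softwareversion, excess_disclosure(ident) or "nothing beyond the required part")
```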