From owner-freebsd-security Tue Mar 27 11: 8:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id 5D80137B71B; Tue, 27 Mar 2001 11:08:26 -0800 (PST) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id OAA77104; Tue, 27 Mar 2001 14:08:19 -0500
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Message-Id:
In-Reply-To: <20010327005503.J5425@rfx-216-196-73-168.users.reflex>
References: <20010327005503.J5425@rfx-216-196-73-168.users.reflex>
Date: Tue, 27 Mar 2001 14:08:17 -0500
To: cjclark@alum.mit.edu
From: Garance A Drosihn
Subject: Re: SSHD revelaing too much information.
Cc: Robert Watson, Kris Kennaway, Nate Williams, "Michael A. Dickerson", "Duwde (Fabio V. Dias)", freebsd-security@FreeBSD.ORG
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:55 AM -0800 3/27/01, Crist J. Clark wrote:
>On Mon, Mar 26, 2001, Garance A Drosihn wrote:
>
>> One thing I was wondering is if the version information could be
>> delayed until the user has successfully authenticated to some user
>> on the destination host.
>
>SSH needs to know the version before it can negotiate the
>authentication. Read the draft. Passing the version number in
>plaintext at the start of the connection is not feasible to
>work around and does not really get you much.
>
>This whole thread is about whether, for this version string,
>
>    OpenSSH_2.3.0 green@FreeBSD.org 20010321
>
>the 'green@FreeBSD.org 20010321' is too much information. The
>'OpenSSH_2.3.0' part is required for the protocol.

My apologies, I worded that really stupidly. At the very least,
there should have been an 'extra' in what I said... My thought
was that the EXTRA version information would be displayed after
authentication was complete.
I.e., send the 'OpenSSH_2.3.0' part where the protocol needs it,
and send the 'green@FreeBSD.org 20010321' part (perhaps with even
more details) in the output of '-v'. I've been doing a lot of
'ssh -v'-ing lately, as I set up some new hosts, so this seemed
an obvious way to make the info available. The EXTRA info, I
mean... :-)

The idea would be to give administrators the ability to easily
determine the precise version info, without giving "unknown
outsiders" (i.e., unauthenticated connections) that information.

-- 
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
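The identification string the thread argues about, as an added example that is not part of the message, OpenSSH, or FreeBSD: a small reader for the SSH banner format from the transport draft Crist refers to ("SSH-protoversion-softwareversion SP comments CR LF", later RFC 4253 section 4.2). It splits a banner into the part negotiation needs and the comments field that carries the 'green@FreeBSD.org 20010321' extra, and shows what the line would look like with that extra removed. The names SshIdent, parse_banner, read_ident, ident_from_bytes, minimal_banner and SAMPLE_BANNER are this example's own; the sample bytes are constructed, and the SSH-1.99 protocol prefix is an assumption about what that OpenSSH release advertised, not something the message states.

```python
"""Parse SSH identification strings (the plaintext version banner).

Added example; not code from the mailing-list thread, OpenSSH or FreeBSD.
Banner format per the SSH transport draft (later RFC 4253, section 4.2):

    SSH-protoversion-softwareversion SP comments CR LF

Only "SSH-protoversion-softwareversion" is needed for negotiation; the
optional comments field is the "extra" information the thread is about.
"""
import io
import re
from dataclasses import dataclass
from typing import BinaryIO, Optional

# Lenient on softwareversion: the draft forbids '-' and whitespace in it,
# but real servers are not always compliant, so only whitespace ends it.
BANNER_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<soft>[^ \t\r\n]+)(?: (?P<comments>.*))?$"
)
MAX_BANNER_LEN = 255      # draft limit, including CR LF
MAX_PREAMBLE_LINES = 64   # cap on non-banner lines tolerated before giving up


@dataclass
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_banner(line: bytes) -> SshIdent:
    """Split one identification line into its three fields."""
    if len(line) > MAX_BANNER_LEN:
        raise ValueError("identification string exceeds 255 bytes")
    m = BANNER_RE.match(line.rstrip(b"\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    comments = m.group("comments")
    return SshIdent(
        protoversion=m.group("proto").decode("ascii"),
        softwareversion=m.group("soft").decode("ascii"),
        comments=comments.decode("ascii", "replace") if comments is not None else None,
    )


def read_ident(stream: BinaryIO) -> SshIdent:
    """Read the banner as a client would: the draft lets the server send
    arbitrary lines before it, which a client must skip. The skip is
    bounded so a hostile peer cannot keep us reading forever."""
    for _ in range(MAX_PREAMBLE_LINES):
        line = stream.readline()
        if not line:
            raise ConnectionError("peer closed before sending an identification string")
        if line.startswith(b"SSH-"):
            return parse_banner(line)
    raise ValueError("too many lines before the identification string")


def ident_from_bytes(data: bytes) -> SshIdent:
    """Convenience wrapper so the reader can be exercised on captured bytes."""
    return read_ident(io.BytesIO(data))


def minimal_banner(ident: SshIdent) -> bytes:
    """Re-emit only what negotiation requires, i.e. the banner with the
    comments field removed: what an unauthenticated client would see if
    the extra detail were deferred as Garance proposes."""
    return f"SSH-{ident.protoversion}-{ident.softwareversion}\r\n".encode("ascii")


# Constructed sample: the banner quoted in the thread, with an assumed
# protoversion of 1.99 (advertised by servers speaking both protocol 1
# and 2). Not taken from the message itself.
SAMPLE_BANNER = b"SSH-1.99-OpenSSH_2.3.0 green@FreeBSD.org 20010321\r\n"

if __name__ == "__main__":
    ident = ident_from_bytes(SAMPLE_BANNER)
    print("protocol needs  :", minimal_banner(ident))
    print("extra (comments):", ident.comments)
```

Run against the sample, the split is exactly the one Crist describes: `SSH-1.99-OpenSSH_2.3.0` is the part the peer must see before key exchange, and everything after the first space is free-form comment that the protocol never interprets. The preamble handling in read_ident is there because a client that assumes the first line is the banner will mis-parse servers that print a notice first, and because an unbounded skip loop is a cheap way for a hostile server to tie up a scanner.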