Date: Tue, 27 Mar 2001 14:24:18 -0500
From: Garance A Drosihn <drosih@rpi.edu>
To: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>, freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Message-ID: <p05010401b6e69736109f@[128.113.24.47]>
In-Reply-To: <20010327220940N.matusita@jp.FreeBSD.org>
References: <p05010404b6e5bb325d3c@[128.113.24.47]> <p05010404b6e5bb325d3c@[128.113.24.47]> <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <20010327220940N.matusita@jp.FreeBSD.org>

At 10:09 PM +0900 3/27/01, Makoto MATSUSHITA wrote:
>It is natural that the first word of version string is for and only for
>OpenSSH implementation and/or the ssh protocol itself (I dunno it's
>true or not), and rest of version strings are for identifying the
>OpenSSH variants (note that our ssh implementation is *not* just a
>security-fixed OpenSSH 2.3.0, but has features which do not exist
>in the original OpenSSH by OpenBSD).

Hrm. I didn't realize this. Are those extra features something
which needs to be known early in the option-negotiation process?

Hmm. If so, then the presence of *those options* should be in
the version string, even though the extra-precise version info
does not need to be there. Ie, have the version-response be:

    OpenSSH_2.3.0 +coolOpt1+coolOpt2

and some later line (perhaps only in -v output) include things
like who compiled ssh and exactly which versions-of-source it
was compiled from.

That way, if the ssh of some other development group likes one
of our options, they can add it without having to claim they
are our version of ssh.

-- 
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
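
The version-string layout proposed in the message above, as an added example that is not part of the original e-mail or of OpenSSH: a peer parses the identification line and tests for an option by name instead of matching a vendor or build string. The `SSH-protoversion-softwareversion SP comments` framing is from RFC 4253 section 4.2; the `+name` token convention is only the message's suggestion, and the function names and sample banners are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion is printable US-ASCII without space or '-'; comments are optional.
_ID_RE = re.compile(
    r"SSH-(?P<proto>[0-9.]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    r"(?: (?P<comments>[\x20-\x7e]*))?"
)
MAX_ID_LEN = 255  # RFC 4253 limit, including CR LF


def parse_identification(raw: bytes) -> dict:
    """Split an SSH identification line into protocol, software and options."""
    if len(raw) > MAX_ID_LEN:
        raise ValueError("identification string too long")
    # Non-ASCII bytes raise UnicodeDecodeError, a subclass of ValueError.
    line = raw.rstrip(b"\r\n").decode("ascii", errors="strict")
    m = _ID_RE.fullmatch(line)
    if m is None:
        raise ValueError("not an SSH identification string")
    comments = m.group("comments") or ""
    # Assumed convention from the message: '+name' tokens in the comment field.
    options = frozenset(re.findall(r"\+([A-Za-z0-9_]+)", comments))
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "options": options,
    }


def peer_supports(raw: bytes, option: str) -> bool:
    """Feature test that never looks at the vendor or build name."""
    return option in parse_identification(raw)["options"]


# Constructed sample banners (not captured from real servers).
SAMPLES = [
    b"SSH-2.0-OpenSSH_2.3.0 +coolOpt1+coolOpt2\r\n",  # the format proposed above
    b"SSH-2.0-OtherSSH_1.0 +coolOpt2\r\n",            # a different implementation
    b"SSH-2.0-OpenSSH_2.3.0\r\n",                     # no optional features
]

if __name__ == "__main__":
    for banner in SAMPLES:
        info = parse_identification(banner)
        print(info["software"], sorted(info["options"]))
```
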