Date: Tue, 27 Mar 2001 14:24:18 -0500
From: Garance A Drosihn
To: Makoto MATSUSHITA, freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
In-Reply-To: <20010327220940N.matusita@jp.FreeBSD.org>
References: <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <20010327220940N.matusita@jp.FreeBSD.org>

At 10:09 PM +0900 3/27/01, Makoto MATSUSHITA wrote:
>It is natural that the first word of version string is for and only for
>OpenSSH implementation and/or the ssh protocol itself (I dunno it's
>true or not), and rest of version strings are for identifying the
>OpenSSH variants (note that our ssh implementation is *not* just a
>security-fixed OpenSSH 2.3.0, but has features which do not exist
>in the original OpenSSH by OpenBSD).

Hrm.  I didn't realize this.  Are those extra features something
which needs to be known early in the option-negotiation process?

Hmm.  If so, then the presence of *those options* should be in
the version string, even though the extra-precise version info
does not need to be there.  I.e., have the version-response be:
      OpenSSH_2.3.0  +coolOpt1+coolOpt2
and some later line (perhaps only in -v output) include things
like who compiled ssh and exactly which versions-of-source it was
compiled from.
That way, if the ssh of some other development group likes one of
our options, they can add it without having to claim they are our
version of ssh.

-- 
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
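
An added illustration of the proposal in the message above (not part of the original post, and not OpenSSH or FreeBSD code): a parser for the SSH identification line, in the `SSH-protoversion-softwareversion SP comments` form later standardized in RFC 4253 section 4.2, that detects features from `+option` tokens in the comments field instead of matching a vendor build string. The `+name` token syntax is the message's hypothetical; the option names and sample banners are constructed for this example.

```python
import re

# Identification line: SSH-protoversion-softwareversion SP comments
# (RFC 4253 section 4.2). Both version fields are printable US-ASCII
# with no whitespace and no '-'.
_ID_RE = re.compile(r"^SSH-([!-,.-~]+)-([!-,.-~]+)(?: (.*))?$")
MAX_ID_LEN = 255  # RFC 4253 limit, including the trailing CR LF


def parse_ident(line: bytes) -> dict:
    """Split an SSH identification line into protocol, software, options."""
    if len(line) > MAX_ID_LEN:
        raise ValueError("identification string too long")
    text = line.decode("ascii").rstrip("\r\n")  # non-ASCII raises ValueError
    m = _ID_RE.match(text)
    if m is None:
        raise ValueError("not an SSH identification string")
    comments = m.group(3) or ""
    # Assumption: '+name' tokens in the comments field, as proposed in the
    # message. This is not an existing OpenSSH convention.
    options = set(re.findall(r"\+([A-Za-z0-9_]+)", comments))
    return {"proto": m.group(1), "software": m.group(2), "options": options}


def peer_supports(line: bytes, option: str) -> bool:
    """Capability check keyed on the advertised option, not on the vendor."""
    return option in parse_ident(line)["options"]


# Constructed sample banners (not captured from real servers).
OURS = b"SSH-2.0-OpenSSH_2.3.0 +coolOpt1+coolOpt2\r\n"
OTHER = b"SSH-2.0-OtherSSH_1.0 +coolOpt1\r\n"   # different vendor, same option
PLAIN = b"SSH-1.99-OpenSSH_2.3.0\r\n"           # no comments field at all

if __name__ == "__main__":
    for banner in (OURS, OTHER, PLAIN):
        info = parse_ident(banner)
        print(info["software"], sorted(info["options"]))
```

Because the check reads only the option tokens, the banner needs to carry nothing about who built the binary or from which source revision, which is the disclosure the thread is concerned with.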