Date: Thu, 16 Sep 2021 17:27:10 -0400
From: Ed Maste <emaste@freebsd.org>
To: Ronald Klop <ronald-lists@klop.ws>
Cc: src-committers <src-committers@freebsd.org>, "<dev-commits-src-all@freebsd.org>" <dev-commits-src-all@freebsd.org>, dev-commits-src-main@freebsd.org
Subject: Re: git: b0025f9b7ff0 - main - openssh: update default version addendum in man pages
Message-ID: <CAPyFy2BDY6U1NzPNuZm-CzsyXx-jyhGkk28+k789Q2LGM=22SA@mail.gmail.com>
In-Reply-To: <d53da9bb-c59b-1604-6e88-899e06f31df9@klop.ws>
References: <202109041534.184FYq6n093346@gitrepo.freebsd.org> <d53da9bb-c59b-1604-6e88-899e06f31df9@klop.ws>
On Sun, 5 Sept 2021 at 12:26, Ronald Klop <ronald-lists@klop.ws> wrote:
>
> I'm wondering why the FreeBSD project adds this information to the banner by default. I learned that not exposing information about the running system is good security practice.
> Any thoughts about this? What is the gain of this banner?

Like many things it's a tradeoff. Adding the version to sshd's banner provides an easy way for an administrator to confirm that an update has been applied (assuming that the version is updated). Conversely, it's even easier (for an attacker) to connect and just attempt some misbehaviour than it would be to check this version string first.

We introduced the VersionAddendum here:

commit 933ca70f8f888b7fc1b06213198ba15ca346aeca
Author: Brian Feldman <green@FreeBSD.org>
Date:   Thu May 3 00:29:28 2001 +0000

    Add a "VersionAddendum" configuration setting for sshd which allows
    anyone to easily change the part of the OpenSSH version after the main
    version number. The FreeBSD-specific version banner could be disabled
    that way, for example:

    # Call ourselves plain OpenSSH
    VersionAddendum

    Notes:
    svn path=/head/; revision=76227

Upstream adopted it here:

commit 23528816dc10165b3bc009f2ab5fdf1653db418c
Author: Damien Miller <djm@mindrot.org>
Date:   Sun Apr 22 11:24:43 2012 +1000

    - djm@cvs.openbsd.org 2012/04/12 02:42:32
      [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
      VersionAddendum option to allow server operators to append some
      arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@

Now, we support it for both the client and server while upstream supports it for the server only. I suspect there isn't a lot of value in the client-side support, and am considering removing it to reduce the differences between our in-tree ssh and upstream, and ease future OpenSSH updates.
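The administrator's check described in the reply above (reading the banner to confirm an update landed), as an added example that is not code from this mail, from FreeBSD or from OpenSSH: a parser for the RFC 4253 section 4.2 identification line, which is where VersionAddendum text ends up (the "comments" field after the space), and a check that the reported version and addendum are the expected ones. The banner byte strings, the addendum dates and the function names are constructed for the example and are not captured from any real host.

```python
"""Parse and check an SSH server identification string (RFC 4253, section 4.2).

Added example for this thread; not code from the mail, FreeBSD or OpenSSH.
The banners below are constructed, not captured from real hosts, and the
FreeBSD addendum values in them are illustrative assumptions.
"""
import re
from typing import NamedTuple, Optional, Tuple


class Banner(NamedTuple):
    protoversion: str        # e.g. "2.0"
    softwareversion: str     # e.g. "OpenSSH_8.7"
    comments: Optional[str]  # the part VersionAddendum appends; None if absent


def parse_identification(data: bytes) -> Banner:
    """Parse the raw bytes a server sends before key exchange.

    RFC 4253 4.2: the line is 'SSH-protoversion-softwareversion SP comments CR LF'
    and the server may send other lines before it, which clients must ignore.
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # pre-banner text, ignored per RFC 4253
        text = line.decode("ascii")  # the RFC requires printable US-ASCII
        ident, _, comments = text.partition(" ")
        parts = ident.split("-", 2)
        if len(parts) != 3 or not parts[1] or not parts[2]:
            raise ValueError(f"malformed identification line: {text!r}")
        return Banner(parts[1], parts[2], comments or None)
    raise ValueError("no SSH identification line found")


def openssh_version(banner: Banner) -> Optional[Tuple[int, ...]]:
    """Return the numeric OpenSSH version, e.g. (8, 7), or None for other software.

    Portable OpenSSH may append a 'pN' patch level (OpenSSH_8.7p1); it is
    accepted and dropped so the comparison is on the upstream release number.
    """
    m = re.fullmatch(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?", banner.softwareversion)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)))


def update_applied(data: bytes, min_version: Tuple[int, ...],
                   expected_addendum: Optional[str] = None) -> bool:
    """The administrator's check from the mail: does the banner show the update?

    True when the server reports OpenSSH at or above min_version and, if an
    addendum is expected, exactly that addendum. A server configured with an
    empty VersionAddendum ("call ourselves plain OpenSSH") still passes the
    version check but cannot be confirmed through the addendum.
    """
    banner = parse_identification(data)
    version = openssh_version(banner)
    if version is None or version < min_version:
        return False
    if expected_addendum is not None and banner.comments != expected_addendum:
        return False
    return True


# Constructed sample banners (assumed values, not captured from real hosts).
FREEBSD_BANNER = b"SSH-2.0-OpenSSH_8.7 FreeBSD-20210907\r\n"
PLAIN_BANNER = b"SSH-2.0-OpenSSH_8.7\r\n"          # empty VersionAddendum
OLD_WITH_PREAMBLE = b"Welcome\r\nSSH-2.0-OpenSSH_8.4 FreeBSD-20210326\r\n"

if __name__ == "__main__":
    for name, data in [("freebsd", FREEBSD_BANNER), ("plain", PLAIN_BANNER),
                       ("old", OLD_WITH_PREAMBLE)]:
        b = parse_identification(data)
        print(name, b, "updated:", update_applied(data, (8, 7), "FreeBSD-20210907"))
```

In practice the bytes come from the first line a server sends, for instance from `nc host 22 </dev/null | head -n1`, or from the "remote software version" line in `ssh -v` output. The PLAIN_BANNER case shows the limit of the check that the tradeoff in the mail turns on: with the addendum blanked, the banner no longer confirms which FreeBSD build is running, and, as the reply notes, an attacker gains little from the string either way since they can simply try the misbehaviour.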