From: Ed Maste
Date: Thu, 16 Sep 2021 17:27:10 -0400
Subject: Re: git: b0025f9b7ff0 - main - openssh: update default version addendum in man pages
To: Ronald Klop
Cc: src-committers, dev-commits-src-main@freebsd.org
List-Id: Commit messages for all branches of the src repository

On Sun, 5 Sept 2021 at 12:26, Ronald Klop wrote:
>
> I'm wondering why the FreeBSD project adds this information to the banner by default. I learned that not exposing information about the running system is good security practice.
> Any thoughts about this? What is the gain of this banner?

Like many things it's a tradeoff.
Adding the version to sshd's banner provides an easy way for an administrator to confirm that an update has been applied (assuming that the version is updated). Conversely, it's even easier (for an attacker) to connect and just attempt some misbehaviour than it would be to check this version string first.

We introduced the VersionAddendum here:

commit 933ca70f8f888b7fc1b06213198ba15ca346aeca
Author: Brian Feldman
Date:   Thu May 3 00:29:28 2001 +0000

    Add a "VersionAddendum" configuration setting for sshd which allows
    anyone to easily change the part of the OpenSSH version after the
    main version number. The FreeBSD-specific version banner could be
    disabled that way, for example:

        # Call ourselves plain OpenSSH
        VersionAddendum

    Notes:
        svn path=/head/; revision=76227

Upstream adopted it here:

commit 23528816dc10165b3bc009f2ab5fdf1653db418c
Author: Damien Miller
Date:   Sun Apr 22 11:24:43 2012 +1000

    - djm@cvs.openbsd.org 2012/04/12 02:42:32
      [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
      VersionAddendum option to allow server operators to append some
      arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@

Now, we support it for both the client and server while upstream supports it for the server only. I suspect there isn't a lot of value in the client-side support, and am considering removing it to reduce the differences between our in-tree ssh and upstream, and ease future OpenSSH updates.
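One concrete form of the administrator-side check Ed describes, as an added example that is not part of this thread and not FreeBSD's or OpenSSH's own code: it parses the server's identification line in the RFC 4253 layout, where the VersionAddendum text appears as the comments field, and compares it with the release the administrator expects. The banner strings and the "FreeBSD-2021xxxx" addendum values are constructed samples, not values from the page.

```python
"""Check an sshd banner against the release an administrator expects.
Added example, not FreeBSD's or OpenSSH's code; banner strings and the
"FreeBSD-2021xxxx" addendum values below are constructed samples."""
import re
import socket
from typing import NamedTuple, Optional

# RFC 4253 s4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF
# FreeBSD's VersionAddendum (and upstream's, since 2012) lands in "comments".
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

class Banner(NamedTuple):
    proto: str
    software: str            # e.g. "OpenSSH_8.7"
    comments: Optional[str]  # e.g. "FreeBSD-20210907" (constructed), or None

def parse_banner(line: str) -> Banner:
    """Split one identification line; ValueError if it is not one."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m["proto"], m["software"], m["comments"])

def openssh_version(b: Banner) -> Optional[tuple]:
    """(major, minor, patchlevel) for OpenSSH banners, None for anything else."""
    m = re.match(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?$", b.software)
    return None if m is None else tuple(int(x) for x in m.groups(default="0"))

def banner_is_current(line: str, expected: tuple, addendum: Optional[str] = None) -> bool:
    """The admin-side check from the thread: at least the expected (major, minor),
    and, if given, the addendum the patched build carries.  A host configured with
    `VersionAddendum none` sends no comments, so an addendum check fails there."""
    b = parse_banner(line)
    v = openssh_version(b)
    if v is None or v[:2] < tuple(expected):
        return False
    return addendum is None or b.comments == addendum

def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line (sent before anything else; RFC 4253
    allows other lines ahead of it, which are skipped)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace", newline="\n")
        for line in f:
            if line.startswith("SSH-"):
                return line
    raise ValueError(f"{host}:{port} sent no identification string")
```

Against a live host, `banner_is_current(fetch_banner("host.example"), (8, 7), "FreeBSD-20210907")` answers the question the thread raises: whether the banner still carries enough to confirm the update, which it does not once VersionAddendum is cleared.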