Date:      Mon, 26 Mar 2001 11:54:43 -0800
From:      "Michael A. Dickerson" <mikey@singingtree.com>
To:        "\"Duwde (Fabio V. Dias)\"" <duwde@duwde.com.br>
Cc:        <freebsd-security@freebsd.org>
Subject:   Re: SSHD revelaing too much information.
Message-ID:  <005f01c0b62e$9cab5980$db9497cf@singingtree.com>
References:  <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw>

Uh, Kris Kennaway was the first to respond to you on -stable, and the first
to disagree that this is a problem.  He *is* the FreeBSD Security Officer.

As others pointed out, it is trivial to determine the OS of a remote host.
As others pointed out, it is extremely useful for the legitimate
administrator of a system to be able to query the version of various
services remotely.  You may even have a legitimate reason to audit the
services on machines you don't have an account on.  Suppose you're
responsible for an academic network, where people can run anything they
want.  But, you still need to be sure that students' machines don't get
rooted, for your own health and welfare.  If everybody strips all the
version information out of their services in the name of "security", you
will be reduced to running the exploits one after another to see if they
work.

Another example: after the recent bind circus, I screwed up one machine so
that it restarted the old bind after a power failure.  I caught it because I
ran an easy "version.bind. chaos txt" query.  If I had to log in to that
machine and do bind --version or the like, I might not have caught it for
weeks (besides which, bind --version would have probably falsely reported
9.x).  Sure, that was my fault, but I know I'm going to screw up sometimes.

Yet another reason that I don't think anyone pointed out--let's say there's
a bug in OpenSSH 2.3.47 that makes it inoperable with some future version of
the ssh client.  NOT a remote exploit, just a bug.  (e.g. the MAC bug in
some commercial versions of ssh.)  If sshd reports its version accurately
upon connection (which by the way is a basic part of the SSH protocol), the
client can activate a workaround when it connects to a broken sshd.  If not,
then it's up to you to guess what the problem is.  This happens a few times,
and you have 2^n possible settings to guess among, where n is the number of
such bugs in various ssh daemons.

I understand the desire not to reveal any more information than is
necessary; that's why we disable finger, daytime, etc.  That's fine when you
only have to manage one or two machines and you can easily remember what's
running at any given time.  In that case there's nothing stopping you from
changing the "version" to whatever you want.  Unfortunately
security-by-obscurity doesn't scale past the 1 or 2 boxes.  If this were a
democracy, I vote with the majority; please *don't* munge the version
reported by sshd.

M.D.

----- Original Message -----
From: ""Duwde (Fabio V. Dias)"" <duwde@duwde.com.br>
Newsgroups: mailing.freebsd.security
Sent: Monday, March 26, 2001 11:15 AM
Subject: SSHD revelaing too much information.


> To the FreeBSD Security Officer & FreeBSD Security List.
> (Please reply, if need, to my email too)
>
> I've already posted this at FreeBSD-stable@freebsd.org but it
> seems some people haven't agreed on this issue, so I'm posting
> this here, as it's security related.
>
> As of 2001/03/22 we have :  (and it's still on 4.x-stable of today,
> 4.3-RC)
>
> --
> bash-2.04$ cat /usr/src/crypto/openssh/version.h
> /* $FreeBSD: src/crypto/openssh/version.h,v 1.1.1.1.2.4 2001/03/22
> 00:30:56 green Exp $ */
> /* $OpenBSD: version.h,v 1.13 2000/10/16 09:38:45 djm Exp $ */
>
> #define SSH_VERSION "OpenSSH_2.3.0 green@FreeBSD.org 20010321"
> bash-2.04$
> --
>
> It seems some fixes have been made on OpenSSH 2.3.0 or so, and the string
> "green@FreeBSD.org 20010321" has been added to SSH_VERSION. The problem
> is that this is used in the initial SSHD login procedure :
>
> --
> bash-2.04$ telnet localhost 22
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
> --
>
> So as SSHD is a daemon USUALLY enabled to the whole internet,
> anyone can find out what OS (FreeBSD), and what SSHD *cvsuped*
> version is running, as well as if it has been fixed or NOT.
>
> So targeting attacks to unfixed SSHDs running FreeBSD would be
> made easier, as well as any other attacks in the future, 'cause
> there will be no doubt of what OS the host is running. (plus
> a good idea of its version, using the 20010321 string)
>
> Btw, there is no need to let anyone know if the SSHD is fixed
> or NOT, nor the OS version, and SSHD exact modification date
> by the freebsd team. Is there ?
>
> Please let me know if I'm missing something...
>
> --
> Fabio Vilan Dias / Duwde <duwde@duwde.com.br>
> PGP key @ http://www.duwde.com.br/duwdepgp.asc
> FP = BB35 50F2 7F83 655D  6B11 F0A2 F8E2 FF3D
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
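The inventory check Dickerson argues for (an administrator reading the version string sshd sends at connection time and spotting hosts still running an unfixed build), as an added Python example that is not part of the original thread. The banner format, the OpenSSH_2.3.0 string and the 20010321 build stamp come from the quoted message; the other sample banners and the "fixed_build" cutoff are constructed here.

```python
import re
from typing import Dict, Iterable, NamedTuple, Optional

# SSH identification string sent by the server on connect:
#   SSH-<protoversion>-<softwareversion>[ <comments>]
# The FreeBSD build quoted in the thread is "OpenSSH_2.3.0 green@FreeBSD.org 20010321".
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


class SshBanner(NamedTuple):
    proto: str
    software: str
    comments: str


def parse_banner(line: str) -> SshBanner:
    """Split a server identification line into protocol, software and comment fields."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m.group("proto"), m.group("software"), m.group("comments") or "")


def freebsd_build_date(banner: SshBanner) -> Optional[str]:
    """Return the YYYYMMDD stamp the FreeBSD team appends to the comment field, if any."""
    m = re.search(r"\b(\d{8})\b", banner.comments)
    return m.group(1) if m else None


def audit(banner_line: str, fixed_build: str = "20010321") -> str:
    """Classify one host as the admin in the thread would: patched, stale or unknown."""
    b = parse_banner(banner_line)
    if not b.software.startswith("OpenSSH_"):
        return "unknown"          # not OpenSSH at all; nothing to compare against
    stamp = freebsd_build_date(b)
    if stamp is None:
        return "unknown"          # OpenSSH, but no FreeBSD build stamp to go on
    return "patched" if stamp >= fixed_build else "stale"   # YYYYMMDD sorts as text


# Constructed sample banners; only the first one is quoted in the thread.
SAMPLE_BANNERS = [
    "SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321",
    "SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010115",   # constructed: older stamp
    "SSH-1.99-OpenSSH_2.3.0",                               # constructed: stamp stripped
    "SSH-2.0-SomeOtherSSH_1.0 (constructed)",               # constructed: not OpenSSH
]


def audit_all(lines: Iterable[str]) -> Dict[str, str]:
    return {line: audit(line) for line in lines}


if __name__ == "__main__":
    for line, verdict in audit_all(SAMPLE_BANNERS).items():
        print(f"{verdict:8} {line}")
```

Note that the third banner is exactly the case the reply warns about: with the stamp stripped, the audit can no longer tell a fixed daemon from an unfixed one.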


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?005f01c0b62e$9cab5980$db9497cf>