From: "Michael A. Dickerson"
To: "Duwde (Fabio V. Dias)"
References: <99o4ge$1h7n$1@FreeBSD.csie.NCTU.edu.tw>
Subject: Re: SSHD revelaing too much information.
Date: Mon, 26 Mar 2001 11:54:43 -0800
Message-ID: <005f01c0b62e$9cab5980$db9497cf@singingtree.com>
Sender: owner-freebsd-security@FreeBSD.ORG

Uh, Kris Kennaway was the first to respond to you on -stable, and the first to disagree that this is a problem. He *is* the FreeBSD Security Officer.

As others pointed out, it is trivial to determine the OS of a remote host.

As others pointed out, it is extremely useful for the legitimate administrator of a system to be able to query the version of various services remotely. You may even have a legitimate reason to audit the services on machines you don't have an account on. Suppose you're responsible for an academic network, where people can run anything they want. But, you still need to be sure that students' machines don't get rooted, for your own health and welfare. If everybody strips all the version information out of their services in the name of "security", you will be reduced to running the exploits one after another to see if they work.
Another example: after the recent bind circus, I screwed up one machine so that it restarted the old bind after a power failure. I caught it because I ran an easy "version.bind. chaos txt" query. If I had to log in to that machine and do bind --version or the like, I might not have caught it for weeks (besides which, bind --version would have probably falsely reported 9.x). Sure, that was my fault, but I know I'm going to screw up sometimes.

Yet another reason that I don't think anyone pointed out--let's say there's a bug in OpenSSH 2.3.47 that makes it inoperable with some future version of the ssh client. NOT a remote exploit, just a bug. (e.g. the MAC bug in some commercial versions of ssh.) If sshd reports its version accurately upon connection (which by the way is a basic part of the SSH protocol), the client can activate a workaround when it connects to a broken sshd. If not, then it's up to you to guess what the problem is. This happens a few times, and you have 2^n possible settings to guess among, where n is the number of such bugs in various ssh daemons.

I understand the desire not to reveal any more information than is necessary; that's why we disable finger, daytime, etc. That's fine when you only have to manage one or two machines and you can easily remember what's running at any given time. In that case there's nothing stopping you from changing the "version" to whatever you want. Unfortunately security-by-obscurity doesn't scale past the 1 or 2 boxes.

If this were a democracy, I vote with the majority; please *don't* munge the version reported by sshd.

M.D.

----- Original Message -----
From: "Duwde (Fabio V. Dias)"
Newsgroups: mailing.freebsd.security
Sent: Monday, March 26, 2001 11:15 AM
Subject: SSHD revelaing too much information.

> To the FreeBSD Security Officer & FreeBSD Security List.
> (Please reply, if needed, to my email too)
>
> I've already posted this at FreeBSD-stable@freebsd.org but it
> seems some people haven't agreed on this issue, so I'm posting
> this here, as it's security related.
>
> As of 2001/03/22 we have: (and it's still on 4.x-stable of today,
> 4.3-RC)
>
> --
> bash-2.04$ cat /usr/src/crypto/openssh/version.h
> /* $FreeBSD: src/crypto/openssh/version.h,v 1.1.1.1.2.4 2001/03/22 00:30:56 green Exp $ */
> /* $OpenBSD: version.h,v 1.13 2000/10/16 09:38:45 djm Exp $ */
>
> #define SSH_VERSION "OpenSSH_2.3.0 green@FreeBSD.org 20010321"
> bash-2.04$
> --
>
> It seems some fixes have been made on OpenSSH 2.3.0 or so, and the string
> "green@FreeBSD.org 20010321" has been added to SSH_VERSION. The problem
> is that this is used in the initial SSHD login procedure:
>
> --
> bash-2.04$ telnet localhost 22
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
> --
>
> So as SSHD is a daemon USUALLY enabled to the whole internet,
> anyone can find out what OS (FreeBSD), and what SSHD *cvsuped*
> version is running. As well as if it has been fixed or NOT.
>
> So targeting attacks to unfixed SSHDs running FreeBSD would be
> made easier, as well as any other attacks in the future, 'cause
> there will be no doubt of what OS the host is running. (plus
> a good idea of its version, using the 20010321 string)
>
> Btw, there is no need to let anyone know if the SSHD is fixed
> or NOT, nor the OS version, and SSHD exact modification date
> by the freebsd team. Is there?
>
> Please let me know if I'm missing something...
>
> --
> Fabio Vilan Dias / Duwde
> PGP key @ http://www.duwde.com.br/duwdepgp.asc
> FP = BB35 50F2 7F83 655D 6B11 F0A2 F8E2 FF3D
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
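An added example, not from this thread and not FreeBSD or OpenSSH code: a small Python inventory helper in the spirit of the remote version check the reply argues for. It parses the identification line the quoted telnet session shows (SSH-protoversion-softwareversion with an optional comment field), flags hosts running below an expected OpenSSH release and reports whether the comment field carries a vendor/build tag like the one the original poster objects to. The `minimum` baseline and any host names passed to `fetch_banner` are assumptions.

```python
import re
import socket
from typing import Optional

# Identification line per the SSH protocol: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def parse_banner(line: str) -> Optional[dict]:
    """Split an identification line into protocol, software and comment fields."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["comments"] = fields["comments"] or ""  # the comment field is optional
    return fields

def openssh_version(software: str) -> Optional[tuple]:
    """'OpenSSH_2.3.0' -> (2, 3, 0); None for software strings we do not parse."""
    m = re.match(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?", software)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def audit_banner(line: str, minimum: tuple = (2, 3, 0)) -> Optional[dict]:
    """Classify one banner for an inventory: below the expected release, and does the
    comment field carry a vendor/build tag?  `minimum` is a hypothetical baseline."""
    fields = parse_banner(line)
    if fields is None:
        return None
    ver = openssh_version(fields["software"])
    return {
        "proto": fields["proto"],
        "software": fields["software"],
        "version": ver,
        "below_minimum": ver is not None and ver < minimum,
        "vendor_comment": fields["comments"],
    }

def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line; it is sent before any key exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = sock.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()

if __name__ == "__main__":
    # Offline run over a constructed sample copied from the banner quoted in the thread.
    print(audit_banner("SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321"))
```

Against a live host you would feed `fetch_banner(host)` into `audit_banner`; the parsing and classification run offline on the sample.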