From: Georgi Alexandrov
Date: Mon, 29 Mar 2004 15:50:38 +0300
To: freebsd-questions@freebsd.org
Subject: Re: Latest SSH?

Matthew Seaman wrote:

>On Mon, Mar 29, 2004 at 10:32:42AM +0100, Danny Woods wrote:
>
>>Hi all,
>>
>>I upgraded from 5.1 to 5.2.1p3 over the weekend, and finished off with a Nessus
>>scan to check that ssh was the only port visible to the outside world. Despite
>>a recent (i.e. last Thursday) cvsup to sync the source tree, I'm getting a
>>high severity warning about a hole in SSH based on the version number reported
>>(3.6.1p1 FreeBSD-20030924). I'm using the core ssh, not the version from ports.
>>Does anyone know if this problem is real, or a false-positive?
>
>It's false. I assume it's complaining about the problems described in
>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:15.openssh.asc
>as that's the last OpenSSH advisory published. (Not to be confused
>with the recent OpenSSL advisory). The security patches supplied fix
>the vulnerabilities, but they generally don't do that by supplying a
>whole new version of an application. Import of new versions of such
>things as OpenSSH will only happen on one of the development branches
>-- ie. HEAD (5-CURRENT) or RELENG_4 (4.9-STABLE), so RELENG_5_2 will
>stick with OpenSSH-3.6.1p1 and you'll have to wait until RELENG_5_3 in
>order to upgrade to OpenSSH-3.8p1 (or whatever the OpenSSH version is
>by the time 5.3-RELEASE comes out).
>
>>As an aside, can sshd be prevented from reporting its version number on
>>connect, or is this something that a client-app needs to know?
>
>The client app needs to know the version of the SSH protocol you're
>running -- that it gets from the 'SSH-1.99' part at the beginning of
>the banner ssh emits when you connect to port 22. The rest of what's
>printed there is not so important. Apart from the 'version addendum'
>part, you'd have to hack the source code and recompile to change
>what's printed.
>
> Cheers,
>
> Matthew

You can also change the version sshd displays by carefully editing the
binary (vi `which sshd`) directly with a suitable editor; you can just
replace 3.6.1p1 with 3.8.1p1 there and restart sshd (killall -HUP sshd).
But my opinion is that this will just give you a false state of security,
as a script kiddie could just ./run all of his exploits without looking at
the version of your sshd. A good thing is to bind sshd to a different
(higher) port, like 45622 for example, which would probably avoid
automatic scans of the network... Be creative! ;-)

regards,
Georgi Alexandrov
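
The banner fields discussed in the thread above, as an added example that is not part of the original messages: it splits an SSH identification string into protocol version, software version and comment (the "version addendum"), then triages a finding that rests on the banner alone. The sample banner is constructed from the fragments quoted in the thread, and the `fixed_in` threshold is an illustrative value, not taken from any advisory.

```python
import re

# RFC 4253 section 4.2 layout: SSH-protoversion-softwareversion SP comments
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
VERSION_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?$")

# Constructed sample, assembled from 'SSH-1.99' and '3.6.1p1 FreeBSD-20030924'.
SAMPLE = "SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924\r\n"


def parse_banner(line):
    """Return (protoversion, softwareversion, comments-or-None)."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group("proto"), m.group("software"), m.group("comments")


def openssh_version(software):
    """Return (major, minor, patch, portable) or None if not OpenSSH."""
    m = VERSION_RE.match(software)
    if m is None:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(line, fixed_in):
    """Classify a scanner finding that is based only on the banner.

    fixed_in is the upstream version tuple assumed to contain the fix
    (hypothetical input supplied by the caller).
    """
    _proto, software, comments = parse_banner(line)
    version = openssh_version(software)
    if version is None:
        return "unknown-software"
    if version >= fixed_in:
        # Still only a claim made by the banner, which can be altered.
        return "not-affected-by-version"
    # Older upstream number. A vendor comment means the OS vendor patches
    # this sshd on its own branch, so the number alone proves nothing.
    if comments:
        return "verify-against-vendor-advisory"
    return "likely-affected"


if __name__ == "__main__":
    print(parse_banner(SAMPLE))
    print(triage(SAMPLE, fixed_in=(3, 8, 0, 1)))
```

Only the first field is needed by the client for protocol negotiation; a banner match is a lead to check against the vendor's advisory and patch level, not a confirmed finding.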