Date: Mon, 29 Mar 2004 15:50:38 +0300
From: Georgi Alexandrov <g.alexandrov@bgservice.net>
To: freebsd-questions@freebsd.org
Subject: Re: Latest SSH?
Message-ID: <40681B9E.3030202@bgservice.net>
In-Reply-To: <20040329095801.GA8239@happy-idiot-talk.infracaninophile.co.uk>
References: <20040329093242.GA5633@khisanth.hopto.org> <20040329095801.GA8239@happy-idiot-talk.infracaninophile.co.uk>

Matthew Seaman wrote:

>On Mon, Mar 29, 2004 at 10:32:42AM +0100, Danny Woods wrote:
>
>>Hi all,
>>
>>I upgraded from 5.1 to 5.2.1p3 over the weekend, and finished off with a Nessus
>>scan to check that ssh was the only port visible to the outside world. Despite
>>a recent (i.e. last Thursday) cvsup to sync the source tree, I'm getting a
>>high severity warning about a hole in SSH based on the version number reported
>>(3.6.1p1 FreeBSD-20030924). I'm using the core ssh, not the version from ports.
>>Does anyone know if this problem is real, or a false-positive?
>
>It's false. I assume it's complaining about the problems described in
>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:15.openssh.asc
>as that's the last OpenSSH advisory published. (Not to be confused
>with the recent OpenSSL advisory). The security patches supplied fix
>the vulnerabilities, but they generally don't do that by supplying a
>whole new version of an application. Import of new versions of such
>things as OpenSSH will only happen on one of the development branches
>-- i.e. HEAD (5-CURRENT) or RELENG_4 (4.9-STABLE), so RELENG_5_2 will
>stick with OpenSSH-3.6.1p1 and you'll have to wait until RELENG_5_3 in
>order to upgrade to OpenSSH-3.8p1 (or whatever the OpenSSH version is
>by the time 5.3-RELEASE comes out).
>
>>As an aside, can sshd be prevented from reporting its version number on
>>connect, or is this something that a client-app needs to know?
>
>The client app needs to know the version of the SSH protocol you're
>running -- that it gets from the 'SSH-1.99' part at the beginning of
>the banner ssh emits when you connect to port 22. The rest of what's
>printed there is not so important. Apart from the 'version addendum'
>part, you'd have to hack the source code and recompile to change
>what's printed.
>
>	Cheers,
>
>	Matthew

You can also change the version sshd displays by carefully editing the
binary (vi `which sshd`) directly with a suitable editor; you can just
replace 3.6.1p1 with 3.8.1p1 there and restart sshd (killall -HUP sshd).
But my opinion is that this will just give you a false state of security,
as a script kiddie could just ./run all of his exploits without looking at
the version of your sshd.

A good thing is to bind sshd to a different (higher) port, like 45622 for
example, which would probably avoid automatic scans of the network...
Be creative! ;-)

regards,
Georgi Alexandrov
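
Added example, not part of the original message: a Python sketch that splits an SSH identification string into the protocol version a client needs and the informational software version and addendum, following the RFC 4253 layout. The sample banner is constructed from the strings quoted in the thread, and the function names and triage wording are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_BANNER = re.compile(
    r"^SSH-(?P<proto>[^\s-]+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$"
)

@dataclass
class Banner:
    proto: str               # the part a client actually needs
    software: str            # informational, e.g. OpenSSH_3.6.1p1
    comments: Optional[str]  # the 'version addendum', e.g. FreeBSD-20030924

def parse_banner(raw: bytes) -> Banner:
    line = raw.decode("ascii").rstrip("\r\n")
    if len(line) > 253:  # RFC limit is 255 bytes including CR LF
        raise ValueError("identification string too long")
    m = _BANNER.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m["proto"], m["software"], m["comments"])

def protocols_offered(b: Banner) -> List[str]:
    # "1.99" means the server speaks protocol 2.0 and also the older 1.x
    if b.proto == "1.99":
        return ["1", "2"]
    return [b.proto.split(".")[0]]

def triage(b: Banner) -> str:
    """Classify a scanner finding that rests only on the banner's version.

    Hypothetical heuristic: an addendum marks an OS vendor build, which may
    carry security patches without a change in the upstream version number.
    """
    if b.comments:
        return "banner-only evidence, vendor build: check vendor advisories"
    return "banner-only evidence: check the installed package version"

# Constructed sample: the version reported in the thread behind an SSH-1.99 prefix.
SAMPLE = b"SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924\r\n"

if __name__ == "__main__":
    banner = parse_banner(SAMPLE)
    print(banner, protocols_offered(banner), triage(banner), sep="\n")
```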