Date: Sun, 25 Mar 2001 04:34:24 -0500
From: Peter Radcliffe <pir@pir.net>
To: freebsd-stable@freebsd.org
Subject: Re: sshd revealing too much stuff.
Message-ID: <20010325043424.B19617@pir.net>
In-Reply-To: <20010325012348.A10975@xor.obsecurity.org>; from kris@obsecurity.org on Sun, Mar 25, 2001 at 01:23:48AM -0800
References: <Pine.BSF.4.21.0103232116280.8531-100000@server.highperformance.net> <3ABD9014.E78871BC@duwde.com.br> <20010325015443.A29255@home.com> <20010325032213.H255@pir.net> <20010325012348.A10975@xor.obsecurity.org>
Kris Kennaway <kris@obsecurity.org> probably said:
> Making it easy for the _administrator_ to get information that is
> useful for administration is a good thing.

This can be done without providing the same information to an attacker.

> Think about the audit for vulnerable versions of SSH using
> e.g. scanssh. How is the administrator to differentiate between the
> standard, vulnerable, version of OpenSSH 2.3.0 and the fixed,
> non-vulnerable version included in FreeBSD 4.2-STABLE unless it
> reports itself differently?

It's running ssh, it's accessible from the network. Put the changed
version string in ssh --version or similar and connect to the machine to
check it. Information does not have to be available to an attacker.

> Perhaps you're unaware of how easy it is to fingerprint an OS by
> simply examining the behaviour of the IP stack and the response to
> various packets. If you can receive *any* packets from a host you can

No, I'm perfectly aware of this. This doesn't mean I want to inform a
potential attacker exactly what sub-version of ssh I'm running, though.

> Again, fine-grained OS fingerprinting is trivial and there are many
> automated tools for doing it which work reliably, so complaining about
> this instance is just tilting at windmills.

Getting an OS version is different from getting _exactly_ which
application version is there. I've seen, and indeed use, the fine-grained
OS fingerprinting. I find that quite beside the point when talking about
application versions.

*sigh* Something else to fix every time I install a machine. Currently I
don't even use FreeBSD's OpenSSH installation since it's so out of date
anyway.

P.

-- 
pir                  pir@pir.net
                     pir@net.tufts.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
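The disagreement above is about how much the SSH identification string announces. As an added example (not from the thread or from FreeBSD's sshd), here is a small self-audit helper that parses the identification string format from RFC 4253 section 4.2 and reports whether a banner reveals only the product, the exact release, or a vendor/patch tag as well, so an administrator can check their own hosts' banners; the sample banners are constructed for illustration.

```python
import re
from typing import Dict, NamedTuple, Optional

# Identification string format (RFC 4253 section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<sw>[^ \r\n]+)"
    r"(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)
# A release number such as 2.3.0 or 3.1p1 inside the softwareversion field.
_VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+)+(?:p[0-9]+)?")


class SshBanner(NamedTuple):
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_banner(line: str) -> SshBanner:
    """Split one identification line into its three fields; reject anything else."""
    m = _BANNER_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m.group("proto"), m.group("sw"), m.group("comments"))


def disclosure_level(banner: SshBanner) -> str:
    """Least to most revealing: 'product' (implementation name only),
    'version' (name plus release number), 'vendor' (release plus a
    comments field carrying an OS/vendor/patch tag)."""
    if banner.comments:
        return "vendor"
    if _VERSION_RE.search(banner.softwareversion):
        return "version"
    return "product"


def audit(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each host name to the disclosure level of its announced banner."""
    return {host: disclosure_level(parse_banner(line)) for host, line in banners.items()}


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_2.3.0\r\n",
    "host-b": "SSH-1.99-OpenSSH_2.3.0 CONSTRUCTED-vendor-tag\r\n",
    "host-c": "SSH-2.0-OpenSSH\r\n",
}

if __name__ == "__main__":
    for host, level in audit(SAMPLE_BANNERS).items():
        print(f"{host}: {level}")
```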