From owner-freebsd-stable Sun Mar 25 1:34:29 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by hub.freebsd.org (Postfix) with ESMTP id CA8F137B71D for ; Sun, 25 Mar 2001 01:34:26 -0800 (PST) (envelope-from pir@pir.net)
Received: from pir by moek.pir.net with local (Exim) id 14h6un-0005WS-00 for freebsd-stable@freebsd.org; Sun, 25 Mar 2001 04:34:25 -0500
Date: Sun, 25 Mar 2001 04:34:24 -0500
From: Peter Radcliffe
To: freebsd-stable@freebsd.org
Subject: Re: sshd revealing too much stuff.
Message-ID: <20010325043424.B19617@pir.net>
Reply-To: freebsd-stable@freebsd.org
Mail-Followup-To: freebsd-stable@freebsd.org
References: <3ABD9014.E78871BC@duwde.com.br> <20010325015443.A29255@home.com> <20010325032213.H255@pir.net> <20010325012348.A10975@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010325012348.A10975@xor.obsecurity.org>; from kris@obsecurity.org on Sun, Mar 25, 2001 at 01:23:48AM -0800
X-fish: <
X-Copy-On-Listmail: Please do NOT Cc: me on list mail.
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Kris Kennaway probably said:
> Making it easy for the _administrator_ to get information that is
> useful for administration is a good thing.

This can be done without providing the same information to an
attacker.

> Think about the audit for vulnerable versions of SSH using
> e.g. scanssh. How is the administrator to differentiate between the
> standard, vulnerable, version of OpenSSH 2.3.0 and the fixed,
> non-vulnerable version included in FreeBSD 4.2-STABLE unless it
> reports itself differently?

It's running ssh, it's accessible from the network. Put the changed
version string in ssh --version or similar and connect to the machine
to check it. Information does not have to be available to an attacker.

> Perhaps you're unaware of how easy it is to fingerprint an OS by
> simply examining the behaviour of the IP stack and the response to
> various packets. If you can receive *any* packets from a host you can

No, I'm perfectly aware of this. This doesn't mean I want to inform a
potential attacker exactly what sub-version of ssh I'm running, though.

> Again, fine-grained OS fingerprinting is trivial and there are many
> automated tools for doing it which work reliably, so complaining about
> this instance is just tilting at windmills.

Getting an OS version is different from getting _exactly_ which
application version is there. I've seen, and indeed use, the
fine-grained OS fingerprinting. I find that quite beside the point
when talking about application versions.

*sigh* Something else to fix every time I install a machine. Currently
I don't even use FreeBSD's OpenSSH installation since it's so out of
date anyway.

P.

-- 
pir                  pir@pir.net                    pir@net.tufts.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
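
Added example, not part of the original message or the thread: an inventory check that classifies how much each sshd identification string tells an unauthenticated peer, which is the trade-off argued above (a vendor tag lets an auditor tell patched from unpatched builds, and shows the same thing to everyone else). It assumes the RFC 4253 section 4.2 banner layout; the host names and `VENDOR-PATCH-TAG` are constructed placeholders.

```python
import re

# Identification string layout (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

def parse_banner(line):
    """Split an SSH identification string into its fields, or return None."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    # Common convention: product name and release joined by an underscore.
    name, _, version = m.group("software").partition("_")
    return {
        "proto": m.group("proto"),
        "name": name,
        "version": version or None,
        "comments": m.group("comments") or None,
    }

def disclosure(fields):
    """Rank what the banner reveals before any authentication happens."""
    if fields is None:
        return "unparseable"
    if fields["comments"]:
        return "build-level"    # vendor or patch tag visible to any peer
    if fields["version"]:
        return "release-level"  # upstream release number only
    return "product-only"       # product name without a release number

def audit(banners):
    """Map host -> disclosure level for a dict of captured banners."""
    return {host: disclosure(parse_banner(b)) for host, b in banners.items()}

# Constructed sample inventory (placeholder hosts, placeholder vendor tag).
SAMPLE = {
    "host-a.example": "SSH-1.99-OpenSSH_2.3.0\r\n",
    "host-b.example": "SSH-1.99-OpenSSH_2.3.0 VENDOR-PATCH-TAG\r\n",
    "host-c.example": "SSH-2.0-OpenSSH\r\n",
    "host-d.example": "220 mail.example ESMTP\r\n",  # not an SSH service
}

if __name__ == "__main__":
    for host, level in audit(SAMPLE).items():
        print(f"{host}: {level}")
```

Hosts reported as `build-level` are the ones where the patch state is readable from the network; the alternative raised in the message is to keep that detail available only through a local or authenticated check.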