Date: Mon, 26 Mar 2001 22:49:20 -0500 From: Garance A Drosihn <drosih@rpi.edu> To: Robert Watson <rwatson@FreeBSD.ORG>, Kris Kennaway <kris@obsecurity.org> Cc: Nate Williams <nate@yogotech.com>, "Michael A. Dickerson" <mikey@singingtree.com>, "Duwde (Fabio V. Dias)" <duwde@duwde.com.br>, freebsd-security@FreeBSD.ORG Subject: Re: SSHD revelaing too much information. Message-ID: <p05010404b6e5bb325d3c@[128.113.24.47]> In-Reply-To: <Pine.NEB.3.96L.1010326205118.81313D-100000@fledge.watson.org> References: <Pine.NEB.3.96L.1010326205118.81313D-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
At 9:30 PM -0500 3/26/01, Robert Watson wrote: >OK, so I go knowingly into a heated discussion :-). And you go an ruin a good, building flame-war by bringing in facts and a reasoned analysis. Boy, what a spoil-sport... >2) Several important classes of software consumers benefit > from the explicit detailing of version information. > >A number of consumers of this banner information are present, >and they represent an important class of users. Just off the >top of my head, I can identify at least two reasons why >revealing version information is useful: One thing I was wondering is if the version information could be delayed until the user has successfully authenticated to some user on the destination host. Maybe any userid on the destination host, maybe just some specific userid(s). I think that would give the version info out to people who would have some RIGHT to know it, without leaving it out there for absolutely anyone to anonymously discover. [this delay would be an sshd configuration option, of course, so that administrators could choose the behavior they wanted] My next question is whether this version-paranoid behavior should key off some system setting (a sysctl of some sort), as perhaps there are other network-service daemons where this same issue comes up. Might as well have them all key off a single option. -- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?p05010404b6e5bb325d3c>