From owner-freebsd-security Tue Mar 27 0:55:26 2001
Date: Tue, 27 Mar 2001 00:55:03 -0800
From: "Crist J. Clark"
To: Garance A Drosihn
Cc: Robert Watson, Kris Kennaway, Nate Williams, "Michael A. Dickerson", "Duwde (Fabio V. Dias)", freebsd-security@FreeBSD.ORG
Subject: Re: SSHD revelaing too much information.
Message-ID: <20010327005503.J5425@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: ; from drosih@rpi.edu on Mon, Mar 26, 2001 at 10:49:20PM -0500

On Mon, Mar 26, 2001 at 10:49:20PM -0500, Garance A Drosihn wrote:
[snip]
> One thing I was wondering is if the version information could be
> delayed until the user has successfully authenticated to some user
> on the destination host.

SSH needs to know the version before it can negotiate the
authentication. Read the draft. Passing the version number in
plaintext at the start of the connection is not feasible to work
around and does not really get you much.

This whole thread is about if for this version string,

  OpenSSH_2.3.0 green@FreeBSD.org 20010321

The 'green@FreeBSD.org 20010321' is too much information. The
'OpenSSH_2.3.0' part is required for the protocol.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
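
The split described in the message above, as an added example that is not part of the original post: a Python parser for the SSH identification line, following the layout in RFC 4253 section 4.2 (the published form of the transport draft the message refers to). The `SSH-1.99-` prefix on the sample banner, the sample inputs and the function names are assumptions; the message quotes only the text after the prefix.

```python
import re

# Layout of the identification line (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# protoversion and softwareversion are printable US-ASCII with no space or '-'.
IDENT_RE = re.compile(r"^SSH-([!-,.-~]+)-([!-,.-~]+)(?: (.*))?$")
MAX_IDENT_LEN = 255  # the limit includes the trailing CR LF

# Constructed samples: the "SSH-1.99-" prefix is assumed, the rest is the
# version string quoted in the message.
SAMPLE_WITH_COMMENT = b"SSH-1.99-OpenSSH_2.3.0 green@FreeBSD.org 20010321\r\n"
SAMPLE_BARE = b"SSH-1.99-OpenSSH_2.3.0\r\n"


def parse_ident(stream: bytes) -> dict:
    """Return the fields of the first SSH identification line in `stream`."""
    for raw in stream.split(b"\n"):
        if not raw.startswith(b"SSH-"):
            continue  # a server may send other text lines before the ident line
        if len(raw) + 1 > MAX_IDENT_LEN:  # +1 for the LF removed by split()
            raise ValueError("identification string longer than 255 bytes")
        line = raw.rstrip(b"\r").decode("ascii")
        m = IDENT_RE.match(line)
        if m is None:
            raise ValueError("malformed identification string: %r" % line)
        proto, software, comments = m.groups()
        return {"proto": proto, "software": software, "comments": comments}
    raise ValueError("no identification string found")


def audit(stream: bytes) -> dict:
    """Split a banner into the part the protocol needs and the optional rest."""
    ident = parse_ident(stream)
    required = "SSH-%s-%s" % (ident["proto"], ident["software"])
    # Everything after the first space is the free-form comments field; the
    # peer does not need it to negotiate, so it is the only removable part.
    return {"required": required, "optional": ident["comments"]}


if __name__ == "__main__":
    for banner in (SAMPLE_WITH_COMMENT, SAMPLE_BARE):
        print(audit(banner))
```
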