Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 27 Mar 2001 16:27:55 -0600
From:      "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To:        Garance A Drosihn <drosih@rpi.edu>
Cc:        security@FreeBSD.ORG
Subject:   Re: SSHD revelaing too much information.
Message-ID:  <4.3.2.20010327160147.02c1b6c0@207.227.119.2>
In-Reply-To: <p05010407b6e693b73e7c@[128.113.24.47]>
References:  <20010327005503.J5425@rfx-216-196-73-168.users.reflex> <Pine.NEB.3.96L.1010326205118.81313D-100000@fledge.watson.org> <p05010404b6e5bb325d3c@[128.113.24.47]> <20010327005503.J5425@rfx-216-196-73-168.users.reflex>

next in thread | previous in thread | raw e-mail | index | archive | help
At 02:08 PM 3/27/01 -0500, Garance A Drosihn wrote:

CC;s trimmed...

>>The 'green@FreeBSD.org 20010321' is too much information. The
>>'OpenSSH_2.3.0' part is required for the protocol.
>
>My apologies, I worded that really stupidly.  At the very
>least, there should have been an 'extra' in what I said...
>
>My thought was that the EXTRA version information would be
>displayed after authentication was complete.  Ie, send the
>'OpenSSH_2.3.0' part where the protocol needs it, and send
>the 'green@FreeBSD.org 20010321' part (perhaps with even
>more details) in the output of '-v'.  I've been doing a
>lot of 'ssh -v'-ing lately, as I set up some new hosts,
>so this seemed an obvious way to make the info available.
>The EXTRA info, I mean...  :-)
>
>The idea would be to give administrators the ability to
>easily determine the precise version info, without giving
>"unknown outsiders" (ie, unauthenticated connections)
>that information.

You also forget the point that the extra information means it isn't a 
vulnerable version, which it would be without the patches.  Thus moving 
that information later would mean a potential attacker might think "Hey, 
this system is vulnerable..." and try to exploit a hole that has been 
plugged.  Believe doing this would annoy far more people than those that 
are complaining about the information.  Blah!

Displaying the extra version string info later on would be pointless, not 
to mention require the "normal" version string, and a lot of work for a 
false sense of security.

Personally think that if you don't like the version string for any service 
then it is up to the person that doesn't want it to alter the source 
themselves.  Anything else is just a waste of developer time.


Something that no has pointed out yet is that if you try to limit the 
information the system displays or not for that matter, you might attract 
the attention of someone that likes a challenge.  Sure there are far more 
script kiddies, but would lump the obscurity idea along with boasting a 
system is not vulnerable.  Bragging might attract the wrong types to test 
the truth of such a statement.  For certain that might help when it turns 
out it isn't true, but would be a hassle regardless.

I'm for limiting information to an extent.  However, it seems this and 
similar ideas are argued by those that cannot do the work themselves or are 
too lazy to bother.  There is also the law of diminishing returns, which 
IMO such time would be better spent elsewhere than trying to hide behind 
minimal information or talking about such things and not offering up any 
patches.  In this case to the OpenSSL folks, so that they do not have to be 
maintained locally by the maintainer.


Thinking at times there should be a security methodology list...


Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.20010327160147.02c1b6c0>