bugzilla-daemon at mindrot.org
2002-Feb-01 22:15 UTC
[Bug 94] Userdefineable identification string
http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From jprondak at visualmedia.com 2002-02-02 09:15 -------

Created an attachment (id=17)
Patch to sshd to allow a userdefinable identification string

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-Feb-01 22:52 UTC
[Bug 94] Userdefineable identification string
http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From djm at mindrot.org 2002-02-02 09:51 -------

The identity string is used for bug/feature compatibility. As the protocol spec is not an RFC yet, it may also be needed in future. Have a look at compat.c
bugzilla-daemon at mindrot.org
2002-Feb-03 17:12 UTC
[Bug 94] Userdefineable identification string
http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From markus at openbsd.org 2002-02-04 04:12 -------

i don't see why the version string should be changed. it's used for bug-detection. if we are bug free, then we can have a fixed version string.
bugzilla-daemon at mindrot.org
2002-Feb-04 16:51 UTC
[Bug 94] Userdefineable identification string
http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From jprondak at visualmedia.com 2002-02-05 03:51 -------

The word is *if*.

Secondly, I have had requests from some of my clients for the ability to change both the version and comment string(s). The version string for the sole purpose of hiding the version in the event of a security hole, similarly to the way, say, bind or sendmail does. If other standards do, why not openssh?

As for the comment string, this is not all that far fetched. I have the need to put information about an installation (i.e. internal version number, say for a company's internal package version, or for describing additional options.. gssapi?). In large environments it is hard to keep every machine up to date, let alone making a perfect installation. So one can have used openssh 3.0.2p1 but had multiple revisions of the package. A quick way to audit said installation(s) would be to look at the comment field, and then use something like scanssh to gather the information.
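To make the two positions in this thread concrete: djm points at compat.c, where the peer's identification string drives bug-compatibility workarounds, and jprondak wants the comment field usable for fleet inventory. The following is an added example written for this archive page, not OpenSSH code. It parses identification strings in the SSH-2 banner format ("SSH-protoversion-softwareversion SP comments"), applies a compat-style glob table to the software version, and groups scan results by comment field. The compat table, the flag names, the hosts and the banners are all constructed placeholders; the real compat.c table and exactly which part of the banner it matches are not reproduced here.

```python
"""Parse SSH identification strings, apply compat-style matching, audit by comment.

Added illustration for the Bug 94 discussion; not OpenSSH code.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class SshIdent:
    proto: str                 # e.g. "2.0" or "1.99"
    software: str              # e.g. "OpenSSH_3.0.2p1"
    comments: Optional[str]    # optional free text after the first space


def parse_ident(line: str) -> SshIdent:
    """Split 'SSH-2.0-OpenSSH_3.0.2p1 pkg-rev-3' into its three parts.

    The software version ends at the first space; everything after it is
    the comment field the thread proposes to make configurable.
    """
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {line!r}")
    head, _, comments = line.partition(" ")
    parts = head.split("-", 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError(f"malformed identification string: {line!r}")
    return SshIdent(proto=parts[1], software=parts[2], comments=comments or None)


# Constructed compat table: (glob on the software version, workaround flags).
# These entries are invented placeholders showing the mechanism only; they are
# not OpenSSH's compat.c data.
COMPAT_TABLE = (
    ("ExampleServer_1.*", {"BUG_EXAMPLE_PADDING"}),
    ("ExampleServer_2.0", {"BUG_EXAMPLE_PADDING", "BUG_EXAMPLE_MAC"}),
    ("OpenSSH_2.[0-9]*", {"OLD_EXAMPLE_SESSIONID"}),
)


def compat_flags(ident: SshIdent) -> set[str]:
    """Return the workaround flags selected for the peer's software version.

    A changed version string falls through the table and gets no workarounds,
    which is the interoperability cost the developers object to. In this
    simplified model the comment field is not consulted (an assumption of the
    example, not a statement about compat.c).
    """
    for pattern, flags in COMPAT_TABLE:
        if fnmatchcase(ident.software, pattern):
            return set(flags)
    return set()


def audit_by_comment(scan: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hosts by comment field, the package-revision audit jprondak describes."""
    groups: dict[str, list[str]] = {}
    for host, banner in scan:
        ident = parse_ident(banner)
        key = ident.comments if ident.comments is not None else "(none)"
        groups.setdefault(key, []).append(host)
    return groups


# Constructed scan output (hosts and banners are made up for the example).
SAMPLE_SCAN = [
    ("10.0.0.1", "SSH-2.0-OpenSSH_3.0.2p1 pkg-rev-3\r\n"),
    ("10.0.0.2", "SSH-2.0-OpenSSH_3.0.2p1 pkg-rev-3\r\n"),
    ("10.0.0.3", "SSH-2.0-OpenSSH_3.0.2p1 pkg-rev-4\r\n"),
    ("10.0.0.4", "SSH-1.99-OpenSSH_3.0.2p1\r\n"),
]

if __name__ == "__main__":
    for host, banner in SAMPLE_SCAN:
        ident = parse_ident(banner)
        print(host, ident.software, ident.comments, sorted(compat_flags(ident)))
    print(audit_by_comment(SAMPLE_SCAN))
```

The audit groups by the comment field alone, so it works whether or not the version string is ever made configurable, which is the compromise jprondak arrives at later in the thread.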
bugzilla-daemon at mindrot.org
2002-Feb-04 17:07 UTC
[Bug 94] Userdefineable identification string
http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From markus at openbsd.org 2002-02-05 04:07 -------

why should we encourage people to run a broken version of openssh? why not edit version.h and include this information at compile time? if you have a revision of your modified sshd you will have to recompile anyway. changing version.h will possibly break compatibility.
bugzilla-daemon at mindrot.org
2002-Feb-04 18:55 UTC
[Bug 94] Userdefineable identification string
http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From jprondak at visualmedia.com 2002-02-05 05:55 -------

> why should we encourage people to run a broken version of openssh?

Why do you think it is broken?.. or is the compatibility handling just broken.

> why not edit version.h and include this information at compile time?

Why do you have to recompile?? That is where the term "runtime options" comes from. Fine. We disagree with the version string. But, the comment should be at least user configurable.

> if you have a revision of your modified sshd you will have to recompile anyway.

No... who says that you can't change just the config files and make a new package?
bugzilla-daemon at mindrot.org
2002-Feb-04 19:24 UTC
[Bug 94] Userdefineable identification string
http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From jprondak at visualmedia.com 2002-02-05 06:24 -------

I agree that the "version" string would/could cause problems with compatibility. So I will drop the "version" string. The comment is another matter. What are your thoughts on generalizing the compat stuff.. maybe making it runtime and not compile time?
bugzilla-daemon at mindrot.org
2002-Feb-04 20:43 UTC
[Bug 94] Userdefineable identification string
http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From markus at openbsd.org 2002-02-05 07:43 -------

i don't understand how moving compat.c would simplify the code or simplify handling. i prefer each version of openssh have a fixed and defined behaviour.
bugzilla-daemon at mindrot.org
2002-Feb-05 00:02 UTC
[Bug 94] Userdefineable identification string
http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From djm at mindrot.org 2002-02-05 11:02 -------

This patch adds obscurity at best, it doesn't help security at all. In fact, it encourages people not to upgrade their vulnerable servers. The attackers won't care about a faked version - they'll just try their exploits regardless (in fact weird protocol ident strings would make me more interested).

On top of this, it ruins any chance of being able to interop should we find protocol bugs or if the wire spec changes again.

Making the compat stuff runtime may be a good idea for other reasons, but not to support silly hacks like this.
bugzilla-daemon at mindrot.org
2002-Feb-22 18:45 UTC
[Bug 94] Userdefineable identification string
http://bugzilla.mindrot.org/show_bug.cgi?id=94

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From markus at openbsd.org 2002-02-23 05:45 -------

after some discussion we decided that this won't happen.