Hello programmers, hello maintainers!

Like most of the old smtp servers (e.g. sendmail), ssh servers make it pretty easy for an attacker to get the name of the software and its version:

> badboy:~ > telnet niceboy 22
> Trying a.b.c.d...
> Connected to localhost.
> Escape character is '^]'.
> SSH-2.0-OpenSSH_3.6.1p2
> ^]
> telnet> close
> Connection closed.

I am not a friend of "security through obscurity", but I think each administrator should have the choice to decide whether this sensitive information should be freely available or not. So I wrote a small patch (see attached file).

The patch introduces the new parameter "WelcomeFile" to the configuration file. Only if this parameter points to a valid file, openssh reads a welcome message up to 128 characters out of it and displays it at the identification exchange, e.g.:

> badboy:~ > telnet niceboy 22
> Trying a.b.c.d...
> Connected to localhost.
> Escape character is '^]'.
> SSH-2.0-Why should I tell you?
> ^]
> telnet> close
> Connection closed.

If WelcomeFile is not set or if some error occurs while trying to read the file, the good old SSH_VERSION is printed out.

If you - dear maintainers - think this is worth completing, please let me know. I'll then write some docu and/or change some things as you think it's best.

Greetings
Mark

Attachment: patch-mse, http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030711/61e0aef2/attachment.ksh
On Fri, Jul 11, 2003 at 01:22:44PM +0200, Mark Semmler wrote:
> Hello programmers, hello maintainers!
>
> The patch introduces the new parameter "WelcomeFile" to the
> configuration file. Only if this parameter points to a valid file,
> openssh reads a welcome message up to 128 characters out of it and
> displays it at the identification exchange, e.g.:
>
> If you - dear maintainers - think this is worth completing, please
> let me know. I'll then write some docu and/or change some things as
> you think it's best.

Is this dumb ideas week on openssh-unix-dev or am I just reading it for once? This has been discussed to death, and is a *really* bad idea for interoperability, and adds no security advantage.

Andrew Bartlett
Mark Semmler wrote:
> I am not a friend of "security through obscurity", but I think each
> administrator should have the choice to decide whether this sensitive
> information should be freely available or not. So I wrote a small patch
> (see attached file).

Good luck to you, but this has been done to death a couple of times before and the consensus is that this isn't going to happen. You're not adding much if any security (an attacker can just try *all* the exploits they have) and increasing the chances of interoperability problems. See http://bugzilla.mindrot.org/show_bug.cgi?id=94

> The patch introduces the new parameter "WelcomeFile" to the
> configuration file. Only if this parameter points to a valid file,
> openssh reads a welcome message up to 128 characters out of it and
> displays it at the identification exchange, e.g.:

Do you violate the protocol if you have 2 newlines in those 128 characters? Why not just have your string in the config file? (It would be less code.)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
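Darren's question about two newlines, and the interoperability objection in general, both come down to the grammar of the identification string: `SSH-protoversion-softwareversion [SP comments] CR LF`, at most 255 bytes, with no whitespace or minus sign in protoversion/softwareversion (the secsh transport draft of the time, later standardized as RFC 4253, section 4.2). The Python below is an added example, not code from this thread or from OpenSSH. `make_banner()` is a hypothetical, simplified model of the WelcomeFile idea (the string "SSH-2.0-" followed by the first 128 bytes of the file); `check_identification()` reports the protocol violations a reviewer would look for, and `parse_identification()` shows what a client actually extracts from a given banner, including the fact that "Why should I tell you?" yields a softwareversion of "Why" with the rest as comments, and that a file with embedded newlines leaves bytes over that the client then reads as the start of the binary packet stream.

```python
"""Check SSH-2 identification strings against the grammar of RFC 4253, section 4.2.

Added example, not code from the thread or from OpenSSH. make_banner() is a
hypothetical, simplified model of the proposed WelcomeFile behaviour; the
real patch is not reproduced here.
"""
import re

# RFC 4253 4.2: at most 255 bytes including the terminating CR LF.
MAX_IDENT_LEN = 255

# SSH-protoversion-softwareversion [SP comments]
# protoversion and softwareversion are printable US-ASCII with no whitespace
# and no '-' (0x2d), so the character class below skips 0x2d.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[\x21-\x2c\x2e-\x7e]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    r"(?: (?P<comments>[\x20-\x7e]*))?$"
)


def make_banner(welcome: bytes) -> bytes:
    """Hypothetical model of the WelcomeFile idea: 'SSH-2.0-' plus the first
    128 bytes of the file. 8 + 128 + 2 stays under the 255-byte limit, so
    length is never the problem here; embedded line breaks are."""
    return b"SSH-2.0-" + welcome[:128] + b"\r\n"


def check_identification(line: bytes) -> list:
    """Return the protocol problems found in a server identification line.
    An empty list means the line is conformant."""
    problems = []
    if len(line) > MAX_IDENT_LEN:
        problems.append("%d bytes, limit is %d including CR LF" % (len(line), MAX_IDENT_LEN))
    if not line.endswith(b"\r\n"):
        problems.append("must be terminated by CR LF")
    body = line[:-2] if line.endswith(b"\r\n") else line.rstrip(b"\r\n")
    if b"\r" in body or b"\n" in body:
        # The peer reads only up to the first line break; everything after it
        # is consumed as the start of the binary packet stream.
        problems.append("embedded line break inside the identification string")
        return problems
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        problems.append("non-ASCII bytes in identification string")
        return problems
    m = _IDENT_RE.match(text)
    if m is None:
        problems.append("does not match SSH-protoversion-softwareversion [SP comments]")
    elif m.group("proto") != "2.0":
        problems.append("protoversion %r is not 2.0" % m.group("proto"))
    return problems


def parse_identification(data: bytes) -> dict:
    """Split what the server sent the way a client does: the first line is
    the identification string (minus CR LF it is also V_S in the key-exchange
    hash, so both sides must agree on it byte for byte); anything after the
    first line break is left over for the packet layer."""
    first, _, leftover = data.partition(b"\n")
    text = first.rstrip(b"\r").decode("ascii", errors="replace")
    m = _IDENT_RE.match(text)
    if m is None:
        raise ValueError("not an identification string: %r" % text)
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments"),
        "leftover": leftover,
    }


if __name__ == "__main__":
    # Constructed inputs: the stock banner, the banner from the thread, and a
    # WelcomeFile whose contents contain two newlines.
    for welcome in (b"OpenSSH_3.6.1p2",
                    b"Why should I tell you?",
                    b"Why should I\ntell you?\n"):
        line = make_banner(welcome)
        print(repr(line), "->", check_identification(line) or "OK")
        print("   client sees:", parse_identification(line))
```

Run as a script it prints each constructed banner, the problems found, and what a client would parse from it; the two-newline case is flagged, and the parse shows `b"tell you?\n\r\n"` left over after the identification line. This is the check a reviewer would want an option like WelcomeFile to enforce before the string ever reaches the wire, which is also why a single string in the config file (as Darren suggests) is easier to validate than arbitrary file contents.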