Jakub Jelen
2016-Aug-08 07:24 UTC
ssh(d) identification string in portable (clarification)
Hello all,

We got a report [1] that we miss the "p1" suffix in the sshd identification strings in Fedora. I dug in and found out that it is also missing from portable upstream since 2004, when you were rewriting the version.h header file with this information.

Debian somehow patched this information back during the time in some places (ssh_api.c is missing).

It does not look like an intention to remove the release version information [2]. Can you clarify?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1364595
[2] https://github.com/openssh/openssh-portable/commit/2aa6d3cf

Regards,
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
Daniel Kahn Gillmor
2016-Aug-08 21:21 UTC
ssh(d) identification string in portable (clarification)
On Mon 2016-08-08 03:24:36 -0400, Jakub Jelen wrote:
> We got a report [1] that we miss the "p1" suffix in the sshd identification
> strings in Fedora. I dug in and found out that it is also missing from
> portable upstream since 2004, when you were rewriting the version.h header
> file with this information.
>
> Debian somehow patched this information back during the time in some
> places (ssh_api.c is missing).

this is arguably a (very old) bug in debian:

  https://bugs.debian.org/130876
  https://bugs.debian.org/774410

> It does not look like an intention to remove the release version
> information [2]. Can you clarify?
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1364595
> [2] https://github.com/openssh/openssh-portable/commit/2aa6d3cf

The synopsis of that changeset comment (by Damien Miller) is:

  Don't divulge portable version in protocol

That seems like a pretty clear intent. (and fwiw, i think it's the right thing to do)

--dkg
Darren Tucker
2016-Aug-08 23:50 UTC
ssh(d) identification string in portable (clarification)
On Tue, Aug 9, 2016 at 7:21 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
[...]
> That seems like a pretty clear intent. (and fwiw, i think it's the
> right thing to do)

There is the VersionAddendum sshd_config option, however it prepends a space. Perhaps it shouldn't, and anything that actually wants the space can supply that itself (ie 'VersionAddendum p2' vs 'VersionAddendum " someotherstring"').

IMO a security tool taking the over-the-wire banner as the authoritative test about whether a problem does or does not exist isn't wise.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
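Editor's added example (not part of the thread and not OpenSSH project code): a small parser for the RFC 4253 identification string that shows why the banner is a weak basis for a version check. The three sample banners are constructed to match what the thread describes: portable upstream sending no "pN" suffix, a distribution patching the suffix back into the software version, and "VersionAddendum p2" landing after the space that sshd prepends. The "Distro-1" comment text is a made-up placeholder.

```python
"""Parse SSH identification strings (RFC 4253 section 4.2) and locate the
portable "pN" release suffix, if the banner carries one at all.

Added example; not code from the OpenSSH project or from the thread's authors.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 4253: "SSH-protoversion-softwareversion SP comments CR LF".
# protoversion contains no whitespace and no '-'. The RFC forbids '-' in
# softwareversion too, but some implementations use it, so be lenient there.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^\s-]+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)

# OpenSSH_<release>[p<N>][anything else], e.g. OpenSSH_7.2 or OpenSSH_7.2p2
_OPENSSH_RE = re.compile(r"^OpenSSH_(?P<release>\d+\.\d+)(?P<portable>p\d+)?(?P<extra>.*)$")


@dataclass
class Banner:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_banner(line: str) -> Banner:
    """Split one identification string into its RFC 4253 fields."""
    m = _BANNER_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m.group("proto"), m.group("software"), m.group("comments"))


def openssh_release(b: Banner) -> Optional[str]:
    """Upstream release number ('7.2') if softwareversion is OpenSSH, else None."""
    m = _OPENSSH_RE.match(b.softwareversion)
    return m.group("release") if m else None


def portable_suffix(b: Banner) -> Optional[Tuple[str, str]]:
    """Where the portable 'pN' suffix appears: ('softwareversion', 'p2'),
    ('comments', 'p2'), or None when the banner does not carry it."""
    m = _OPENSSH_RE.match(b.softwareversion)
    if m and m.group("portable"):
        return ("softwareversion", m.group("portable"))
    # sshd's VersionAddendum is appended after a space, so its text parses as
    # the RFC 4253 comments field rather than as part of softwareversion.
    if b.comments:
        for token in b.comments.split():
            if re.fullmatch(r"p\d+", token):
                return ("comments", token)
    return None


def summarize(line: str) -> dict:
    """One-line view of what a banner does and does not reveal."""
    b = parse_banner(line)
    return {
        "proto": b.protoversion,
        "release": openssh_release(b),
        "portable": portable_suffix(b),
        "comments": b.comments,
    }


# Constructed sample banners; "Distro-1" is a placeholder comment string.
SAMPLES = {
    "portable_default": "SSH-2.0-OpenSSH_7.2\r\n",           # portable upstream: no pN
    "distro_patched":   "SSH-2.0-OpenSSH_7.2p2 Distro-1\r\n",  # distro patched pN back
    "version_addendum": "SSH-2.0-OpenSSH_7.2 p2\r\n",         # VersionAddendum p2 (leading space)
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:17s} {summarize(line)}")
```

The same 7.2p2 release shows up as three different banners, and in one of them the suffix is only recoverable from the comments field, which is exactly the kind of ambiguity that makes the banner a poor "authoritative test" for whether a fix is present; a defender wanting certainty should check the installed package or build rather than the wire string.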
Jakub Jelen
2016-Aug-10 06:28 UTC
ssh(d) identification string in portable (clarification)
On 08/08/2016 11:21 PM, Daniel Kahn Gillmor wrote:
> The synopsis of that changeset comment (by Damien Miller) is:
>
>   Don't divulge portable version in protocol
>
> That seems like a pretty clear intent. (and fwiw, i think it's the
> right thing to do)

Thank you for the answers. It seems like I should improve my English vocabulary, or at least be more critical of my instinct when coming to new words, especially on Monday morning.

Jakub