Jochen Bern
2019-Feb-20 10:59 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
On 02/20/2019 07:51 AM, Mark D. Baushke wrote:
> There are just too many cases where both OpenSSH interoperating with
> itself as well as other SSH implementations have needed this version
> number to properly deal with bugs in the code via negotiations.

FWIW, and without dismissing the possibility of fingerprinting a server in other ways, the fact that clients that *can* pass authentication have a need to know the server's version number (and vice versa) does not necessarily imply that that information needs to be passed in the *public* part of the protocol ...

Regards,
--
Jochen Bern
Systemingenieur
www.binect.de www.facebook.de/binect
Gert Doering
2019-Feb-20 11:17 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
Hi,

On Wed, Feb 20, 2019 at 10:59:19AM +0000, Jochen Bern wrote:
> FWIW, and without dismissing the possibility of fingerprinting a server
> in other ways, the fact that clients that *can* pass authentication have
> a need to know the server's version number (and vice versa) does not
> necessarily imply that that information needs to be passed in the
> *public* part of the protocol ...

You missed the parts about "working around implementation kinks that the clients can know by looking at the version string". Like, "if we send <this> key exchange now, the connection will be lost".

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
Stuart Henderson
2019-Feb-20 11:18 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
On 2019/02/20 10:59, Jochen Bern wrote:
> On 02/20/2019 07:51 AM, Mark D. Baushke wrote:
> > There are just too many cases where both OpenSSH interoperating with
> > itself as well as other SSH implementations have needed this version
> > number to properly deal with bugs in the code via negotiations.
>
> FWIW, and without dismissing the possibility of fingerprinting a server
> in other ways, the fact that clients that *can* pass authentication have
> a need to know the server's version number (and vice versa) does not
> necessarily imply that that information needs to be passed in the
> *public* part of the protocol ...

Some of the compat code is pre-authentication. It is required to have the version number early.
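As an added illustration of the pre-authentication compat lookup that Gert and Stuart describe (example code written for this thread, not code from the thread or from OpenSSH; the vendor names, bug flags and compat table are constructed): the peer's identification string is parsed before the first KEXINIT, and the only thing the lookup can key on at that point is the software version field. A peer that blanks that field simply gets no workaround.

```python
import fnmatch
import re

# RFC 4253 sec. 4.2: identification string sent by each side before key exchange,
# i.e. long before any authentication happens.
#   SSH-protoversion-softwareversion SP comments CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")

# Constructed compatibility table for this example (NOT OpenSSH's compat.c):
# glob pattern on softwareversion -> workarounds to enable for that peer.
COMPAT_TABLE = [
    ("OldVendorSSH_1.*", {"BUG_NO_REKEY"}),
    ("OldVendorSSH_2.[0-3]*", {"BUG_NO_REKEY", "BUG_KEX_CURVE25519_DROPS"}),
    ("LegacyBox_*", {"BUG_KEX_CURVE25519_DROPS"}),
]


def parse_banner(line: bytes) -> dict:
    """Parse a peer's identification line; reject anything that is not a valid banner."""
    text = line.rstrip(b"\r\n").decode("ascii")  # non-ASCII raises (a ValueError subclass)
    m = BANNER_RE.match(text)
    if m is None:
        raise ValueError("malformed identification string: %r" % text)
    return m.groupdict()


def compat_flags(software: str) -> set:
    """Look up workarounds keyed on the software version string alone."""
    flags = set()
    for pattern, bugs in COMPAT_TABLE:
        if fnmatch.fnmatchcase(software, pattern):
            flags |= bugs
    return flags


def kex_proposal(peer_banner: bytes, preferred: tuple) -> list:
    """Build our KEXINIT algorithm list for this peer. This runs before KEXINIT,
    so the banner is the only information about the peer we have at this point."""
    info = parse_banner(peer_banner)
    if info["proto"] not in ("2.0", "1.99"):
        raise ValueError("unsupported protocol version %s" % info["proto"])
    flags = compat_flags(info["software"])
    proposal = list(preferred)
    if "BUG_KEX_CURVE25519_DROPS" in flags:
        # hypothetical peer bug: offering this method makes it close the connection
        proposal = [k for k in proposal if not k.startswith("curve25519-")]
    return proposal
```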
David Newall
2019-Feb-20 11:26 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
I'm surprised by how many otherwise sensible and clueful people think that security through obscurity is a good idea. Hiding the version number will not prevent adversaries from discovering the version number. The correct strategy, from a security point of view, is to bloody well fix security problems quick smart!
Michael Stone
2019-Feb-21 17:26 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
On Wed, Feb 20, 2019 at 09:56:02PM +1030, David Newall wrote:
> I'm surprised by how many otherwise sensible and clueful people think
> that security through obscurity is a good idea. Hiding the version
> number will not prevent adversaries from discovering the version
> number.

IME, it's more common for exploits to just throw stuff against a wall and not care much about the version at all. Basically, hiding the version number mostly causes problems only for legitimate uses.