Hi,

in the iptables subsystem of Linux it's possible to get the fingerprint of the peer OS.
See:

man iptables-extensions
under osf

If this information is available it's possible to adjust behaviour (a little) to meet the peer's flaws and maybe bugs. Have you ever thought about that?

Stef
the Netherlands
On Sun, 21 Feb 2021 at 16:45, Stef Bon <stefbon at gmail.com> wrote:
> If this information is available it's possible to adjust behaviour (a
> little) to meet the peer's flaws and maybe bugs. Have you ever thought
> about that?

a) that's quite platform specific and b) even if you got the information I doubt it would be of use. The operating system is at best a weak indicator of what the peer SSH implementation is, and the implementations are where the bugs/flaws you would potentially want to work around are. Multiple SSH implementations run on Linux. Dropbear has been ported to many of the same platforms as OpenSSH and often the choice is up to each individual user. PuTTY is probably the most popular SSH client implementation on Windows, but OpenSSH has also been ported to Windows multiple times in multiple ways; by the same token PuTTY has been ported to many Unix variants including Linux.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On 2021/02/21 06:37, Stef Bon wrote:
> Hi,
>
> in the iptables subsystem of Linux it's possible to get the
> fingerprint of the peer OS.
> See:
>
> man iptables-extensions
> under osf
>
> If this information is available it's possible to adjust behaviour (a
> little) to meet the peer's flaws and maybe bugs. Have you ever thought
> about that?
>
> Stef
> the Netherlands

If you want to make use of this information, you can redirect to different ports depending on the OS type, and run multiple sshd instances with different configuration. I can't really think of anything you might want to do with it though (other than outright blocking access from unwanted / unexpected OS)..
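The per-OS port redirect described in the reply above, written out as an added example (not code from the thread or from the OpenSSH project). It assumes the stock iptables `osf` match with its fingerprint database loaded from `/usr/share/xtables/pf.os` via `nfnl_osf`, a default sshd on port 22, and hypothetical extra sshd instances on the ports given in the `genre:port` mapping; `DRY_RUN=1` (the default) prints the rules instead of applying them.

```shell
#!/bin/sh
# Steer incoming SSH connections to a differently configured sshd instance
# based on the passive OS fingerprint of the peer's SYN packet.
# The osf match only inspects SYN packets, so the rule has to live in
# nat/PREROUTING, where REDIRECT fixes the destination port for the whole
# connection. "--ttl 2" disables the TTL check, which would otherwise make
# fingerprints fail for peers behind NAT or routers that rewrite the TTL.
# Assumptions (not from the thread): sshd listens on 22, extra instances on
# the ports passed in, and pf.os is at /usr/share/xtables/pf.os.

SSH_PORT="${SSH_PORT:-22}"
PF_OS="${PF_OS:-/usr/share/xtables/pf.os}"

# Build one rule as a string so it can be reviewed before it is applied.
# $1 = genre name as listed in pf.os (e.g. Windows, Linux), $2 = target port.
osf_redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -m osf --genre %s --ttl 2 -j REDIRECT --to-ports %s\n' \
        "$SSH_PORT" "$1" "$2"
}

# Emit the full command list for a set of genre:port pairs. The fingerprint
# database is loaded first; without it every --genre match silently fails.
osf_ruleset() {
    echo "nfnl_osf -f $PF_OS"
    for pair in "$@"; do
        osf_redirect_rule "${pair%%:*}" "${pair#*:}"
    done
}

# Print the rules (DRY_RUN=1) or feed them to a shell that stops on the
# first failure. Usage: apply_osf_ruleset Windows:2222 OpenBSD:2223
apply_osf_ruleset() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        osf_ruleset "$@"
    else
        osf_ruleset "$@" | sh -e
    fi
}
```

Peers whose SYN matches no genre fall through to the default sshd on port 22, so an unknown fingerprint never locks anyone out.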
On 21.02.21 06:37, Stef Bon wrote:
> Hi,
>
> in the iptables subsystem of Linux it's possible to get the
> fingerprint of the peer OS.
> See:
>
> man iptables-extensions
> under osf
>
> If this information is available it's possible to adjust behaviour (a
> little) to meet the peer's flaws and maybe bugs. Have you ever thought
> about that?

My - admittedly first ever - thoughts on that:

-- Doesn't OpenSSH already parse the peer's Hello String for that purpose?
-- (The possibility of SSH software other than the OS default being installed has already been mentioned)
-- osf can also differ from defaults (own fingerprint files being loaded, --ttl param etc.)
-- Just because the kernel('s iptables implementation) has that info doesn't mean that ssh(d) can easily get it
-- Not to forget non-Linux systems ...

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
On Mon, 22 Feb 2021 at 10:56, Jochen Bern <Jochen.Bern at binect.de> wrote:
>
> My - admittedly first ever - thoughts on that:
>
> -- Doesn't OpenSSH already parse the peer's Hello String for that
> purpose?

No, as far as I know that is only the software and version, not the OS.

> -- (The possibility of SSH software other than the OS default being
> installed has already been mentioned)
> -- osf can also differ from defaults (own fingerprint files being
> loaded, --ttl param etc.)

Huh, what do you mean Jochen? You know something about this software?

> -- Just because the kernel('s iptables implementation) has that info
> doesn't mean that ssh(d) can easily get it

No, but the creators/maintainers of the osf submodule of iptables probably had other uses in mind than only logging... So something like netlink? Not easy indeed.

> -- Not to forget non-Linux systems ...

Yes. It only works with iptables being present as far as I can see.

Thanks for your thoughts.

Stef Bon