Matthew Seaman wrote:

On Mon, Mar 29, 2004 at 10:32:42AM +0100, Danny Woods wrote:


Hi all,

I upgraded from 5.1 to 5.2.1p3 over the weekend, and finished off with a Nessus
scan to check that ssh was the only port visible to the outside world. Despite
a recent (i.e. last Thursday) cvsup to sync the source tree, I'm getting a
high severity warning about a hole in SSH based on the version number reported
(3.6.1p1 FreeBSD-20030924). I'm using the core ssh, not the version from ports.
Does anyone know if this problem is real, or a false-positive?



It's false. I assume it's complaining about the problems described in ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:15.openssh.asc as that's the last OpenSSH advisory published. (Not to be confused with the recent OpenSSL advisory). The security patches supplied fix the vulnerabilities, but they generally don't do that by supplying a whole new version of an application. Import of new versions of such things as OpenSSH will only happen on one of the development branches -- ie. HEAD (5-CURRENT) or RELENG_4 (4.9-STABLE), so RELENG_5_2 will stick with OpenSSH-3.6.1p1 and you'll have to wait until RELENG_5_3 in order to upgrade to OpenSSH-3.8p1 (or whatever the OpenSSH version is by the time 5.3-RELEASE comes out).



As an aside, can sshd be prevented from reporting its version number on
connect, or is this something that a client-app needs to know?



The client app needs to know the version of the SSH protocol you're running -- that it gets from the 'SSH-1.99' part at the beginning of the banner ssh emits when you connect to port 22. The rest of what's printed there is not so important. Apart from the 'version addendum' part, you'ld have to hack the source code and recompile to chage what's printed.

Cheers,

Matthew



you can also change the version sshd displays by editing carefuly the binary (vi `which sshd`) directly with a suitable editor, you can just replace 3.6.1p1 with 3.8.1p1 there and restart sshd (killall -HUP sshd). But my opinion is that will just give you a false state of security, as a script kiddie could just ./run all of his exploits not looking at the version of your sshd. A good thing is to bind sshd to different port (higher) like 45622 for example which would probably avoid automatic scans of the network... Be creative! ;-)

regards,
Georgi Alexandrov

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to