Kris Kennaway <[EMAIL PROTECTED]> probably said:
> Making it easy for the _administrator_ to get information that is
> useful for administration is a good thing. 

This can be done without providing the same information to an
attacker.

> Think about the audit for vulnerable versions of SSH using
> e.g. scanssh.  How is the administrator to differentiate between the
> standard, vulnerable, version of OpenSSH 2.3.0 and the fixed,
> non-vulnerable version included in FreeBSD 4.2-STABLE unless it
> reports itself differently?

It's running ssh, it's accessible from the network. Put the changed
version string in ssh --version or similar and connect to the machine
to check it. Information does not have to be available to an attacker.

> Perhaps you're unaware of how easy it is to fingerprint an OS by
> simply examining the behaviour of the IP stack and the response to
> various packets.  If you can receive *any* packets from a host you can

No, I'm perfectly aware of this. This doesn't mean I want to inform a
potential attacker exactly what sub-version of ssh I'm running,
though.

> Again, fine-grained OS fingerprinting is trivial and there are many
> automated tools for doing it which work reliably, so complaining about
> this instance is just tilting at windmills.

Getting an OS version is different from getting _exactly_ which
application version is there. I've seen, and indeed use, the
fine-grained OS fingerprinting. I find that quite beside the point
when talking about application versions.

*sigh*
Something else to fix every time I install a machine. Currently I
don't even use FreeBSD's OpenSSH installation since it's so out of
date anyway.

P.

-- 
pir                  [EMAIL PROTECTED]                    [EMAIL PROTECTED]
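An added illustration of the point argued above (not code from the thread or from FreeBSD): a parser for SSH identification strings in the RFC 4253 form `SSH-protoversion-softwareversion SP comments`, plus an audit step of the kind a scanssh-style sweep performs. The sample banners, the `fixed_min` version tuple and the `patched_marker` comment are constructed assumptions; the point the code makes is that a backported fix that keeps the upstream version string is indistinguishable on the wire, and only a vendor-published marker or a local `ssh -V` can settle it.

```python
"""Parse SSH identification strings and classify them the way a remote
version audit would. Sample banners and thresholds are constructed."""
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<sw>\S+)(?: (?P<comment>.*))?$")


def parse_banner(line: str) -> dict:
    """Split one identification line into proto, sw and comment fields."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.groupdict()


def openssh_version(sw: str):
    """Numeric (major, minor, patch) tuple for an OpenSSH_x.y[.z] string,
    or None when the software field is not OpenSSH at all."""
    m = re.match(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?", sw)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def audit(banner: str, fixed_min, patched_marker=None) -> str:
    """Classify a banner against fixed_min, the first upstream version the
    administrator knows to carry the fix (supplied, not derived here).
    Returns 'ok', 'patched', 'unknown' or 'vulnerable-or-silently-patched'."""
    b = parse_banner(banner)
    ver = openssh_version(b["sw"])
    if ver is None:
        return "unknown"          # not OpenSSH: this check cannot judge it
    if ver >= fixed_min:
        return "ok"
    # Upstream version is in the affected range. A vendor that backported
    # the fix without touching the version string leaves nothing here to
    # tell the two apart; only a marker the vendor chose to publish in the
    # comment field (hypothetical, passed in by the caller) distinguishes it.
    if patched_marker and patched_marker in (b["comment"] or ""):
        return "patched"
    return "vulnerable-or-silently-patched"


if __name__ == "__main__":
    # Constructed banners; "FreeBSD-patched" is a hypothetical marker.
    for line in ("SSH-1.99-OpenSSH_2.3.0", "SSH-1.99-OpenSSH_2.3.0 FreeBSD-patched",
                 "SSH-2.0-OpenSSH_2.9", "SSH-1.5-1.2.27"):
        print(f"{line:45} -> {audit(line, (2, 5, 0), 'FreeBSD-patched')}")
```

The "vulnerable-or-silently-patched" result is the administrator's real problem: the remote check alone cannot answer it, which is why the local `ssh -V` (or an equivalent inventory source) has to be consulted.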


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-stable" in the body of the message
