Yes, removing $ from the "Protocol" directive would allow "Protocol 2,1"; an attacker could force protocol v1 use on the client side :/

On Wed, Apr 9, 2014 at 5:15 PM, Jan Lieskovsky <[email protected]> wrote:
> ----- Original Message -----
> > From: "Jan Ruzicka"
> > Subject: Re: [PATCH] [shared] Allow comments in sshd config directives
> >
> > Doesn't the obj_sshd_use_approved_ciphers now allow unapproved ciphers to be
> > appended to the list of approved ones?
> > What about object_sshd_allow_only_protocol2 ?
> > Thanks, Jan.
>
> Right, good catch. While just the removal of dollar sign would make
> sense for cases where sshd directive requires / allows just one value, in case
> of approved ciphers or SSHv2 ones you are right it might allow weaker use-case /
> scenario to succeed than desired.
>
> Will come with v2 of the proposal.
>
> Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> > > On Apr 8, 2014, at 05:16, Jan Lieskovsky wrote:
> > >
> > > When checking /etc/ssh/sshd_config for proper settings of various
> > > directives allow also line directive versions suffixed with comments
> > > (so we wouldn't report inappropriate results).
> > >
> > > Please review.
> > >
> > > Thank you && Regards, Jan.
> > > --
> > > Jan iankko Lieskovsky / Red Hat Security Technologies Team
> > > <0001-shared-Allow-comments-in-sshd-config-directives.patch>
> > > _______________________________________________
> > > scap-security-guide mailing list
> > > [email protected]
> > > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> >
> > Jan Ruzicka
> > Senior Software Engineer
> > Comtech Mobile Datacom Corporation
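The problem the thread identifies, shown as an added example that is not part of the thread or of the SCAP Security Guide's own OVAL content: the project checks sshd_config with regular expressions, and this Python stand-in reproduces the two variants under discussion. The "loose" patterns drop the `$` anchor so a trailing comment no longer breaks the match, but they then accept any text after the approved prefix, including "Protocol 2,1" and an extra unapproved cipher. The "strict" patterns allow only whitespace and a `#` comment after the value before end of line, which is what the promised v2 would need. The approved cipher set and both config fragments are constructed for the example; the real profile's list is whatever the guide ships.

```python
import re

# Constructed sample sshd_config fragments (not from the mailing-list thread).
GOOD_CONFIG = """\
# constructed: hardened settings, comments after the directive value
Protocol 2                                   # v1 disabled
Ciphers aes256-ctr,aes192-ctr,aes128-ctr     # approved set only
"""
WEAK_CONFIG = """\
# constructed: the cases the thread warns about
Protocol 2,1                                 # v1 still negotiable
Ciphers aes256-ctr,arcfour                   # unapproved cipher appended
"""

# Assumed approved set for the example; the real profile's list may differ.
APPROVED_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}
_ALT = "|".join(re.escape(c) for c in sorted(APPROVED_CIPHERS))
_LIST = rf"(?:{_ALT})(?:,(?:{_ALT}))*"   # one or more approved names, comma-separated

# "Loose": the '$' anchor was dropped so a trailing comment no longer breaks
# the match, but nothing stops extra values after the accepted prefix.
LOOSE_PROTOCOL = re.compile(r"^\s*[Pp]rotocol\s+2")
LOOSE_CIPHERS = re.compile(rf"^\s*[Cc]iphers\s+{_LIST}")

# "Strict": the value must end right after the accepted text; only optional
# whitespace and a '#' comment may follow before end of line.
TRAILER = r"\s*(?:#.*)?$"
STRICT_PROTOCOL = re.compile(r"^\s*[Pp]rotocol\s+2" + TRAILER)
STRICT_CIPHERS = re.compile(rf"^\s*[Cc]iphers\s+{_LIST}" + TRAILER)


def matches(pattern, line):
    """True when the compiled pattern accepts the line."""
    return pattern.match(line) is not None


def directive_values(line):
    """Split one line into (keyword, [values]) with any '#' comment removed.
    Returns None for blank and comment-only lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split(None, 1)
    values = parts[1].split(",") if len(parts) > 1 else []
    return parts[0].lower(), [v.strip() for v in values if v.strip()]


def first_directive(text, keyword):
    """sshd honours the first occurrence of a keyword, so that is the line to audit."""
    for line in text.splitlines():
        parsed = directive_values(line)
        if parsed and parsed[0] == keyword.lower():
            return line
    return None


def ciphers_all_approved(line, approved=APPROVED_CIPHERS):
    """Parse-based check: every listed cipher must be approved (no prefix matching)."""
    parsed = directive_values(line)
    if parsed is None or parsed[0] != "ciphers":
        return False
    values = parsed[1]
    return bool(values) and all(v in approved for v in values)


def audit(text):
    """Audit a config fragment with the strict pattern plus the parse-based check."""
    proto = first_directive(text, "protocol")
    ciph = first_directive(text, "ciphers")
    return {
        "protocol2_only": proto is not None and matches(STRICT_PROTOCOL, proto),
        "ciphers_approved": ciph is not None and ciphers_all_approved(ciph),
    }


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg))
    # Why the anchor matters: loose patterns pass the weak lines, strict ones do not.
    print("loose accepts 'Protocol 2,1':", matches(LOOSE_PROTOCOL, "Protocol 2,1"))
    print("strict accepts 'Protocol 2,1':", matches(STRICT_PROTOCOL, "Protocol 2,1"))
```

For list-valued directives such as Ciphers, splitting the value on commas and checking every element against the approved set is more robust than a regex alternation: the regex form is easy to get subtly wrong, while the parsed form rejects an appended name regardless of where it sits in the list. The audit also looks only at the first occurrence of each keyword, because that is the one sshd applies.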
