Re: SSHD revealing too much information.

From: Makoto MATSUSHITA (matusita@jp.FreeBSD.org)
Date: 03/27/01


From: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
To: freebsd-security@FreeBSD.ORG
Date: Tue, 27 Mar 2001 22:09:40 +0900


Trim To: field...

cjclark> The 'green@FreeBSD.org 20010321' is too much information. The
cjclark> 'OpenSSH_2.3.0' part is required for the protocol.

What do you think about NetBSD? Their ssh implementation, based on
OpenSSH 2.5.2 but hacked on their own, uses

        OpenSSH_2.5.2 NetBSD_Secure_Shell-20010319

as a version string. Maybe it's also too much information, since
NetBSD Secure Shell is (maybe) only available for NetBSD, and it uses
a timestamp (20010319). If in doubt, check:
<URL:http://www.freebsd.org/cgi/cvsweb.cgi/basesrc/crypto/dist/ssh/version.h?cvsroot=netbsd>

It is natural that the first word of the version string is for and only for
the OpenSSH implementation and/or the ssh protocol itself (I dunno if it's
true or not), and the rest of the version string is for identifying the
OpenSSH variants (note that our ssh implementation is *not* just a
security-fixed OpenSSH 2.3.0, but has features which do not exist
in the original OpenSSH by OpenBSD).

-- -
Makoto `MAR' MATSUSHITA

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
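
Added example (not part of the original message, and not FreeBSD or NetBSD code): a small audit that splits an SSH identification line into the software version and the optional comments field, then reports what the comments disclose, using the two version strings quoted in this thread. The "SSH-1.99-" and "SSH-2.0-" prefixes, the CHECKS rule set and the name audit_banner are assumptions made for the example.

```python
import re

# Identification line layout: SSH-protoversion-softwareversion SP comments CR LF
# (protoversion and softwareversion contain neither whitespace nor "-").
BANNER = re.compile(
    r"^SSH-(?P<proto>[^\s-]+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$")

# Heuristics for what the optional comments field gives away (assumed rule set).
CHECKS = [
    ("os-name", re.compile(r"FreeBSD|NetBSD|OpenBSD|Linux|Debian|Ubuntu", re.I)),
    ("build-date", re.compile(
        r"(?<!\d)(?:19|20)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])(?!\d)")),
    ("maintainer-address", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
]


def audit_banner(line):
    """Split an SSH identification line and list what its comments disclose."""
    m = BANNER.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification line: %r" % line)
    comments = m.group("comments") or ""
    findings = [name for name, rx in CHECKS if rx.search(comments)]
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": comments,
        "findings": findings,
    }


# Constructed samples: the text after the protocol prefix is quoted from the
# thread; the "SSH-1.99-" / "SSH-2.0-" prefixes are assumptions.
SAMPLES = [
    "SSH-1.99-OpenSSH_2.3.0 green@FreeBSD.org 20010321\r\n",
    "SSH-1.99-OpenSSH_2.5.2 NetBSD_Secure_Shell-20010319\r\n",
    "SSH-2.0-OpenSSH_2.3.0\r\n",  # software version only, no comments field
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = audit_banner(s)
        print("%-14s comments=%-32r findings=%s"
              % (r["software"], r["comments"], r["findings"]))
```

Run against the banner your own sshd sends, an empty findings list means only the software version is being announced.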


