Debian Bug report logs - #130876
Sending server software version information should be optional

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Lazarus Long <lazarus@overdue.ddts.net>

To: submit@bugs.debian.org

Subject: ssh: -5 discloses too much infomation to an attacker

Date: Sat, 26 Jan 2002 01:23:13 +0000 (UTC)

Package: ssh
Version: 1:3.0.2p1-5
Severity: critical

Introduces security hole by divulging too much information to an attacker
about the underlying system.

+  * Include the Debian version in our identification, to make it easier to
+    audit networks for patched versions in future

Please revert, ASAP!  There is no reason to divulge being a Debian system
to an attacker.

-- System Information
Debian Release: 3.0
Kernel Version: Linux phoenix 2.4.17 #1 Mon Dec 24 07:56:41 UTC 2001 i586 unknown

Message #10 received at 130876-submitter@bugs.debian.org (full text, mbox, reply):

From: "Jonathan D. Amery" <jdamery@chiark.greenend.org.uk>

To: 130876-submitter@bugs.debian.org, control@bugs.debian.org

Subject: Not a bug.

Date: Sat, 26 Jan 2002 02:47:20 +0000 (GMT)

severity 130876 wishlist
thanks

 This is not a bug.  

 It is possible that the maintainer might wish to add an option not to
reveal the additional information such that people who believe in the
`security by obscurity' myth can stop bothering us.

 I note to the submitter that there is precident to providing such
information (FreeBSD).

 Jonathan.

Message #15 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Lazarus Long <lazarus@overdue.ddts.net>

To: "Jonathan D. Amery" <jdamery@chiark.greenend.org.uk>, 130876@bugs.debian.org

Cc: control@bugs.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#130876: Very definitely a bug, security

Date: Sat, 26 Jan 2002 05:01:14 +0000

[Message part 1 (text/plain, inline)]

severity 130876 grave
thanks

On Sat, Jan 26, 2002 at 02:47:20AM +0000, Jonathan D. Amery wrote:
 > Subject: Bug#130876: Not a bug.
 > 
 > severity 130876 wishlist
 > thanks
 > 
 >  This is not a bug.  

This is definitely a security risk.  There is no reason that such
information should be exposed to attackers.  Just because FreeBSD has
some lame security practices doesn't mean Debian has to emulate them.
(If I ran it, I'd file a bug there as well.)

Post your root password and IP address if you think obscurity is
irrelevant.  (You are twisting a comment about *source* being available
for peer review in the crypto community, not about site-specifics being
open to all.)

/etc/issue and /etc/issue.net are conffiles, so the site admin can
choose to stop broadcasting information to any and all attackers that
may aid them in the process.  Yet ssh 1:3.0.2p1-5 intends to make that
irrelevant for any host running it on a public interface.  This is a
significant security hole that -5 opens, that was not open in -4, and
needs to be addressed ASAP.

-- 
Please (OpenPGP) encrypt all mail whenever possible. Request the following
Public Keys for Lazarus Long <lazarus@overdue.ddts.net>

  Type    Bits/KeyID    Fingerprint                   DSA KeyID: vvvv vvvv
ElGamal: 2048g/CCB09D64 8270 4B79 CB1E 433B 6214  64EB 9D58 28A9 E8B1 27F4
(old 2001 keys)
ElGamal: 2048g/215A8B4A F258 C2DD 7E9C DCEB E64F  82EC D4BB 3438 8B82 A392

[Message part 2 (application/pgp-signature, inline)]

Message #22 received at 130876@bugs.debian.org (full text, mbox, reply):

From: David B Harris <eelf@sympatico.ca>

To: debian-security@lists.debian.org

Cc: 130876@bugs.debian.org

Subject: Re: Bug#130876: Very definitely a bug, security

Date: Sat, 26 Jan 2002 00:30:03 -0500

On Sat, 26 Jan 2002 05:01:14 +0000
Lazarus Long <lazarus@overdue.ddts.net> wrote:
> This is definitely a security risk.  There is no reason that such
> information should be exposed to attackers.  Just because FreeBSD has
> some lame security practices doesn't mean Debian has to emulate them.
> (If I ran it, I'd file a bug there as well.)

I agree that this is exposing information that can be used by an
attacker to aid them in their exploits. On the other hand, the purpose
of the change was a good one; it's hard to tell if you're running a
vulnerable SSH in Stable, since the version string is the same as the
stock upstream source, while the Debian diffs will have many added
patches.

Is there any way this can be run-time configurable?

-- 
 .--=====-=-=====-=========----------=====-----------=-=-----=.
/    David Barclay Harris            Aut agere, aut mori.      \
\        Clan Barclay              Either action, or death.    /
 `-------======-------------=-=-----=-===-=====-------=--=----'

Message #27 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Alex Pennace <alex@pennace.org>

To: Lazarus Long <lazarus@overdue.ddts.net>

Cc: "Jonathan D. Amery" <jdamery@chiark.greenend.org.uk>, 130876@bugs.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#130876: Very definitely a bug, security

Date: Sat, 26 Jan 2002 01:36:24 -0500

On Sat, Jan 26, 2002 at 05:00:52AM +0000, Lazarus Long wrote:
> Post your root password and IP address if you think obscurity is
> irrelevant.  (You are twisting a comment about *source* being available
> for peer review in the crypto community, not about site-specifics being
> open to all.)

Apples to oranges. Passwords are successfully obscure because there
are lots of them. There are not nearly enough seperate flavors of ssh
to help obscurity. Meanwhile, having the Debian string in the ssh
identification can help make tracking down issues relating to a
particular ssh package easier.

By the way, my IP is 129.63.206.105.

I disagree that this is a grave bug in any way. Luckily, this bug
isn't keeping other ssh changes out of testing.

Message #32 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Josip Rodin <joy@cibalia.gkvk.hr>

To: control@bugs.debian.org, 130876@bugs.debian.org

Subject: needless forcing of security through obscurity

Date: Sat, 26 Jan 2002 13:20:38 +0100

severity 130876 wishlist
thanks

This is not a bug. Saying that the system runs Debian won't make the system
any less secure than it already was.

-- 
     2. That which causes joy or happiness.

Message #37 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Matthew Vernon <matthew@sel.cam.ac.uk>

To: Lazarus Long <lazarus@overdue.ddts.net>, 130876@bugs.debian.org

Subject: Bug#130876: ssh: -5 discloses too much infomation to an attacker

Date: Sat, 26 Jan 2002 12:25:08 +0000

Lazarus Long writes:

 > Introduces security hole by divulging too much information to an attacker
 > about the underlying system.
 
The rationale behind this, is that there are many instances where it
is useful for a network admin to know whether the sshd on a particular
machine is secure or not - in stable, our version of sshd gives out a
version string identical to a very insecure upstream version, yet is
patched.

I reject the security-by-obscurity claim you make - attackers don't
care what OS you're running often, they just try everything on the
network. Furthermore, it is trivial [queso(8)] to find out what OS
you're running, and other programs such as Apache will say that it's
Debian. 

Besides, if version x of upstream has bug y, and Debian package x-n of
upstream version x hasn't, then what do you care if someone tries the
exploit on you?

SSH_VERSION is set at compile-time, so even if I did agree with you,
it would be rather a lot of work to make it run-time adjustable. 

Unless you can produce a more convincing argument, I intend to close
this bug. If you are dis-satisfied, you could always ask the technical
committee? 

Matthew

-- 
Rapun.sel - outermost outpost of the Pick Empire
http://www.pick.ucam.org

Message #44 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Junichi Uekawa <dancer@netfort.gr.jp>

To: 130876@bugs.debian.org

Subject: untested patch against sshd

Date: Sat, 26 Jan 2002 22:16:15 +0900

The following patch may cure the problem, or whatever. I haven't checked,
and I don't have the resource right now to check.


Patch from Junichi Uekawa <dancer@debian.org> to allow for
random version strings depending on SSHD_VERSION env var.


diff -ru openssh-3.0.2p1/sshd.c openssh-3.0.2p1-patched/sshd.c
--- openssh-3.0.2p1/sshd.c	Sat Jan 26 22:08:44 2002
+++ openssh-3.0.2p1-patched/sshd.c	Sat Jan 26 22:07:55 2002
@@ -330,7 +330,10 @@
 		major = PROTOCOL_MAJOR_1;
 		minor = PROTOCOL_MINOR_1;
 	}
-	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
+	if (getenv("SSHD_VERSION"))
+	  snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, getenv("SSHD_VERSION"));
+	else
+	  snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
 	server_version_string = xstrdup(buf);
 
 	if (client_version_string == NULL) {



-- 
dancer@debian.org : Junichi Uekawa   http://www.netfort.gr.jp/~dancer
GPG Fingerprint : 17D6 120E 4455 1832 9423  7447 3059 BF92 CD37 56F4

Message #49 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Matthew Vernon <matthew@sel.cam.ac.uk>

To: Junichi Uekawa <dancer@netfort.gr.jp>, 130876@bugs.debian.org

Subject: Bug#130876: untested patch against sshd

Date: Sat, 26 Jan 2002 13:47:00 +0000

Junichi Uekawa writes:
 > 
 > The following patch may cure the problem, or whatever. I haven't checked,
 > and I don't have the resource right now to check.
 
Thanks for the contribution; OTOH I want Debian SSHds to report our
version correctly (like upstream does); given that we have a
considerable set of patches, I think providing the upstream
SSH_VERSION is just inaccurate. For this reason, I certainly don't
want random version strings set by people who don't understand what
they're doing - on this occasion, I feel that having to recompile the
package from source is appropriate.
 
Matthew

-- 
Rapun.sel - outermost outpost of the Pick Empire
http://www.pick.ucam.org

Message #54 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

To: Lazarus Long <lazarus@overdue.ddts.net>

Cc: "Jonathan D. Amery" <jdamery@chiark.greenend.org.uk>, 130876@bugs.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#130876: Very definitely a bug, security

Date: Sat, 26 Jan 2002 19:14:15 +0100

Lazarus Long <lazarus@overdue.ddts.net> writes:

>  > severity 130876 wishlist
>  > thanks
>  > 
>  >  This is not a bug.  
>
> This is definitely a security risk.

It helps auditing a large farm of Debian machines.

For example, there is currently no reliable way to remotely tell if a
box running OpenSSH 1.2.3 is using an up-to-date Debian version with
the security fix.  An attacker will simply try all his exploits and
move to the next machine if they are unsuccesful.  The good guys can
do that, too, but they cannot be sure if they just got the offsets
wrong or something like that, so that the machine is vulnerable
despite the attack was not successful.

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

Message #59 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Paul Hampson <Paul.Hampson@anu.edu.au>

To: 130876@bugs.debian.org

Subject: debian-devel@l.d.o thrashing out of this "bug"

Date: Thu, 7 Feb 2002 03:48:10 +1100

[Message part 1 (text/plain, inline)]

http://lists.debian.org/debian-devel/2002/debian-devel-200202/msg00409.html

The upshot seems to have been that it's use to an attacker
is not nearly as strong as it's use to the network admin
trying to tell if it's a security risk.

The good guys'll use the version number;
The bad guys'll attack it anyway.
-- 
===========================================================
Paul "TBBle" Hampson, MCSE
4th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

Of course Pacman didn't influence us as kids. If it did,
we'd be running around in darkened rooms, popping pills and
listening to repetitive music.

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
===========================================================

[Message part 2 (application/pgp-signature, inline)]

Message #64 received at 130876-done@bugs.debian.org (full text, mbox, reply):

From: Matthew Vernon <matthew@sel.cam.ac.uk>

To: Lazarus Long <lazarus@overdue.ddts.net>, 130876-done@bugs.debian.org

Subject: Bug#130876: ssh: -5 discloses too much infomation to an attacker

Date: Sat, 9 Feb 2002 17:29:49 +0000

Matthew Vernon writes:
 > Lazarus Long writes:
 > 
 >  > Introduces security hole by divulging too much information to an attacker
 >  > about the underlying system.
<snip>
 > Unless you can produce a more convincing argument, I intend to close
 > this bug. If you are dis-satisfied, you could always ask the technical
 > committee? 

Well, I hear no disagreement, so I'm closing this bug now.

Thanks,

Matthew

-- 
Rapun.sel - outermost outpost of the Pick Empire
http://www.pick.ucam.org

Message #69 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Lazarus Long <lazarus@overdue.ddts.net>

To: 130876@bugs.debian.org

Cc: control@bugs.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#130876: ssh: -5 discloses too much infomation to an attacker, security

Date: Sun, 10 Feb 2002 02:47:33 +0000

[Message part 1 (text/plain, inline)]

reopen 130876
severity 130876 grave
thanks

As I have said in the past, this is definitely a security risk.
There is no reason that such information should be exposed to attackers.

'dpkg -l ssh' provides a Debian-specific version string, and there is no
reason this needs to be exposed to those who have no authority to access
the system.  All I have heard from the proponents of this ridiculous
claim is "ease" (which of course is the same argument for password-less
root accounts, and is equally ridiculous.)

Quoting myself:
 > /etc/issue and /etc/issue.net are conffiles, so the site admin can
 > choose to stop broadcasting information to any and all attackers that
 > may aid them in the process.  Yet ssh 1:3.0.2p1-5 intends to make that
 > irrelevant for any host running it on a public interface.  This is
                                      ^^^^^^^^^^^^^^^^^^^^^
 > a significant security hole that -5 opens, that was not open in -4,
 > and needs to be addressed ASAP.

The "public interface" phrase emphasized above will be pertinent below.


On Sat, Jan 26, 2002 at 12:25:08PM +0000, Matthew Vernon wrote:
 > 
 > Lazarus Long writes:
 > 
 >  > Introduces security hole by divulging too much information to an attacker
 >  > about the underlying system.
 >  
 > The rationale behind this, is that there are many instances where it
 > is useful for a network admin to know whether the sshd on a particular
 > machine is secure or not

Of course it is "useful," Matthew, but that admin can do so, safely
*logged in to* the machine in question, with the 'dpkg -l ssh' command
I mentioned above.  There is no need to advertise any vulnerabilities
to those *outside* the machine.

 > - in stable, our version of sshd gives out a version string identical
 > to a very insecure upstream version, yet is patched.

How is this in any way relevant?

 > I reject the security-by-obscurity claim you make - attackers don't

Again, security-by-obscurity (which you seem to be parroting from
another misinformed individual in this thread) is properly used to
refer to *source code* availability, for peer review within the crypto
community, not the specifics of any given machine's implementation.
(I refer you to my comment about "post your root password and IP address
if you think obscurity is irrelevant.")

I will include a quote at the end of this message from an appropriate
source, if this will help to further understanding.

 > care what OS you're running often, they just try everything on the
 > network. Furthermore, it is trivial [queso(8)] to find out what OS

Running queso against four different machines here returns either the
erroneous "* Standard: Solaris 2.x, Linux 2.1.???, MacOS" or else
"*- Not Listen, try another port".  None of those machines run any
of the operating systems queso reported.

 > you're running, and other programs such as Apache will say that it's
 > Debian. 

How many intended-to-be-secure machines run Apache?  Typically, a machine
will run with sshd, and *only* sshd, listening on an outward-facing
interface.  Consider the context in which this package is intended to be
deployed.  (I hadn't expected to need to explain this to the maintainer
of this particular package.)

 > Besides, if version x of upstream has bug y, and Debian package x-n of
 > upstream version x hasn't, then what do you care if someone tries the
 > exploit on you?

And what about the opposite scenario?  Debian has very recently taken
months to close a known security hole, without telling the end-users,
after all.  But again, something I hadn't thought I would need to
explain to the ssh package maintainer is that information about a given
machine (such as the fact that it runs Debian at all) gives the attacker
significant information about the system, *regardless* of whether the
ssh package itself is vulnerable or not.  ("She's running Debian?  Kewel,
that's the one with the vulnerable foo which I can now attack!"  ("foo"
being glibc recently, or some other equally widely-deployed package in
the future, perhaps?))

 > Unless you can produce a more convincing argument, I intend to close
 > this bug.

Since my own words seem to have been inadequate in the past, I'll paste
here a fair-use excerpt from the most recent book from a widely-known
and highly-regarded authority in the computer security (and crypto)
field, whom I hope you will recognize.

This excerpt is taken from p. 371f of Bruce Schneier's _Secrets and Lies,
Digital Security in a Networked World_ (Wiley and Sons, 2000)

         One of the strengths an attacker has is knowledge of the
    terrain.  Just as an army doesn't broadcast the location of its tanks,
    anti-aircraft missiles, and battalions to the enemy, there's no reason
    to broadcast your network topology to everyone that asks.  Too many
    computers respond to any query with their operating system and version
    number; there's no reason to give out this information.  Much better
    would be a login screen that reads: "Warning: Proprietary Computer.
    Use of this system constitutes consent to security monitoring.
    All user activity is logged, including the hostname and IP address."
    Let the attackers wonder if you can trace them.

        ... An attacker shouldn't know what types of equipment are running
    where, what protocols are allowed under what conditions, what ports
    are open under what conditions.  I am amazed by the number of servers,
    applications and protocols that announce themselves to the world:
    "Hello! I am randomservice V2.05."	Many hacking (sic) tools scan
    for particular versions of software running on particular machines
    ... known to have particular vulnerabilities.  If networks are
    unpredictable, attackers won't be able to wander around so freely.
    Without this kind of information, it's much harder to profile a
    target and determine what attacks to try.  It's the difference between
    walking in a sunny meadow at midday and a briar patch at midnight.

I will be forwarding a copy of this message to him (common courtesy,
after all) as well as the URL for the bug report
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=130876&repeatmerged=yes)
in the hope that he will refute any misquotation or inappropriate
editing, implication, misleading, or misinterpretation on my part.
(Any present are unintentional and solely my own responsibility.)

<off-topic> Incidentally, I highly recommend the above book, it was both
informative and entertaining, as I had expected, having read (and *then*
purchased) _Applied Cryptography_. </off-topic>

Hopefully, if my own words have been inadequate to communicate this
concept, the above well-written ones will now suffice.  The ssh package
should *assist* the admin who wants a secure machine, not *subvert*
the attempt.

 > Well, I hear no disagreement, so I'm closing this bug now.

Sigh.  (I'm not fast enough with the research behind this apparently.)

The above is disagreement for you to hear, and I'm now reopening it.

-- 
Please (OpenPGP) encrypt all mail whenever possible. Request the following
Public Keys for Lazarus Long <lazarus@overdue.ddts.net>

  Type    Bits/KeyID    Fingerprint                   DSA KeyID: vvvv vvvv
ElGamal: 2048g/CCB09D64 8270 4B79 CB1E 433B 6214  64EB 9D58 28A9 E8B1 27F4
(old 2001 keys)
ElGamal: 2048g/215A8B4A F258 C2DD 7E9C DCEB E64F  82EC D4BB 3438 8B82 A392

[Message part 2 (application/pgp-signature, inline)]

Message #78 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

To: Lazarus Long <lazarus@overdue.ddts.net>

Cc: 130876@bugs.debian.org,  @CERT.Uni-Stuttgart.DE, debian-security@lists.debian.org

Subject: Re: Bug#130876: ssh: -5 discloses too much infomation to an attacker, security

Date: Sun, 10 Feb 2002 17:36:46 +0100

Lazarus Long <lazarus@overdue.ddts.net> writes:

> As I have said in the past, this is definitely a security risk.

No, it isn't.  The fact that the SSH protocol encourages implementors
to exhibit version numbers has helped us greatly while recovering from
the catastrophic buffer overflow bug.

> Of course it is "useful," Matthew, but that admin can do so, safely
> *logged in to* the machine in question, with the 'dpkg -l ssh' command
> I mentioned above.  There is no need to advertise any vulnerabilities
> to those *outside* the machine.

But there is.  Your local CERT might want to warn you that you are
running a vulnerable implementation of a network service.

We regularly disconnect Debian/timetravel systems because the version
identification of a service suggests that they are still running a
vulnerable version.  That's tough luck for Debian users, but better be
safe than sorry.

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

Message #83 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Alex Pennace <alex@pennace.org>

To: Lazarus Long <lazarus@overdue.ddts.net>

Cc: 130876@bugs.debian.org, control@bugs.debian.org, debian-security@lists.debian.org

Subject: Re: Bug#130876: ssh: -5 discloses too much infomation to an attacker, security

Date: Sun, 10 Feb 2002 11:57:37 -0500

On Sun, Feb 10, 2002 at 02:47:11AM +0000, Lazarus Long wrote:
> As I have said in the past, this is definitely a security risk.
> There is no reason that such information should be exposed to attackers.

We may as well take down the debian.org web pages, since they expose a
wealth of information to attackers.

> 'dpkg -l ssh' provides a Debian-specific version string, and there is no
> reason this needs to be exposed to those who have no authority to access
> the system.  All I have heard from the proponents of this ridiculous
> claim is "ease" (which of course is the same argument for password-less
> root accounts, and is equally ridiculous.)

Interesting idea. Do you have scripts that will log in to a list of
machines and run dpkg -l ssh, parse the output and produce a report?

>  > I reject the security-by-obscurity claim you make - attackers don't
> 
> Again, security-by-obscurity (which you seem to be parroting from
> another misinformed individual in this thread) is properly used to
> refer to *source code* availability, for peer review within the crypto
> community, not the specifics of any given machine's implementation.
> (I refer you to my comment about "post your root password and IP address
> if you think obscurity is irrelevant.")

In <20020126063624.GA5781@buick.pennace.org>, I said: "Passwords are
successfully obscure because there are lots of them. There are not
nearly enough seperate flavors of ssh to help obscurity. An attacker
could iterate through all known attacks against SSH once he has found
your machine. Hard to iterate through billions of possible passwords.

In that same message, I posted my IP address because obscuring it
would be unsuccessful. Within 24 hours of posting it, ORBZ tested my
machine. Nothing else happened.

>  > you're running, and other programs such as Apache will say that it's
>  > Debian. 
> 
> How many intended-to-be-secure machines run Apache?  Typically, a machine
> will run with sshd, and *only* sshd, listening on an outward-facing
> interface.  Consider the context in which this package is intended to be
> deployed.  (I hadn't expected to need to explain this to the maintainer
> of this particular package.)

I know plenty of "intended-to-be-secure" machines that run Apache.

Message #88 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Matthew Vernon <matthew@sel.cam.ac.uk>

To: Lazarus Long <lazarus@overdue.ddts.net>, 130876@bugs.debian.org

Cc: control@bugs.debian.org, debian-security@lists.debian.org

Subject: Bug#130876: ssh: -5 discloses too much infomation to an attacker, security

Date: Sun, 10 Feb 2002 18:26:17 +0000

retitle 130876 Sending server software version information should be optional
severity 130876 wishlist
quit

I'll get back to you in more detail when I have time, but in the mean
time - if you want to produce and maintain (since I'm damn sure
upstream wouldn't want to know) a patch that creates a configuration
option enabling the server to produce only the parts of the version
string required by the RFC (which is in /usr/share/doc/ssh) and
nothing more, I'm prepared to incorporate it. The default should be to
display what the package *currently* does. call it -O
'SecurityByObscurity yes' or something.

Matthew

-- 
Rapun.sel - outermost outpost of the Pick Empire
http://www.pick.ucam.org

Message #95 received at 130876-submitter@bugs.debian.org (full text, mbox, reply):

From: "Jonathan D. Amery" <jdamery@chiark.greenend.org.uk>

To: 130876-submitter@bugs.debian.org

Subject: Re: Bug#130876: ssh: -5 discloses too much infomation to an attacker, security

Date: Sun, 10 Feb 2002 18:28:58 +0000 (GMT)

`Lazarus Long' said:
> Of course it is "useful," Matthew, but that admin can do so, safely
> *logged in to* the machine in question, with the 'dpkg -l ssh' command
> I mentioned above.  There is no need to advertise any vulnerabilities
> to those *outside* the machine.

 You appear to neglect the case where the site administration is
seperate from machine administration.

>  > I reject the security-by-obscurity claim you make - attackers don't
>
> Again, security-by-obscurity (which you seem to be parroting from
> another misinformed individual in this thread) is properly used to
> refer to *source code* availability, for peer review within the crypto
> community, not the specifics of any given machine's implementation.

 The term `secureity-by-obscurity' is used to refer to a whole range of
usages of this princible - not merely those that you state.

> (I refer you to my comment about "post your root password and IP address
> if you think obscurity is irrelevant.")

 I'd be happy - but I don't think that 172.16.22.68 would really help you
:-).

> How many intended-to-be-secure machines run Apache? 

 Many webservers, and machines that are incidentally webservers.

> ("She's running Debian?  Kewel, that's the one with the vulnerable foo
> which I can now attack!"  ("foo" being glibc recently, or some other
> equally widely-deployed package in the future, perhaps?))

 A remote-root-glibc exploit?  Interesting...

 Also, by your own argument you're only running ssh on the outwards facing
side...

 And to end I refer you to the words of another contributer to this
discussion:

#
#http://lists.debian.org/debian-devel/2002/debian-devel-200202/msg00409.html
#
#The upshot seems to have been that it's use to an attacker
#is not nearly as strong as it's use to the network admin
#trying to tell if it's a security risk.
#
#The good guys'll use the version number;
#The bad guys'll attack it anyway.
#

(not that I've had chance to read that myself - but you haven't replied to
it...)

-- 
Jonathan Amery.      I'll fear not what men say,
   #####             I'll labour night and day
  #######__o            To be a pilgrim.
  #######'/                                                - Percy Dearmer

Message #100 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Wichert Akkerman <wichert@wiggy.net>

To: debian-security@lists.debian.org, 130876@bugs.debian.org

Subject: Re: Bug#130876: ssh: -5 discloses too much infomation to an attacker, security

Date: Sun, 10 Feb 2002 20:46:43 +0100

Previously Matthew Vernon wrote:
> retitle 130876 Sending server software version information should be optional

I'm not sure I agree with that: that easily leads to the configurable
version response option that was discussed on openssh-dev recently where
it was concluded that is not a good idea.

Wichert.

-- 
  _________________________________________________________________
 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org            http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |

Message #105 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Matthew Vernon <matthew@sel.cam.ac.uk>

To: Wichert Akkerman <wichert@wiggy.net>, 130876@bugs.debian.org

Cc: debian-security@lists.debian.org

Subject: Bug#130876: ssh: -5 discloses too much infomation to an attacker, security

Date: Sun, 10 Feb 2002 20:00:54 +0000

Wichert Akkerman writes:
 > Previously Matthew Vernon wrote:
 > > retitle 130876 Sending server software version information should be optional
 > 
 > I'm not sure I agree with that: that easily leads to the configurable
 > version response option that was discussed on openssh-dev recently where
 > it was concluded that is not a good idea.

I'm not sure it's a good idea either. I suspect Lazarus won't accept
the status quo, however.

Matthew

-- 
Rapun.sel - outermost outpost of the Pick Empire
http://www.pick.ucam.org

Message #110 received at 130876@bugs.debian.org (full text, mbox, reply):

From: adric@debian.org

To: 130876@bugs.debian.org

Subject: Re: Bug#130876: ssh: -5 discloses too much infomation to an attacker, security

Date: Sun, 10 Feb 2002 22:50:19 GMT

> > I'm not sure I agree with that: that easily leads to the configurable
> > version response option that was discussed on openssh-dev recently where
> > it was concluded that is not a good idea.
> 
> I'm not sure it's a good idea either. I suspect Lazarus won't accept
> the status quo, however.

For whatever it's worth, I think that the current situation is correct.  Lazarus
won't like it, granted, but it's hardly the first time that not everyone could
be pleased.

Just my 2 cents worth...

Message #115 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Eduardo Pérez <100018135@alumnos.uc3m.es>

To: 130876@bugs.debian.org

Subject: Re: Bug#130876: Very definitely a bug, security

Date: Mon, 25 Feb 2002 10:25:26 +0000

I agree with Lazarus Long <lazarus@overdue.ddts.net>

Please don't confuse Security Through Obscurity with this.

Security Through Obscurity is the practice of hiding the algorithm
used to secure a machine

This practice is securing a box by not telling the attacker the information he
wants to crack the machine.

If the maintainer wants to know what version of ssh his network is using
the login the server and get the version from the shell.

There shouldn't be any problem by sending the version to anyone.
But 'to call for problems' is not a good idea neither.

Message #120 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

To: Eduardo Pérez <100018135@alumnos.uc3m.es>

Cc: 130876@bugs.debian.org

Subject: Re: Bug#130876: Very definitely a bug, security

Date: Fri, 01 Mar 2002 18:05:41 +0100

Eduardo Pérez <100018135@alumnos.uc3m.es> writes:

> If the maintainer wants to know what version of ssh his network is using
> the login the server and get the version from the shell.

This is not always possible.  I'm (sort of) responsible for a
substantial number of hosts.  Of course, I don't have interactive
login on most of these hosts, so being able to query the version
remotely is of paramount importance.  If the SSH daemon had not
announced its version number (in addition to the protocol version), we
certainly would have a few hundred compromised hosts instead of just a
dozen or so.

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

Message #125 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Josip Rodin <joy@cibalia.gkvk.hr>

To: 130876@bugs.debian.org

Subject: comments on some incoherent things

Date: Sun, 3 Mar 2002 20:17:11 +0100

Hi,

Lazarus Long wrote:
> the fact that it runs Debian at all gives the attacker significant
> information about the system, *regardless* of whether the ssh package
> itself is vulnerable or not. ("She's running Debian?  Kewel, that's the
> one with the vulnerable foo which I can now attack!" ("foo" being glibc
> recently, or some other equally widely-deployed package in the future,
> perhaps?))

If there is such a remote exploit, it doesn't matter if the attacker finds
out about it through ssh or simply by testing if it works!

Not saying it runs Debian could only spare systems of a minute of
portscanning and probing, which is no consolation if the machine is
vulnerable to a remote exploit.

Eduardo Pérez wrote:
> But 'to call for problems' is not a good idea neither.

This is a fraction more calling for trouble than putting a machine on the
Internet.

This bug should be closed.

-- 
     2. That which causes joy or happiness.

Message #142 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Matthew Sachs <matthewg@zevils.com>

To: 130876@bugs.debian.org

Subject: Patch to add configuration option

Date: Tue, 6 Aug 2002 14:21:36 -0400

Tags: patch

I've created a patch which makes this behavior controllable by the
user.  The patch is at:
	http://www.zevils.com/~matthewg/version-exchange-verbosity.diff

See bug #155669 for my initial description of the patch.  I've since
modified the patch to change the name of the option to
RevealVersionInfo, and the valid settings are now 'none', 'terse', and
'verbose'.  The default, verbose, reflects the package's current
behavior.

Whether you agree with the current behavior or not, there is obviously
disagreement over it, and so the best solution is to create a
configuration option.  This patch doesn't affect people who want the
status quo and provides the admin who wants to change it with the
ability to do so.

I am willing to maintain this patch; however, it probably belongs
upstream, the Debian-specificness of 'verbose' notwithstanding.

Message #147 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

To: Matthew Sachs <matthewg@zevils.com>

Cc: 130876@bugs.debian.org

Subject: Re: Bug#130876: Patch to add configuration option

Date: Wed, 07 Aug 2002 08:38:26 +0200

Matthew Sachs <matthewg@zevils.com> writes:

> I've created a patch which makes this behavior controllable by the
> user.  The patch is at:
> 	http://www.zevils.com/~matthewg/version-exchange-verbosity.diff
>
> See bug #155669 for my initial description of the patch.  I've since
> modified the patch to change the name of the option to
> RevealVersionInfo, and the valid settings are now 'none', 'terse', and
> 'verbose'.  The default, verbose, reflects the package's current
> behavior.

"none" can break client connections (the OpenSSH source code already
contains numerous workarounds which are enabled based on the version
number).

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

Message #156 received at 130876@bugs.debian.org (full text, mbox, reply):

From: Est. Ana Belen Jimbo Muñoz <ajimbom1@est.ups.edu.ec>

To: Est. Ana Belen Jimbo Muñoz <ajimbom1@est.ups.edu.ec>

Subject: FW

Date: Sat, 11 Apr 2020 20:50:34 +0000

[Message part 1 (text/plain, inline)]

Sent: Sunday, April 12, 2020 2:07 AM
Subject: Hey

Hey,
I would like to discuss with you.
email: shcotton3@hotmail.com<mailto:shcotton3@hotmail.com>
Ms Shannon

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.