Debian Bug report logs - #774410
allow for the package-specific version banner to be suppressed for ssh client

Package: openssh-client; Maintainer for openssh-client is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-client is src:openssh.

Reported by: Fedor Brunner <fedor.brunner@azet.sk>

Date: Fri, 2 Jan 2015 10:21:07 UTC

Severity: wishlist

Tags: patch

Merged with 774411

Found in version openssh/1:6.7p1-3


Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#774410; Package openssh-client. (Fri, 02 Jan 2015 10:21:12 GMT)


Acknowledgement sent to Fedor Brunner <fedor.brunner@azet.sk>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Fri, 02 Jan 2015 10:21:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Fedor Brunner <fedor.brunner@azet.sk>
To: submit@bugs.debian.org
Subject: allow for the package-specific version banner to be suppressed for ssh client
Date: Fri, 02 Jan 2015 11:14:21 +0100
Package: openssh-client
Version: 1:6.7p1-3
Severity: wishlist
Tags: patch

Hi,
it should be possible to suppress the exact package version of
openssh that is reported during the initial protocol handshake
for the ssh client as well.

A similar bug was fixed for the SSH server:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562048

This patch adds the DebianBanner option to ssh_config as well. The behavior is
the same as DebianBanner in sshd_config.

Thanks,
Fedor

[debianbanner_client.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#774410; Package openssh-client. (Fri, 02 Jan 2015 12:24:38 GMT)


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Fri, 02 Jan 2015 12:24:38 GMT)


Message #10 received at 774410@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Fedor Brunner <fedor.brunner@azet.sk>, 774410@bugs.debian.org
Subject: Re: Bug#774410: allow for the package-specific version banner to be suppressed for ssh client
Date: Fri, 2 Jan 2015 12:23:06 +0000
Control: merge 774410 774411

On Fri, Jan 02, 2015 at 11:14:21AM +0100, Fedor Brunner wrote:
> it should be possible to suppress the exact package version of
> openssh that is reported during the initial protocol handshake
> for the ssh client as well.

This sort of patch carries an ongoing maintenance burden (and not an
entirely trivial one; patches to the configuration-reading code normally
conflict and require manual resolution when upgrading to new upstream
versions), so you're going to have to make the case for why it's
important in practice to conceal the client version.  While I'm not
wholly convinced that concealing the server version is interesting or
valuable, surely vulnerabilities in that direction are orders of
magnitude more common.

-- 
Colin Watson                                       [cjwatson@debian.org]



Merged 774410 774411 Request was from Colin Watson <cjwatson@debian.org> to 774410-submit@bugs.debian.org. (Fri, 02 Jan 2015 12:24:38 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#774410; Package openssh-client. (Fri, 02 Jan 2015 15:09:04 GMT)


Acknowledgement sent to Fedor Brunner <fedor.brunner@azet.sk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Fri, 02 Jan 2015 15:09:05 GMT)


Message #17 received at 774410@bugs.debian.org:

From: Fedor Brunner <fedor.brunner@azet.sk>
To: Colin Watson <cjwatson@debian.org>, 774410@bugs.debian.org
Subject: Re: Bug#774410: allow for the package-specific version banner to be suppressed for ssh client
Date: Fri, 02 Jan 2015 15:56:56 +0100
On 02.01.2015 13:23, Colin Watson wrote:
> Control: merge 774410 774411
> 
> On Fri, Jan 02, 2015 at 11:14:21AM +0100, Fedor Brunner wrote:
>> it should be possible to suppress the exact package version of
>> openssh that is reported during the initial protocol handshake
>> for the ssh client as well.
> 
> This sort of patch carries an ongoing maintenance burden (and not an
> entirely trivial one; patches to the configuration-reading code normally
> conflict and require manual resolution when upgrading to new upstream
> versions), so you're going to have to make the case for why it's
> important in practice to conceal the client version.  While I'm not
> wholly convinced that concealing the server version is interesting or
> valuable, surely vulnerabilities in that direction are orders of
> magnitude more common.
> 

I understand that there is a maintenance burden with each change to the
configuration-reading code, but this burden is already there for
DebianBanner in sshd_config.

The main use case for this switch is a user who wants to protect his
privacy and doesn't want to tell, with each SSH connection, which Debian (or
Debian derivative) he is using.
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1195342/





Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#774410; Package openssh-client. (Tue, 06 Jan 2015 14:48:14 GMT)


Acknowledgement sent to Matthew Vernon <matthew@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Tue, 06 Jan 2015 14:48:14 GMT)


Message #22 received at 774410@bugs.debian.org:

From: Matthew Vernon <matthew@debian.org>
To: Fedor Brunner <fedor.brunner@azet.sk>, 774410@bugs.debian.org
Subject: Re: Bug#774410: allow for the package-specific version banner to be suppressed for ssh client
Date: 06 Jan 2015 14:45:54 +0000
Fedor Brunner <fedor.brunner@azet.sk> writes:

> The main use case for this switch is a user who wants to protect his
> privacy and doesn't want to tell, with each SSH connection, which Debian (or
> Debian derivative) he is using.
> https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1195342/

This doesn't seem a very great benefit to me, and I'd agree with Colin
that it doesn't seem likely to be worth the extra maintenance burden
of carrying another patch vs upstream.

Regards,

Matthew 

-- 
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#774410; Package openssh-client. (Sun, 16 Aug 2015 19:51:08 GMT)


Acknowledgement sent to ambitiousjumper@sigaint.org:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 16 Aug 2015 19:51:08 GMT)


Message #27 received at 774410@bugs.debian.org:

From: ambitiousjumper@sigaint.org
To: 774410@bugs.debian.org
Subject: Re: Bug#774410: allow for the package-specific version banner to be suppressed for ssh client
Date: Sun, 16 Aug 2015 19:19:34 -0000
Broadcasting the client version is a serious privacy issue for those up
against a network-level adversary (China/Iran activists, anybody GCHQ/NSA
doesn't like). The important issue is timing correlation.

Example:

A) Activist creates anonymous website, uses SSH-over-TOR to update his
website.
B) Network-level adversary monitors network around his website, sees the
activist is using SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1.
C) Activist updates SSH through apt-get dist-upgrade using his real IP.
D) Activist updates his website using SSH-over-TOR.
E) Network-level adversary now sees he is using SSH-2.0-OpenSSH_6.0p1
Debian-4+deb7u2.
F) Network-level adversary checks their captured network data to see who
downloaded the Debian-4+deb7u2 deb from security.debian.org or other
mirrors during that time.

There are other variations that don't require the adversary to monitor the
traffic to the package mirrors. Example:

A) Activist visits state run news site using his real IP.
B) Activist uses SSH-over-TOR to write rebuttals to each news item.
C) Network-level adversary sees when he upgrades his SSH version.
D) Network-level adversary correlates that with visitors to their news
site whose User-Agent version changed around the same time (of course
limiting it to Debian users since for some reason the User-Agent strings
report that).

Even a traditional police adversary could use time correlation with no
network monitoring needed. Seize the server, seize a suspect's TAILS CD,
use /var/log/auth.log on the server to match the SSH client upgrade time
with the timestamp the TAILS CD was burned.

I'm sure there are many more, but you get the idea. Leaking any information
about the OS or package versions should always be avoided. Even if you
can't think of a scenario that would abuse it, that does not mean the scenario
doesn't exist.
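The banners in the scenarios above and the DebianBanner option from the original report both come down to the comments field of the SSH identification string. As an added illustration that is not part of this bug log or the attached patch, the Python below parses that string as RFC 4253 defines it and reports whether a banner exposes a distribution package revision, which is the check an administrator would run over captured handshakes from a fleet; the banner strings are constructed samples and the Debian/Ubuntu suffix pattern is an assumption.

```python
import re

# Constructed sample identification strings (not captured from any real host).
# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF"; the Debian
# package places its package revision in the optional comments field.
SAMPLE_BANNERS = {
    "debian_default": b"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1\r\n",
    "debian_after_upgrade": b"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2\r\n",
    "debianbanner_no": b"SSH-2.0-OpenSSH_6.7p1\r\n",
    "with_pre_banner": b"Welcome to the jump host\r\nSSH-2.0-OpenSSH_6.7p1 Debian-3\r\n",
}

IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[^-\r\n]+)-(?P<sw>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n"
)

def parse_identification(data: bytes) -> dict:
    """Split the identification string found in *data* into its three fields,
    skipping any pre-banner lines a server may send before it."""
    for raw in data.split(b"\n"):
        line = raw + b"\n"
        if not line.startswith(b"SSH-"):
            continue  # RFC 4253: lines not starting with "SSH-" are ignorable banner text
        if len(line) > 255:
            raise ValueError("identification string longer than 255 bytes")
        m = IDENT_RE.match(line)
        if m is None:
            raise ValueError("malformed identification string: %r" % line)
        comments = m.group("comments") or b""
        return {"proto": m.group("proto").decode("ascii"),
                "sw": m.group("sw").decode("ascii"),
                "comments": comments.decode("ascii")}
    raise ValueError("no identification string found")

# Assumed shape of the distribution suffix ("Debian-4+deb7u1", "Ubuntu-2ubuntu2"):
# distribution name, a dash, then a package revision starting with a digit.
DISTRO_RE = re.compile(r"^(Debian|Ubuntu)-[0-9]")

def distro_revision(banner: bytes):
    """Return the distribution package revision exposed in the comments field,
    or None when the banner carries only the upstream OpenSSH version
    (what DebianBanner no produces)."""
    comments = parse_identification(banner)["comments"]
    return comments if DISTRO_RE.match(comments) else None

def revision_changed(before: bytes, after: bytes) -> bool:
    """True when two banners from the same host expose different package
    revisions, i.e. a package upgrade visible to anyone who saw both handshakes."""
    return distro_revision(before) != distro_revision(after)
```

With DebianBanner set to no on both sides, distro_revision returns None for every handshake and revision_changed can no longer distinguish an upgrade, which is the whole point of the requested option.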






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 25 16:51:39 2023; Machine Name: buxtehude
