From: Josh F. <jf...@pv...> - 2005-03-01 20:26:17
That is not a security violation if sent after authentication. I agree that sending version info in the clear makes it easier for an attacker to quickly search for machines with a vulnerable daemon, but requiring authentication first takes that quick search away (sort of). He is still going to find the machines with an open port very quickly. However, now he has to either have a key or be able to break the daemon during authentication. If he has a key and can authenticate, then, well, it doesn't matter what version it is. If he has an exploit for a particular version(s), then he can try it without knowing the version of the daemon he is attacking.

Sending the version info after authentication makes it of no use to the random remote attacker. It's only of use to those who see the report.

---Josh

Joshua Kugler wrote:

>On Tuesday 01 March 2005 08:53, Kern Sibbald wrote:
>
>>Hello,
>>
>>We have received the following feature request to have the Clients return
>>their version to be printed in the Job report, which I think is a good idea
>>-- at least it would help with support requests.
>>
>>The problem I have with this request, and the reason I am sending this for
>>your comments, is that in general, transmitting version information is a
>>security violation. However, in this case, the information would only be
>>transmitted after authentication.
>>
>>Comments?
>>
>>Best regards, Kern
>
>Well, in general I suppose it is a security violation, but someone needs to
>tell the OpenSSH group that:
>
>[joshua@otter ~]$ telnet localhost 22
>Trying 127.0.0.1...
>Connected to ad.doubleclick.net (127.0.0.1).
>Escape character is '^]'.
>SSH-2.0-OpenSSH_3.9p1
>^]
>telnet> quit
>Connection closed.
>[joshua@otter ~]$
>
>It would help in support requests, and it would not allow any information
>gathering as a prelude to an attack, since it would only be sent after
>authentication. Would this require modifications to the protocol? I'm
>surprised it's not sent already, as it seems you would check versions to make
>sure director/client are compatible.
>
>I think this would be a good feature since it would 1) help with support
>requests, as was stated, and 2) lessen legwork by the admins since they
>wouldn't have to manually check versions for all the clients. I don't see it
>as being a security problem since the director is already authenticated, so
>can't be used for information gathering (unless of course someone is sniffing
>your network, in which case you have other problems).
>
>So, in short, go for it.
>
>j----- k-----
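
The ordering discussed in this thread (authenticate first, report the version afterwards), as an added example that is not part of the original messages and is not the project's own code. It assumes an HMAC-SHA256 challenge-response over a shared key; the message strings, function names, key and version placeholder are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder, not a real release string.
DAEMON_VERSION = "example-daemon 0.0.0"

def make_challenge() -> bytes:
    """Fresh random nonce per connection, so an old response cannot be replayed."""
    return secrets.token_bytes(16)

def greeting(challenge: bytes) -> str:
    """Pre-authentication greeting: the nonce only, no version banner."""
    return "HELLO challenge=" + challenge.hex()

def client_response(shared_key: bytes, challenge: bytes) -> bytes:
    """What an authorized peer sends back: HMAC of the nonce under the shared key."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()

def daemon_reply(shared_key: bytes, challenge: bytes, response: bytes) -> str:
    """Daemon side: disclose the version only after the peer proves it holds the key."""
    expected = hmac.new(shared_key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        # Identical text for every failure, so a scan learns nothing about the build.
        return "AUTH FAILED"
    return "AUTH OK version=" + DAEMON_VERSION

if __name__ == "__main__":
    key = b"constructed-shared-secret"   # sample key for the demo only
    nonce = make_challenge()
    print(greeting(nonce))                                        # what a port scan sees
    print(daemon_reply(key, nonce, client_response(key, nonce)))  # authenticated peer
    print(daemon_reply(key, nonce, b"\x00" * 32))                 # peer without the key
```

The version string travels in the clear here once authentication succeeds, which matches the sniffing caveat raised in the quoted reply.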