Re: [Bacula-users] Feature request

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

That is not a security violation if sent after authentication. I agree 
that sending version info in the clear makes it easier for an attacker 
to quickly search for machines with a vulnerable daemon, but requiring 
authentication first takes that quick search away, (sort of). He is 
still going to find the machines with an open port very quickly. 
However, now he has to either have a key or be able to break the daemon 
during authentication. If he has a key and can authenticate, then, well, 
it doesn't matter what version it is. If he has an exploit for a 
particular version(s), then he can try it without knowing the version of 
the daemon he is attacking. Sending the version info after 
authentication makes it of no use to the random remote attacker. It's 
only of use to those who see the report.

---Josh

Joshua Kugler wrote:

>On Tuesday 01 March 2005 08:53, Kern Sibbald wrote:
>  
>
>>Hello,
>>
>>We have received the following feature request to have the Clients return
>>their version to be printed in the Job report, which I think is a good idea
>>-- at least it would help with support requests.
>>
>>The problem I have with this request, and the reason I am sending this for
>>your comments, is that in general, transmitting version information is a
>>security violation. However, in this case, the information would only be
>>transmitted after authentication.
>>
>>Comments?
>>
>>Best regards, Kern
>>    
>>
>
>Well, in general I suppose it is a security violation, but someone needs to 
>tell the OpenSSH group that:
>
>[joshua@otter ~]$ telnet localhost 22
>Trying 127.0.0.1...
>Connected to ad.doubleclick.net (127.0.0.1).
>Escape character is '^]'.
>SSH-2.0-OpenSSH_3.9p1
>^]
>telnet> quit
>Connection closed.
>[joshua@otter ~]$
>
>It would help in support requests, and it would not allow any information 
>gathering as a prelude to an attack, since it would only be sent after 
>authentication.  Would this require modifications to the protocol?  I've 
>surprised it's not sent already, as it seems you would check versions to make 
>sure director/client are compatible.
>
>I think this would be a good feature since it would 1) help with support 
>requests, as was stated, and 2) lessen legwork by the admins since they 
>wouldn't have to manually check versions for all the clients.  I don't see it 
>as being a security problem since the director is already authenticated, so 
>can't be used for information gathering (unless of course someone is sniffing 
>your network, in which case you have other problems).
>
>So, in short, go for it.
>
>j----- k-----
>
>
>  
>