ssh(d) identification string in portable (clarification)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Aug 9 09:56:46 AEST 2016


On Mon 2016-08-08 19:50:04 -0400, Darren Tucker wrote:
> On Tue, Aug 9, 2016 at 7:21 AM, Daniel Kahn Gillmor
> <dkg at fifthhorseman.net> wrote:
> [...]
>> That seems like a pretty clear intent.  (and fwiw, i think it's the
>> right thing to do)
>
> There is the VersionAddendum sshd_config option however it prepends a
> space.  Perhaps it shouldn't, and anything that actually wants the
> space can supply that itself (ie 'VersionAddendum p2' vs
> 'VersionAddendum
> " someotherstring"').

sounds reasonable to me.

> IMO a security tool taking the over-the-wire banner as the
> authoritative test about whether a problem does or does not exist
> isn't wise.

For defensive purposes, i agree that there are far too many ways for
this to go wrong or to be spoofed to try to rely on it.  For offensive
purposes, these sorts of scans are sadly fairly effective at turning up
unpatched software.  iow, if you're looking for certainty that things
are fixed, it's not enough to be sure.  But if you're looking for likely
victims, it's a handy tool. :/

          --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160808/8fd939e7/attachment.bin>


More information about the openssh-unix-dev mailing list