Latest SSH?
Georgi Alexandrov
g.alexandrov at bgservice.net
Mon Mar 29 04:50:53 PST 2004
Matthew Seaman wrote:
>On Mon, Mar 29, 2004 at 10:32:42AM +0100, Danny Woods wrote:
>
>
>>Hi all,
>>
>>I upgraded from 5.1 to 5.2.1p3 over the weekend, and finished off with a Nessus
>>scan to check that ssh was the only port visible to the outside world. Despite
>>a recent (i.e. last Thursday) cvsup to sync the source tree, I'm getting a
>>high severity warning about a hole in SSH based on the version number reported
>>(3.6.1p1 FreeBSD-20030924). I'm using the core ssh, not the version from ports.
>>Does anyone know if this problem is real, or a false-positive?
>>
>>
>
>It's false. I assume it's complaining about the problems described in
>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:15.openssh.asc
>as that's the last OpenSSH advisory published. (Not to be confused
>with the recent OpenSSL advisory). The security patches supplied fix
>the vulnerabilities, but they generally don't do that by supplying a
>whole new version of an application. Import of new versions of such
>things as OpenSSH will only happen on one of the development branches
>-- ie. HEAD (5-CURRENT) or RELENG_4 (4.9-STABLE), so RELENG_5_2 will
>stick with OpenSSH-3.6.1p1 and you'll have to wait until RELENG_5_3 in
>order to upgrade to OpenSSH-3.8p1 (or whatever the OpenSSH version is
>by the time 5.3-RELEASE comes out).
>
>
>
>>As an aside, can sshd be prevented from reporting its version number on
>>connect, or is this something that a client-app needs to know?
>>
>>
>
>The client app needs to know the version of the SSH protocol you're
>running -- that it gets from the 'SSH-1.99' part at the beginning of
>the banner ssh emits when you connect to port 22. The rest of what's
>printed there is not so important. Apart from the 'version addendum'
>part, you'd have to hack the source code and recompile to change
>what's printed.
>
> Cheers,
>
> Matthew
>
>
>
You can also change the version sshd displays by editing carefully the
binary (vi `which sshd`) directly with a suitable editor, you can just
replace 3.6.1p1 with 3.8.1p1 there and restart sshd (killall -HUP sshd).
But my opinion is that will just give you a false state of security, as
a script kiddie could just ./run all of his exploits not looking at the
version of your sshd. A good thing is to bind sshd to a different
(higher) port like 45622 for example, which would probably avoid automatic
scans of the network... Be creative! ;-)
regards,
Georgi Alexandrov
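As an added illustration (not part of the thread), the following Python parses an SSH identification banner the way a version-matching scanner would: it splits the RFC 4253 "SSH-protoversion-softwareversion SP comments" string into its three fields and compares the OpenSSH software version numerically. The sample banners are constructed for this example, and the parser only knows about the OpenSSH naming scheme; it makes the point from the replies above concrete: the protocol version ("1.99" or "2.0") is what a client needs, the software version is a plain string, and a scanner comparing "3.6.1p1" against a fixed-in version cannot see a backported security patch, which is exactly how the false positive in the original question arises.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# The comments field is optional; on FreeBSD it carries the VersionAddendum.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)

# OpenSSH_<major>.<minor>[.<patch>][p<portable>], e.g. OpenSSH_3.6.1p1 or OpenSSH_3.8p1
_OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


@dataclass
class SshBanner:
    protoversion: str          # e.g. "1.99" or "2.0": the only part a client must understand
    softwareversion: str       # e.g. "OpenSSH_3.6.1p1": free-form, used by scanners for matching
    comments: Optional[str]    # e.g. "FreeBSD-20030924": the configurable VersionAddendum part

    def speaks_v2(self) -> bool:
        # "2.0" is protocol 2 only; "1.99" means the server accepts both 1.x and 2.0 clients.
        return self.protoversion in ("2.0", "1.99")

    def speaks_v1(self) -> bool:
        return self.protoversion.startswith("1.")


def parse_banner(line: str) -> SshBanner:
    """Split one identification line into its RFC 4253 fields."""
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return SshBanner(m.group("proto"), m.group("software"), m.group("comments"))


def openssh_version(software: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, portable) for an OpenSSH version string, else None."""
    m = _OPENSSH_RE.match(software)
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def scanner_flags_old_version(banner: SshBanner, fixed_in: str) -> bool:
    """What a banner-based scanner does: numeric compare of the advertised version
    against the version that shipped a fix. It cannot see a backported patch, so a
    patched OpenSSH_3.6.1p1 is still reported as vulnerable (a false positive)."""
    seen = openssh_version(banner.softwareversion)
    fixed = openssh_version("OpenSSH_" + fixed_in)
    if seen is None or fixed is None:
        return False  # not OpenSSH, or unparsable: nothing to compare
    return seen < fixed


if __name__ == "__main__":
    # Constructed sample banners for this example.
    freebsd = parse_banner("SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924\r\n")
    newer = parse_banner("SSH-2.0-OpenSSH_3.8p1\r\n")
    print(freebsd)
    print("v1:", freebsd.speaks_v1(), "v2:", freebsd.speaks_v2())
    # A hypothetical "fixed in 3.7.1p2" rule flags the FreeBSD box purely on the string,
    # regardless of whether the security patch was applied to the 3.6.1p1 source tree.
    print("flagged:", scanner_flags_old_version(freebsd, "3.7.1p2"))
    print("flagged:", scanner_flags_old_version(newer, "3.7.1p2"))
```

The practical consequence for the original poster is that a version-string check only tells you what the banner says, never whether the backported fix from the advisory is present; confirming the patch means checking the source tree or the security advisory's patched file versions, not the banner. The comments field is the only part that sshd lets you change from its configuration (VersionAddendum on FreeBSD); the protocol version must stay truthful or clients will refuse to negotiate.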