
Re: Bug#130876: ssh: -5 discloses too much information to an attacker, security



On Sun, Feb 10, 2002 at 02:47:11AM +0000, Lazarus Long wrote:
> As I have said in the past, this is definitely a security risk.
> There is no reason that such information should be exposed to attackers.

We may as well take down the debian.org web pages, since they expose a
wealth of information to attackers.

> 'dpkg -l ssh' provides a Debian-specific version string, and there is no
> reason this needs to be exposed to those who have no authority to access
> the system.  All I have heard from the proponents of this ridiculous
> claim is "ease" (which of course is the same argument for password-less
> root accounts, and is equally ridiculous.)

Interesting idea. Do you have scripts that will log in to a list of
machines and run dpkg -l ssh, parse the output and produce a report?

>  > I reject the security-by-obscurity claim you make - attackers don't
> 
> Again, security-by-obscurity (which you seem to be parroting from
> another misinformed individual in this thread) is properly used to
> refer to *source code* availability, for peer review within the crypto
> community, not the specifics of any given machine's implementation.
> (I refer you to my comment about "post your root password and IP address
> if you think obscurity is irrelevant.")

In <20020126063624.GA5781@buick.pennace.org>, I said: "Passwords are
successfully obscure because there are lots of them. There are not
nearly enough separate flavors of ssh to help obscurity. An attacker
could iterate through all known attacks against SSH once he has found
your machine. Hard to iterate through billions of possible passwords."

In that same message, I posted my IP address because obscuring it
would be unsuccessful. Within 24 hours of posting it, ORBZ tested my
machine. Nothing else happened.

>  > you're running, and other programs such as Apache will say that it's
>  > Debian. 
> 
> How many intended-to-be-secure machines run Apache?  Typically, a machine
> will run with sshd, and *only* sshd, listening on an outward-facing
> interface.  Consider the context in which this package is intended to be
> deployed.  (I hadn't expected to need to explain this to the maintainer
> of this particular package.)

I know plenty of "intended-to-be-secure" machines that run Apache.