On Mon 2016-08-08 19:50:04 -0400, Darren Tucker wrote:
> On Tue, Aug 9, 2016 at 7:21 AM, Daniel Kahn Gillmor
> <dkg@xxxxxxxxxxxxxxxxx> wrote:
> [...]
>> That seems like a pretty clear intent. (and fwiw, i think it's the
>> right thing to do)
>
> There is the VersionAddendum sshd_config option however it prepends a
> space. Perhaps it shouldn't, and anything that actually wants the
> space can supply that itself (ie 'VersionAddendum p2' vs
> 'VersionAddendum " someotherstring"').

sounds reasonable to me.

> IMO a security tool taking the over-the-wire banner as the
> authoritative test about whether a problem does or does not exist
> isn't wise.

For defensive purposes, i agree that there are far too many ways for
this to go wrong or to be spoofed to try to rely on it.

For offensive purposes, these sorts of scans are sadly fairly effective
at turning up unpatched software.

iow, if you're looking for certainty that things are fixed, it's not
enough to be sure. But if you're looking for likely victims, it's a
handy tool. :/

--dkg
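To make the prepended-space point concrete, here is an added Python example (not code from the thread or from OpenSSH): it splits SSH identification strings into the RFC 4253 fields and models, as an assumption, how sshd joins its version string and VersionAddendum, so you can see which field a banner-only version check would end up reading.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion runs to the first space; anything after it is "comments".
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_banner(line: str) -> dict:
    """Split an SSH identification string into proto/software/comments.

    Trailing CR/LF is stripped; a malformed string raises ValueError.
    """
    line = line.rstrip("\r\n")
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments"),  # None when no comment field
    }


def banner_for(base: str, addendum: str, prepend_space: bool) -> str:
    """Model (an assumption, not sshd's code) of banner construction.

    prepend_space=True mirrors the behaviour described in the thread:
    a non-empty VersionAddendum is separated from the version by a space.
    prepend_space=False is the proposed behaviour: appended verbatim.
    """
    if addendum == "":
        return f"SSH-2.0-{base}"
    sep = " " if prepend_space else ""
    return f"SSH-2.0-{base}{sep}{addendum}"


def scanner_view(banner: str) -> str:
    """The field a banner-only version check keys on: softwareversion."""
    return parse_banner(banner)["software"]


if __name__ == "__main__":
    # Constructed inputs: the same addendum under both behaviours.
    for prepend in (True, False):
        b = banner_for("OpenSSH_7.2", "p2", prepend)
        print(f"{b!r:32} -> software={scanner_view(b)!r}")
```

With the space, "p2" lands in the comments field and the software version stays "OpenSSH_7.2"; without it, the scanner sees "OpenSSH_7.2p2", which is why the thread suggests letting the operator supply the space themselves.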
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev