On 03.03.21 20:47, Stef Bon wrote:
> On Mon, 22 Feb 2021 at 10:56, Jochen Bern <Jochen.Bern@xxxxxxxxx> wrote:
>> My - admittedly first ever - thoughts on that:
>> -- Doesn't OpenSSH already parse the peer's Hello String for that
>> purpose?
>
> No, as I know it that is only the software and version, not the OS.

Well, yes, because to "meet the peer's flaws and maybe bugs", as you put
it, ssh and sshd would need to be able to *do something about them*, and
what these pieces of software do is to handle the SSH protocol, not to
(random example) second-guess what the behavior of the peer's OS is WRT
reassembly of overlapping TCP fragments. Or am I just not thinking of
the same sort of "purely OS-level flaws and bugs" as you are?

>> -- osf can also differ from defaults (own fingerprint files being
>> loaded, --ttl param etc.)
>
> Huh, what do you mean, Jochen? You know something about this software?

I had a look at my local iptables-extensions manpage, which offers me
three different --ttl levels to modify osf's behavior and strongly
suggests that I am to specify rules in terms of "genres" and other terms
*derived* from the actual fingerprint as per the local fingerprints
file. (I.e., when you look at a fingerprint in that file like:

> 32696:128:0:40:M1460: Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine

then the strictly formatted *left* hand side corresponds to the actual
test result but the *right* hand side is what I can have the iptables
rules match; have someone edit the fingerprint file to introduce an
earlier match named "MumbleFoo stupid middleboxes" and you'll never see
a "Spirent" reported again.)

By the way, you might want to look at the upstream maintainers' CVS log
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
for some choice comments, like with release 1.25. :-3

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
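The left-hand/right-hand split that the message above describes can be made concrete with a small matcher. The following is an added illustration, not code from OpenSSH, pf or the xt_osf iptables module: it parses pf.os-style fingerprint lines (assumed field layout window:ttl:df:psize:opts:class:version:subtype:details, with the p0f-derived window modifiers `*`, `%N`, `SN` and `TN`), compares a captured SYN against the left-hand fields only, and returns the first line that matches. The fingerprint file contents and the SYN values below are constructed for the demonstration; the TTL handling (accept an observed TTL at or below the fingerprint's initial TTL, or skip the comparison) is a simplified stand-in for the --ttl levels, not the module's exact logic.

```python
"""Toy first-match passive OS fingerprinter over pf.os-style lines (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fingerprint:
    window: str    # exact value, "*", "%N" (multiple of N), "SN" (N x MSS) or "TN" (N x MTU)
    ttl: int       # initial IP TTL the sender is expected to use
    df: int        # IP don't-fragment bit
    psize: int     # total size of the SYN packet
    opts: str      # TCP option layout, e.g. "M1460" or "M*,S,T,N,W0"
    cls: str       # right-hand side: the labels rules are written against
    version: str
    subtype: str
    details: str


@dataclass(frozen=True)
class Syn:
    window: int
    ttl: int
    df: int
    psize: int
    opts: str


def parse_pf_os(text: str) -> List[Fingerprint]:
    """Parse pf.os-style lines; '#' starts a comment, blank lines are skipped."""
    fps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 8)]   # details may itself contain ':'
        if len(parts) != 9:
            raise ValueError(f"malformed fingerprint line: {raw!r}")
        w, ttl, df, ps, opts, cls, ver, sub, det = parts
        fps.append(Fingerprint(w, int(ttl), int(df), int(ps), opts, cls, ver, sub, det))
    return fps


def _mss(opts: str) -> Optional[int]:
    for tok in opts.split(","):
        if tok.startswith("M") and tok[1:].isdigit():
            return int(tok[1:])
    return None


def _window_ok(pattern: str, syn: Syn) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("%"):
        return syn.window % int(pattern[1:]) == 0
    if pattern[0] in "ST":                       # N times MSS, or N times MTU (MSS + 40)
        mss = _mss(syn.opts)
        if mss is None:
            return False
        unit = mss if pattern[0] == "S" else mss + 40
        return syn.window == unit * int(pattern[1:])
    return syn.window == int(pattern)


def _opts_ok(pattern: str, observed: str) -> bool:
    pt, ot = pattern.split(","), observed.split(",")
    if len(pt) != len(ot):
        return False
    for p, o in zip(pt, ot):
        if p.endswith("*"):                      # "M*", "W*": option present, any value
            if not o.startswith(p[:-1]):
                return False
        elif p != o:
            return False
    return True


def match(fps: List[Fingerprint], syn: Syn, ttl_check: bool = True) -> Optional[Fingerprint]:
    """Return the FIRST fingerprint whose left-hand fields fit the SYN (order in the file decides)."""
    for fp in fps:
        if fp.df != syn.df or fp.psize != syn.psize:
            continue
        if ttl_check and not (0 < syn.ttl <= fp.ttl):   # observed TTL decremented per hop
            continue
        if not _window_ok(fp.window, syn) or not _opts_ok(fp.opts, syn.opts):
            continue
        return fp
    return None


# Constructed fingerprint data for the demonstration (not the real pf.os file).
ORIGINAL_DB = """
# window:ttl:df:psize:opts:class:version:subtype:details
S4:64:1:60:M*,S,T,N,W0:     Linux:2.4::Linux 2.4
32696:128:0:40:M1460:       Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine
"""

# Same left-hand side as the Spirent line, inserted earlier with a different label.
EDITED_DB = """
32696:128:0:40:M1460:       MumbleFoo:::MumbleFoo stupid middleboxes
""" + ORIGINAL_DB

AVALANCHE_SYN = Syn(window=32696, ttl=120, df=0, psize=40, opts="M1460")       # 8 hops away
LINUX_SYN = Syn(window=5840, ttl=61, df=1, psize=60, opts="M1460,S,T,N,W0")    # 4 x MSS


def genre(db_text: str, syn: Syn) -> Optional[str]:
    fp = match(parse_pf_os(db_text), syn)
    return None if fp is None else fp.cls


if __name__ == "__main__":
    print("original file:", genre(ORIGINAL_DB, AVALANCHE_SYN))
    print("edited file:  ", genre(EDITED_DB, AVALANCHE_SYN))
```

With the unmodified file the Avalanche SYN reports as "Spirent"; with the extra line in front it reports as "MumbleFoo" although nothing on the wire changed, which is the point of the remark above: an iptables rule written as `-m osf --genre Spirent` matches a label that exists only in the fingerprint file, so whoever controls that file controls what the rule fires on.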
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev