IETF-SSH archive


When SSH standards noncompliance is a "feature"



So RFC 4253 says:

  When the connection has been established, both sides MUST send an
  identification string.  This identification string MUST be

    SSH-protoversion-softwareversion SP { comments - optional } CR LF

However it seems like some security auditors, or more likely the security
audit tool they charge thousands of dollars to run on your behalf on your
network, has decided that this is a vulnerability, and as a result truncates
the SSH ID after the protocol version.  In other words they've come up with
the brilliant idea of modifying the SSH handshake to not implement the SSH
protocol correctly any more but still expect clients to connect to it... and
oddly enough most clients do (FileZilla was the example I was given that found
nothing wrong with this invalid SSH ID).

My suggestion was that whoever came up with standards noncompliance as a
security feature be killed and then eaten to prevent them from coming back
again as a zombie.

(Actually my first suggestion was going to be that if they're so keen to use
standards noncompliance as a security feature then why don't they invent their
own incompatible security protocol and then nothing can connect and they'll be
perfectly secure, but there's a limit to how sarcastic you can be with
clients).

Peter.



