Re: When SSH standards noncompliance is a "feature"

[Mouse <mouse%Rodents-Montreal.ORG@localhost>]

> [...ssh banner...]

> However it seems like some security auditors, or more likely the
> security audit tool they charge thousands of dollars to run on your
> behalf on your network, has decided that this is a vulnerability, and
> as a result truncate the SSH ID after the protocol version.

Hmm?  This sounds as though you start off talking about an auditing
tool and then end up talking about some kind of live traffic filtering
tool.

> In other words they've come up with the brilliant idea of modifying
> the SSH handshake to not implement the SSH protocol correctly any
> more but still expect clients to connect to it... and oddly enough
> most clients do (Filezilla was the example I was given that found
> nothing wrong with this invalid SSH ID).

Brilliant, indeed.  (Heavy sarcasm there, for those to whom it's not
obvious.)

I'm going to make moussh clearly diagnose such invalidity as such.
I'll have to look to see whether it catches it at all at the moment; I
may have been lazy when writing the banner parser code.

For that matter, github(!) has dropped support for the mandatory kex
methods.  Apparently they too consider breaking interoperability to be
a feature.

Imminent balkanization of the net predicted - film at 11. :-/

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B