Mailing List Archive

Doing something with OS fingerprint?
Hi,

in the iptables subsystem of Linux it's possible to get the
fingerprint of the peer OS.
See:

man iptables-extensions
under osf

If this information is available it's possible to adjust behaviour (a
little) to meet the peer's flaws and maybe bugs. Have you ever thought
about that?

Stef
the Netherlands
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Doing something with OS fingerprint?
On Sun, 21 Feb 2021 at 16:45, Stef Bon <stefbon@gmail.com> wrote:
> If this information is available it's possible to adjust behaviour (a
> little) to meet the peer's flaws and maybe bugs. Have you ever thought
> about that?

a) that's quite platform specific and b) even if you got the
information I doubt it would be of use. The operating system is at
best a weak indicator of what the peer SSH implementation is, and the
implementations are where the bugs/flaws you would potentially want to
work around are.

Multiple SSH implementations run on Linux. Dropbear has been ported
to many of the same platforms as OpenSSH and often the choice is up to
each individual user. PuTTY is probably the most popular SSH client
implementation on Windows, but OpenSSH has also been ported to Windows
multiple times in multiple ways; by the same token PuTTY has been
ported to many Unix variants including Linux.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Doing something with OS fingerprint?
On 2021/02/21 06:37, Stef Bon wrote:
> Hi,
>
> in the iptables subsystem of Linux it's possible to get the
> fingerprint of the peer OS.
> See:
>
> man iptables-extensions
> under osf
>
> If this information is available it's possible to adjust behaviour (a
> little) to meet the peer's flaws and maybe bugs. Have you ever thought
> about that?
>
> Stef
> the Netherlands

If you want to make use of this information, you can redirect to different
ports depending on the OS type, and run multiple sshd instances with
different configuration. I can't really think of anything you might want
to do with it though (other than outright blocking access from unwanted
/ unexpected OS).
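The "redirect by OS type to another port, run a second sshd" idea above, as an added example that is not code from the thread, from iptables or from OpenSSH. It only prints the commands and the second instance's config unless APPLY=1 is set. Everything host-specific is an assumption for illustration: iptables with the osf match and the nfnl_osf loader are installed, the fingerprint file lives at /usr/share/xtables/pf.os (the path the iptables-extensions man page uses), and the second instance runs from the hypothetical /etc/ssh/sshd_config.alt on port 2222.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: generate the iptables/osf
# rules and the second sshd config for "redirect by OS genre to another port".
# Assumed (hypothetical values, adjust for your host): iptables with the osf match
# and nfnl_osf are installed, the fingerprint file is /usr/share/xtables/pf.os,
# and the second sshd runs from /etc/ssh/sshd_config.alt on port 2222.
PF_OS=${PF_OS:-/usr/share/xtables/pf.os}
ALT_PORT=${ALT_PORT:-2222}
ALT_CONF=${ALT_CONF:-/etc/ssh/sshd_config.alt}

# Print (do not run) the firewall commands for one genre.
#  - osf only inspects the SYN, so the decision is made once per connection;
#    nat/PREROUTING sees exactly that packet, which is why REDIRECT works here.
#  - --ttl 1 tolerates a TTL decremented by routers; --ttl 0 is for the LAN only.
#  - --log 2 writes every known matching genre to the kernel log, useful when tuning.
osf_rules() {
    genre=$1
    cat <<EOF
nfnl_osf -f $PF_OS
iptables -t nat -A PREROUTING -p tcp --dport 22 --syn -m osf --genre "$genre" --ttl 1 --log 2 -j REDIRECT --to-ports $ALT_PORT
iptables -A INPUT -p tcp --dport $ALT_PORT --syn -j ACCEPT
EOF
}

# Minimal config for the second sshd; the per-OS differences go in here.
alt_sshd_config() {
    cat <<EOF
Port $ALT_PORT
PidFile /run/sshd-alt.pid
LogLevel VERBOSE
EOF
}

# Command that starts the second instance (printed, like the rules).
alt_sshd_start() {
    echo "sshd -f $ALT_CONF"
}

# Usage: ./osf-split.sh [genre]  prints everything; APPLY=1 ./osf-split.sh [genre] runs it as root.
if [ "${APPLY:-0}" = 1 ]; then
    osf_rules "${1:-Windows}" | sh
    alt_sshd_config > "$ALT_CONF"
    alt_sshd_start | sh
else
    osf_rules "${1:-Windows}"
    alt_sshd_start
fi
```

The match is made on fields of the peer's SYN (window, TTL, DF, options), all of which the peer controls, so which instance a client lands on is a hint, not an access-control decision; the one use the poster names, blocking an unexpected OS outright, should be read with that in mind.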
Re: Doing something with OS fingerprint?
On 21.02.21 06:37, Stef Bon wrote:
> Hi,
>
> in the iptables subsystem of Linux it's possible to get the
> fingerprint of the peer OS.
> See:
>
> man iptables-extensions
> under osf
>
> If this information is available it's possible to adjust behaviour (a
> little) to meet the peer's flaws and maybe bugs. Have you ever thought
> about that?

My - admittedly first ever - thoughts on that:

-- Doesn't OpenSSH already parse the peer's Hello String for that
purpose?
-- (The possibility of SSH software other than the OS default being
installed has already been mentioned)
-- osf can also differ from defaults (own fingerprint files being
loaded, --ttl param etc.)
-- Just because the kernel('s iptables implementation) has that info
doesn't mean that ssh(d) can easily get it
-- Not to forget non-Linux systems ...

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Re: Doing something with OS fingerprint?
On Mon, 22 Feb 2021 at 10:56, Jochen Bern <Jochen.Bern@binect.de> wrote:
>
> My - admittedly first ever - thoughts on that:
>
> -- Doesn't OpenSSH already parse the peer's Hello String for that
> purpose?
No, as far as I know that is only the software and version, not the OS.

> -- (The possibility of SSH software other than the OS default being
> installed has already been mentioned)
> -- osf can also differ from defaults (own fingerprint files being
> loaded, --ttl param etc.)
Huh, what do you mean, Jochen? Do you know something about this software?

> -- Just because the kernel('s iptables implementation) has that info
> doesn't mean that ssh(d) can easily get it
No, but the creators/maintainers of the osf submodule of iptables
probably had other uses in mind than only logging... So something like
netlink? Not easy indeed.

> -- Not to forget non-Linux systems ...

Yes. It only works with iptables being present, as far as I can see.
Thanks for your thoughts.

Stef Bon
Re: Doing something with OS fingerprint?
On 03.03.21 20:47, Stef Bon wrote:
> On Mon, 22 Feb 2021 at 10:56, Jochen Bern <Jochen.Bern@binect.de> wrote:
>> My - admittedly first ever - thoughts on that:
>> -- Doesn't OpenSSH already parse the peer's Hello String for that
>> purpose?
> No, as far as I know that is only the software and version, not the OS.

Well, yes, because to "meet the peer's flaws and maybe bugs", as you put
it, ssh and sshd would need to be able to *do something about them*, and
what these pieces of software do is to handle the SSH protocol, not to
(random example) second-guess what the behavior of the peer's OS is WRT
reassembly of overlapping TCP fragments.

Or am I just not thinking of the same sort of "purely OS-level flaws and
bugs" as you are?

>> -- osf can also differ from defaults (own fingerprint files being
>> loaded, --ttl param etc.)
>
> Huh what do you mean Jochen? You know something about this software?

I had a look at my local iptables-extensions manpage, which offers me
three different --ttl levels to modify osf's behavior and strongly
suggests that I am to specify rules in terms of "genres" and other terms
*derived* from the actual fingerprint as per the local fingerprints file.

(I.e., when you look at a fingerprint in that file like:

> 32696:128:0:40:M1460: Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine

then the strictly formatted *left* hand side corresponds to the actual
test result but the *right* hand side is what I can have the iptables
rules match; have someone edit the fingerprint file to introduce an
earlier match named "MumbleFoo stupid middleboxes" and you'll never see
a "Spirent" reported again.)

By the way, you might want to look at the upstream maintainers' CVS log

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os

for some choice comments, like with release 1.25. :-3

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
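Jochen's point about the fingerprint file, as an added example that is not code from the thread, from iptables or from OpenBSD's pf: a small Python parser for pf.os-style lines and a first-match lookup over them. It shows that the strictly formatted left-hand side is what gets compared against the SYN, that the right-hand label is all a rule can match on, that an earlier entry with the same left-hand side shadows the later one (the "MumbleFoo" line is a constructed duplicate placed before the Spirent line quoted above), and how the three --ttl levels from the man page change the outcome. The function names, the sample file and the simplified matching (no S4/T4/%64 window forms, only the bare "M*" option wildcard) are assumptions made for this example, not the kernel's osf implementation.

```python
"""Added example (not from the thread): parse pf.os-style fingerprint lines and
resolve a SYN against them by first match, the way osf reports a genre.

Line format: window:ttl:df:size:options: genre:version:subtype:details
Only the left-hand fields are compared with the SYN; the right-hand side is
the label that iptables -m osf --genre matches on. Simplified relative to the
kernel matcher: window forms like S4/T4/%64 and option wildcards other than a
bare "M*" are not handled. The sample file below is constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Signature:
    window: str    # TCP window size, or "*" for any
    ttl: int       # initial TTL the sending OS is assumed to use
    df: int        # don't-fragment bit of the SYN
    size: int      # total length of the SYN packet
    options: str   # TCP options in order, e.g. "M1460,S,T,N,W7"
    genre: str     # what iptables -m osf --genre matches on
    version: str
    subtype: str
    details: str


def parse_pf_os(text: str) -> List[Signature]:
    """Parse fingerprint lines; '#' comments and blank lines are skipped."""
    sigs: List[Signature] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 5)
        if len(fields) != 6:
            raise ValueError(f"malformed fingerprint line: {raw!r}")
        window, ttl, df, size, options, rhs = fields
        # Right-hand side is genre:version:subtype:details; details may contain ':'.
        label = [p.strip() for p in rhs.split(":", 3)]
        label += [""] * (4 - len(label))
        sigs.append(Signature(window.strip(), int(ttl), int(df), int(size),
                              options.strip(), *label))
    return sigs


def _ttl_ok(sig_ttl: int, seen_ttl: int, level: int) -> bool:
    """Mirror the three --ttl levels of the osf match."""
    if level == 0:           # LAN: TTL must equal the fingerprint's initial TTL
        return seen_ttl == sig_ttl
    if level == 1:           # routed peers: TTL may have been decremented by hops
        return seen_ttl <= sig_ttl
    return True              # level 2: do not compare the TTL at all


def _options_ok(want: str, have: str) -> bool:
    """Options must appear in the same order; "M*" accepts any MSS value."""
    w = want.split(",") if want else []
    h = have.split(",") if have else []
    if len(w) != len(h):
        return False
    for a, b in zip(w, h):
        if a.endswith("*"):
            if not b.startswith(a[:-1]):
                return False
        elif a != b:
            return False
    return True


def match_syn(sigs: List[Signature], window: int, ttl: int, df: int, size: int,
              options: str, ttl_level: int = 0) -> Optional[Signature]:
    """Return the FIRST signature whose left-hand side matches the observed SYN."""
    for s in sigs:
        if s.window not in ("*", str(window)):
            continue
        if s.df != df or s.size != size:
            continue
        if not _ttl_ok(s.ttl, ttl, ttl_level):
            continue
        if not _options_ok(s.options, options):
            continue
        return s
    return None


# Constructed sample in pf.os format (not the real file); the Spirent line is the
# one quoted in the thread, the line before it is a deliberate duplicate.
SAMPLE_PF_OS = """\
# window:ttl:df:size:options: genre:version:subtype:details
32696:128:0:40:M1460: MumbleFoo:stupid:middleboxes:constructed entry that shadows the next line
32696:128:0:40:M1460: Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine
65535:64:1:60:M*,S,T,N,W7: Linux:2.6::constructed Linux-like entry
"""


if __name__ == "__main__":
    sigs = parse_pf_os(SAMPLE_PF_OS)
    hit = match_syn(sigs, 32696, 128, 0, 40, "M1460")
    print(hit.genre if hit else "unknown")   # the earlier duplicate wins, not Spirent
```

Running it prints "MumbleFoo": the Spirent entry is never reached once an earlier line carries the same left-hand side, which is the editing hazard Jochen describes. The TTL level matters as much: a routed peer whose SYN arrives with TTL 61 matches the constructed Linux entry only at --ttl 1 or 2, never at the LAN-only level 0.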