Bug 120285 - RHEL3 U4: Modify OpenSSH Server to (optionally) respond with patch level
RHEL3 U4: Modify OpenSSH Server to (optionally) respond with patch level
Product: Feature Tracker
Classification: Retired
Component: RHEL3_U4 (Show other bugs)
All Linux
high Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
IT_30618, IT_48092
Depends On:
Blocks: 132644
  Show dependency treegraph
Reported: 2004-04-07 11:50 EDT by Frank Hirtz
Modified: 2008-08-25 12:25 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-12-20 20:30:40 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch and spec file for change. (12.06 KB, application/octet-stream)
2004-04-07 11:52 EDT, Frank Hirtz
no flags Details

  None (edit)
Description Frank Hirtz 2004-04-07 11:50:09 EDT
<from client>
When audit scans boxes on our net, a ssh header gets returned with
SSH-1.99-OpenSSH_3.6.1p2 but needs to respond with SSH-1.99-OpenSSH_3.6.1p2-18
so that we don't have to manually look at every box each time to ensure compliance.



External links:

Priority (H,M,L):
M --with patch

Target Releases:
RHEL 2.1 U5, RHEL 3 U3

Target Release Date:
None specific

Drivers or hardware dependency:
Target Kernel:
Comment 2 Frank Hirtz 2004-04-07 11:52:38 EDT
Created attachment 99195 [details]
Patch and spec file for change.

Patch and spec file for change.
Comment 5 Mark J. Cox (Product Security) 2004-04-21 11:08:53 EDT
A version string of "SSH-1.99-OpenSSH_3.6.1p2-18" doesn't help you audit systems
across a hetrogeneous network - it only helps you if you know that you're
running patch level 18 on Red Hat Enterprise Linux 3 system.  So the patch would
need to include a Red Hat specific identifier, also tied to the product.   The
server would need to return something like "SSH-1.99-OpenSSH_3.6.1p2-rhel3-pl18"
in order for a remote scanner to be able to make a judgement based solely on the
version string of what backported security fixes were included.  
Comment 12 Robert Perkins 2004-05-12 16:03:38 EDT
Changing the summary to reflect we won't add this to 2.1.  Please open a new FZ
for RHEL4.
Comment 17 Robert Perkins 2004-08-06 15:05:53 EDT
But the patch in question did not report the upstream equivalent version, it was
a change that allowed (as an optional configuration) the openssh server to
report the Red Hat *release* version.

If openssh is configured using this optional flag, instead of returning
SSH-1.99-OpenSSH_3.6.1p2 when connected to, it would return
SSH-1.99-OpenSSH_3.6.1p2-33.30.1 and 33.30.1 is the RH release number, which
would be derived automatically during the build process. Looking up what 33.30.1
"means" WRT security patches would still be done the same way as before.

So, in essence this is *not* a request for OpenSSH to report "the upstream
equivalent," which appears to be the concept that was rejected. Rather, it is a
way of reporting the installed RH package version so that Red Hat will fit
seamlessly into BoA's environment/auditing scheme.

Here is the way things would work for BoA if the patch as submitted were

With this patch, BoA can tell the auditor:

"All machines that report SSH-1.99-OpenSSH_3.6.1p2-33.30.1 upon a connection to
port 22 are in compliance."

Here is how things work now. The auditor does the scan and then has to ask the

"All machines are reporting SSH-1.99-OpenSSH_3.6.1p2, what version of SSH is
actually installed on each system?"

Then an employee at BoA has to look up each host and provide a report to the
auditor for each machine showing it has the proper patch level. This takes time
and therefore costs them money for something they only see on Red Hat and which
is caused solely because of our packaging decision.

Since the auditors are not allowed access the boxes, solutions like Oval (a
project which seems stalled) or Tenable Security's  Nessus plugin
(http://www.tenablesecurity.com/pr16.html) are not going to work for them (both
of these solutions are intrusive, developmentally immature, and would require
their auditor to change the way they do business).

All they want is for Red Hat to integrate into their environment just like other
OSs do. So far, we are the only vendor they have run into this problem with and
form their perspective, we refuse to address their concern.

The fact is, this patch has little impact on Red Hat, but fixes a big issue for
a major customer (and possibly future customers).

As for the slippery slope argument, I don't think this is the case here. OpenSSH
is unique in that you cannot adjust the banner string reported when a connection
is opened to the server. Other services provide greater flexibility here; for
almost every service I can think of, I can come up with a work around regarding
banner strings.

For OpenSSH the two primary options are:

1> Report the equivalent upstream version (which seems to be the idea actually
rejected in the original feature request).
2> The proposed patch to (optionally) report the RH patch level.

Realistically we do not track upstream completely, so reporting equivalent
upstream version can lead to more problems and confusion. So I understand why
this concept was rejected.

Adding Red Hat release version to the version string is enough to provide
information for customers like BoA. It provides enough information for their
auditor to figure out what security patch level is present on systems being
scanned. So in that sense this patch works to remedy a problem we created.

As for the argument that this is not upstream, well this patch is not required
upstream because the version string is correct in the upstream version.

So, if the filtering question (as Christian suggests) is:

"[Have] we have broken something that was working before, save for our decision
to use backporting?"

The answer is yes.

So this patch would provide an option to offset the change in functionality we
"broke" through our packaging choice with little effort on Red Hat's part.

One final point, from BoA's perspective the current man-hour investment
necessary to clear machines that are deemed out of compliance by their auditor
cannot continue.

If we do not provide them with a solution to the server string issue, then they
will not use our version of OpenSSH and switch instead to a commercial product
called FSecure, and when any peers i the industry asks them why they made this
choice, they will not be telling them how great Red Hat is.

Thanks for your consideration in this matter.

Comment 19 Mark J. Cox (Product Security) 2004-08-09 10:24:16 EDT
But does this really only affect their use of OpenSSH?  I'd have thought if
their auditor is basing security decisions based on returned versions strings
that they'd also be having a problem with sendmail, Apache, mod_ssl, PHP,... and
so on? 

The auditor could solve this and simply insist on having the output of their
remote connection tool along with a locally generated "rpm -qa" list - that
would seem to me to be much more useful as they could then check to make sure
security issues in the underlying libraries and other services have been
addressed.  Example:

What if a flaw in the OpenSSL crypto library was found that could be exploited
via OpenSSH?  We'd fix the OpenSSL shared library but we wouldn't do an update
of OpenSSH.  OpenSSH *even with the proposed patch* would give no information to
help an auditor decide if it was remotely vulnerable to that issue, or not.  It
doesn't matter if the patch reports some upstream patch number or a Red Hat
revision number.  A local 'rpm -qa' list would help.
Comment 20 Marty Wesley 2004-08-09 18:57:48 EDT
Mark, I don't think the discussion is whether the customer is doing a full
security audit of the system.  For that matter, the SSH string doesn't tell the
customer whether there is a remote root exploit in the kernel.  The point is
that they have an established automated process for checking SSH version strings
remotely to verify a specific patch level and they can't do this with the way we
report version numbers today.  However, they can with the version numbers
reported by the upstream packages.  So there's no question that this isn't going
to be the complete security blanket for their systems, but it's something that
is needed by their security audit process.

And in reality, they don't need any specific version number, upstream or ours. 
All they need is a unique identifier for each SSH package that we build that
they can tie back to the actual binary.

And to ease the pain of carry a patch upstream, how about we just make the
following change to just the spec file?  The patch provided previously was coded
such that people who didn't want to see the extra information wouldn't.  The
change to the spec file below will mean there's no Red Hat only patch to carry:

mv version.h upstream_version.h
cat upstream_version.h | grep -v SSH_VERSION > version.h
echo "#define SSH_VERSION \""%{version}-%{release}"\"" >> version.h
Comment 21 Mark J. Cox (Product Security) 2004-08-10 03:57:32 EDT
That patch wouldn't work as it stands, many SSH clients rely on this version
string sent from the server in order to work around specific bugs - it would
have to be appended.  You'd also have to append something to explain the
distribution in use (or the auditor couldn't make a simple numerical comparison
from a range of vulnerable versions).

> they have an established automated process for checking SSH version strings
> remotely

Then their process is flawed - that process does nothing to help the auditor
determine if OpenSSH is or is not vulnerable to a given flaw that could affect
OpenSSH.  Could someone talk to BoA about the specific example of the library
issue in my previous comment and see what they say?  

(I've no objection from a security point of view to us adding optional
versioning information to the end of the SSH version strings, but at the moment
this seems like only benefit to one customer whose requirement is based on a
process that is flawed.)
Comment 22 Marty Wesley 2004-08-10 14:04:47 EDT
Customer has been told that Red Hat will not be changing this.
Comment 29 John Flanagan 2004-12-20 20:30:40 EST
An advisory has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.