From sec@ice.42.org  Mon Dec  4 16:14:10 2000
Return-Path: <sec@ice.42.org>
Received: from ice.42.org (ice.42.org [194.246.250.222])
	by hub.freebsd.org (Postfix) with ESMTP id 0273D37B400
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  4 Dec 2000 16:14:10 -0800 (PST)
Received: by ice.42.org (Postfix, from userid 1000)
	id B834DF9; Tue,  5 Dec 2000 01:14:07 +0100 (CET)
Message-Id: <20001205001407.B834DF9@ice.42.org>
Date: Tue,  5 Dec 2000 01:14:07 +0100 (CET)
From: sec@ice.42.org
Reply-To: sec@ice.42.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: openssh is too verbose
X-Send-Pr-Version: 3.2

>Number:         23286
>Category:       bin
>Synopsis:       openssh is too verbose
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    green
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 04 16:20:00 PST 2000
>Closed-Date:    Mon Feb 19 13:52:55 PST 2001
>Last-Modified:  Mon Feb 19 13:55:45 PST 2001
>Originator:     Stefan `Sec` Zehl
>Release:        FreeBSD 4.1-STABLE i386
>Organization:
>Environment:

	

>Description:

The ssh binary in the FreeBSD base distribution is too verbose.
When ssh'ing to a host running an old ssh version it outputs:

| Warning: Server lies about size of server host key: actual size is 1023 bits vs. announced 1024.
| Warning: This may be due to an old implementation of ssh.

This has several problems:
- It is not possible to disable this without disabling ALL warnings.
  Disabling ALL warnings is obviously not a good idea for security-related
  products.
- It outputs this even in non-interactive mode, so I'm forced to modify
  automatic scripts to cater for this behaviour. This way the FreeBSD-4.x
  ssh is gratuitously incompatible with older versions.
- If users get exposed to meaningless warnings they quickly learn to ignore
  warnings. This is obviously a bad idea, as we want them to notice in case
  there is something we really need to warn the user about.

>How-To-Repeat:

ssh to a host with an old keysize length.

>Fix:

Cater explicitly for the 'one-bit-difference' case, and remove that now
meaningless 'This may be due to an old implementation' line.

--- /usr/src/crypto/openssh/sshconnect1.c.orig	Tue Dec  5 00:44:27 2000
+++ /usr/src/crypto/openssh/sshconnect1.c	Tue Dec  5 00:44:27 2000
@@ -744,9 +744,9 @@
 
 	rbits = BN_num_bits(host_key->n);
 	if (bits != rbits) {
+		if (rbits+1 != bits)
 		log("Warning: Server lies about size of server host key: "
 		    "actual size is %d bits vs. announced %d.", rbits, bits);
-		log("Warning: This may be due to an old implementation of ssh.");
 	}
 
 	/* Get protocol flags. */
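
Review bot: the new "if (rbits+1 != bits)" is nested without braces and the log() call it guards keeps its old indentation, so the control flow is easy to misread and a later added statement would silently fall outside the guard. Fold the test into the outer condition, "if (bits != rbits && rbits + 1 != bits)", or brace and indent the body. The exemption is also one-sided and uncommented: it silences only the case where the actual size is exactly one bit below the announced size, and a short comment saying why that case is treated as benign would make the intent reviewable. Because the same hunk deletes the "old implementation" hint, every remaining mismatch now warns with no explanation; consider keeping that line for the cases that still warn, or reporting the one-bit case at a lower log level instead of dropping it, so a key-size discrepancy on the server host key still leaves a trace.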
	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->green 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Thu Dec 7 23:41:14 PST 2000 
Responsible-Changed-Why:  

Green is Mr. ssh 

http://www.freebsd.org/cgi/query-pr.cgi?pr=23286 
State-Changed-From-To: open->closed 
State-Changed-By: green 
State-Changed-When: Mon Feb 19 13:52:55 PST 2001 
State-Changed-Why:  
This is an accurate warning, so I really think it should stay.  You're 
free to keep the change locally if it bugs you, of course, but it's 
useful to have the warning to know when we're dealing with a buggy 
server.  Thanks for submitting. 


>Unformatted:
