Hi,

We found that the OpenSSH server code sends its version string as "SSH-1.5_OpenSSH_3.5" to the client during the initial phases of connection establishment. Furthermore, some clients, like the telnet client, display this version string on error. For example, if we typed "Telnet host <> port 22" on a Solaris workstation, where the host is a machine which is running the OpenSSH3.5 ssh server, then we get the following version string displayed on the console by the telnet client: "SSH-1.5_OpenSSH_3.5"

We don't desire to expose this version string, or at least the "OpenSSH_3.5" part of the version string, to any client. We see this as a potential security risk. Someone who comes to know the OpenSSH version that we use might try to use that to his/her advantage to break the security.

But the OpenSSH code seems to rely upon this version string. Besides, removing the "OpenSSH_3.5" from the version string in the server code seems to cause connectivity problems to certain clients, like ssh communication for protocol 2.

Is there a way out if we desire not to send the OpenSSH_3.5 version to the client in the server code?

Any pointers will be greatly appreciated.

thanks
Gowri
M.B.Gowrishankar wrote:
> Hi,
>
> We found that the OpenSSH server code sends its version string as
> "SSH-1.5_OpenSSH_3.5" to the client during the initial phases of
> connection establishment. Furthermore, some clients, like the telnet client,
> display this version string on error. For example, if we typed
> "Telnet host <> port 22" on a Solaris workstation, where the host is a
> machine which is running the OpenSSH3.5 ssh server, then we get the
> following version string displayed on the console by the telnet client:
> "SSH-1.5_OpenSSH_3.5"
>
> We don't desire to expose this version string, or at least the
> "OpenSSH_3.5" part of the version string, to any client. We see this as a
> potential security risk. Someone who comes to know the OpenSSH version
> that we use might try to use that to his/her advantage to break the
> security.

Please read the mailing list archives, where this has been covered again and again and again. Short answer: the version string stays.

-d