bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-20 02:22 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
https://bugzilla.mindrot.org/show_bug.cgi?id=2971 Bug ID: 2971 Summary: Prevent OpenSSH from advertising its version number Product: Portable OpenSSH Version: 7.6p1 Hardware: All OS: Linux Status: NEW Severity: security Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: nagesh.k at in.abb.com Created attachment 3244 --> https://bugzilla.mindrot.org/attachment.cgi?id=3244&action=edit OpenSSH version captured from wireshark Cyber security team has recommended to disable the OpenSSH software version advertising when the connection has been established. RFC 4253 Says : The software version part is used commonly for interoperability and it is also not good idea to remove it. OpenSSH software version advertising is part of the compiled code and do not have configuration options to alter or suppress them. You have to modify the below code and recompile the software. src/ssh/version.h -- #define SSH_VERSION "OpenSSH_7.6" ++ #define SSH_VERSION " " // length should be > 0 It will be good if you provide that option in sshd configuration file. Thanks & Regards, Nagesh -- You are receiving this mail because: You are watching the assignee of the bug.
Mark D. Baushke
2019-Feb-20 06:51 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
Nagesh writes:> Cyber security team has recommended to disable the OpenSSH software > version advertising when the connection has been established.With respect, your cyber security team are foolish if they think that obscurity of version will stop any bad actors from attempting to break into OpenSSH in any way possible. The only folks hurt by supressing the version advertising are the other implementations of the Secure Shell. Please DO NOT allow the supression of the OpenSSH version number. There are too just many cases where both OpenSSH interoperating with itself as well as other SSH implementations have needed this version number to properly deal with bugs in the code via negitations. This bug should be closed with WONTFIX. Thank you, -- Mark
Loganaden Velvindron
2019-Feb-20 07:01 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
Also, a lot of measurement/research on deployment of OpenSSH rely on version advertising for their statistics. It's going to be harder to know impact of deprecation of certain legacy features without statistics. I also agree with Mark here. On Wed, Feb 20, 2019 at 10:57 AM Mark D. Baushke <mdb at juniper.net> wrote:> Nagesh writes: > > > Cyber security team has recommended to disable the OpenSSH software > > version advertising when the connection has been established. > > With respect, your cyber security team are foolish if they think that > obscurity of version will stop any bad actors from attempting to break > into OpenSSH in any way possible. The only folks hurt by supressing the > version advertising are the other implementations of the Secure Shell. > > Please DO NOT allow the supression of the OpenSSH version number. > > There are too just many cases where both OpenSSH interoperating with > itself as well as other SSH implementations have needed this version > number to properly deal with bugs in the code via negitations. > > This bug should be closed with WONTFIX. > > Thank you, > -- Mark > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >
Jochen Bern
2019-Feb-20 10:59 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
On 02/20/2019 07:51 AM, Mark D. Baushke wrote:> There are too just many cases where both OpenSSH interoperating with > itself as well as other SSH implementations have needed this version > number to properly deal with bugs in the code via negitations.FWIW, and without dismissing the possibility of fingerprinting a server in other ways, the fact that clients that *can* pass authentication have a need to know the server's version number (and vice versa) does not necessarily imply that that information needs to be passed in the *public* part of the protocol ... Regards, -- Jochen Bern Systemingenieur www.binect.de www.facebook.de/binect -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4278 bytes Desc: S/MIME Cryptographic Signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20190220/7407b087/attachment-0001.p7s>
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-20 22:19 UTC
[Bug 2971] Prevent OpenSSH from advertising its version number
https://bugzilla.mindrot.org/show_bug.cgi?id=2971 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org Status|NEW |RESOLVED Resolution|--- |WONTFIX --- Comment #1 from Damien Miller <djm at mindrot.org> --- Sorry but there is zero chance we will offer this as an option. The version number is used for a number of compatibility tweaks and bug workarounds, so removing it would greatly hinder our ability to interoperate and improve the protocol over time. I'd also say that your security advise is bad: hiding the version number doesn't prevent an attacker from attempting exploits and doesn't even prevent the attacker from learning the version of software in use (protocol fingerprinting). -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:53 UTC
[Bug 2971] Prevent OpenSSH from advertising its version number
https://bugzilla.mindrot.org/show_bug.cgi?id=2971 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #2 from Damien Miller <djm at mindrot.org> --- close bugs that were resolved in OpenSSH 8.5 release cycle -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.