Loganaden Velvindron
2019-Feb-20 07:01 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
Also, a lot of measurement/research on deployment of OpenSSH rely on version advertising for their statistics. It's going to be harder to know impact of deprecation of certain legacy features without statistics.

I also agree with Mark here.

On Wed, Feb 20, 2019 at 10:57 AM Mark D. Baushke <mdb at juniper.net> wrote:
> Nagesh writes:
>
> > Cyber security team has recommended to disable the OpenSSH software
> > version advertising when the connection has been established.
>
> With respect, your cyber security team are foolish if they think that
> obscurity of version will stop any bad actors from attempting to break
> into OpenSSH in any way possible. The only folks hurt by suppressing the
> version advertising are the other implementations of the Secure Shell.
>
> Please DO NOT allow the suppression of the OpenSSH version number.
>
> There are just too many cases where both OpenSSH interoperating with
> itself as well as other SSH implementations have needed this version
> number to properly deal with bugs in the code via negotiations.
>
> This bug should be closed with WONTFIX.
>
> Thank you,
> -- Mark
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Yegor Ievlev
2019-Feb-20 07:56 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
Another reason why this may be useful is prevention of fingerprinting of OpenSSH client by the server or an outside observer.

On Wed, Feb 20, 2019 at 10:06 AM Loganaden Velvindron <loganaden at gmail.com> wrote:
> Also, a lot of measurement/research on deployment of OpenSSH rely on
> version advertising for their statistics. It's going to be harder to know
> impact of deprecation of certain legacy features without statistics.
>
> I also agree with Mark here.
>
> On Wed, Feb 20, 2019 at 10:57 AM Mark D. Baushke <mdb at juniper.net> wrote:
>
> > Nagesh writes:
> >
> > > Cyber security team has recommended to disable the OpenSSH software
> > > version advertising when the connection has been established.
> >
> > With respect, your cyber security team are foolish if they think that
> > obscurity of version will stop any bad actors from attempting to break
> > into OpenSSH in any way possible. The only folks hurt by suppressing the
> > version advertising are the other implementations of the Secure Shell.
> >
> > Please DO NOT allow the suppression of the OpenSSH version number.
> >
> > There are just too many cases where both OpenSSH interoperating with
> > itself as well as other SSH implementations have needed this version
> > number to properly deal with bugs in the code via negotiations.
> >
> > This bug should be closed with WONTFIX.
> >
> > Thank you,
> > -- Mark
Philipp Marek
2019-Feb-20 08:08 UTC
[Bug 2971] New: Prevent OpenSSH from advertising its version number
Please, people - removing the version number will break a lot of things, as compact checks get harder or impossible. If you really care that much -- remove that string from the sources, the binary, or provide a patch that makes the string configurable via sshd_config. Thank you.
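
The version-based checks discussed in this thread, as an added example that is not part of any poster's message and is not OpenSSH's own code: a peer parses the RFC 4253 identification string (`SSH-protoversion-softwareversion SP comments`) and matches the software version against a table of known-buggy releases to pick workarounds. The `ExampleSSH_*` patterns, the `FIX_*` flags and the function names are constructed for illustration.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical workaround flags, constructed for this example. */
#define FIX_PAD_KEX     0x1u
#define FIX_OLD_SIGTYPE 0x2u

struct quirk { const char *pattern; unsigned flags; };
/* Constructed table: patterns and flags are illustrative only. */
static const struct quirk quirks[] = {
    { "ExampleSSH_1.*",      FIX_PAD_KEX },
    { "ExampleSSH_2.[0-3]*", FIX_OLD_SIGTYPE },
    { NULL, 0 }
};

/* Copy the softwareversion field of an identification line into sw.
 * Returns 0 on success, -1 if the line is not a valid identification. */
int parse_ident(const char *line, char *sw, size_t swlen)
{
    const char *p, *end;
    size_t n;

    if (strncmp(line, "SSH-", 4) != 0)
        return -1;
    p = strchr(line + 4, '-');          /* dash after protoversion */
    if (p == NULL || p == line + 4)
        return -1;
    p++;
    end = p + strcspn(p, " \r\n");      /* stop before comments or CR LF */
    n = (size_t)(end - p);
    if (n == 0 || n >= swlen)
        return -1;
    memcpy(sw, p, n);
    sw[n] = '\0';
    return 0;
}

/* Return the OR of all workaround flags whose pattern matches the peer. */
unsigned quirks_for(const char *line)
{
    char sw[256];
    unsigned flags = 0;
    if (parse_ident(line, sw, sizeof sw) != 0)
        return 0;
    for (const struct quirk *q = quirks; q->pattern != NULL; q++)
        if (fnmatch(q->pattern, sw, 0) == 0)
            flags |= q->flags;
    return flags;
}

int main(void)
{   /* A peer that hides its version matches nothing: no workaround applied. */
    printf("%#x %#x\n", quirks_for("SSH-2.0-ExampleSSH_1.4\r\n"), quirks_for("SSH-2.0-hidden\r\n"));
    return 0;
}
```

A peer whose software version is suppressed or replaced falls through the table with no flags set, which is the interoperability cost raised in the replies above.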