openssh unix dev - Feb 2019 - [Bug 2971] New: Prevent OpenSSH from advertising its version number

https://bugzilla.mindrot.org/show_bug.cgi?id=2971

            Bug ID: 2971
           Summary: Prevent OpenSSH from advertising its version number
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: nagesh.k at in.abb.com

Created attachment 3244
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3244&action=edit
OpenSSH version captured from wireshark

Cyber security team has recommended to disable the OpenSSH software
version advertising when the connection has been established.

RFC 4253 Says : The software version part is used commonly for
interoperability and it is also not good idea to remove it.

OpenSSH software version advertising is part of the compiled code and
do not have configuration options to alter or suppress them.

You have to modify the below code and recompile the software. 

src/ssh/version.h

-- #define SSH_VERSION "OpenSSH_7.6"
++ #define SSH_VERSION " " // length should be > 0

It will be good if you provide that option in sshd configuration file.

Thanks & Regards,
Nagesh

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

Nagesh writes:
> Cyber security team has recommended to disable the OpenSSH software
> version advertising when the connection has been established.
With respect, your cyber security team are foolish if they think that
obscurity of version will stop any bad actors from attempting to break
into OpenSSH in any way possible. The only folks hurt by supressing the
version advertising are the other implementations of the Secure Shell.

Please DO NOT allow the supression of the OpenSSH version number.

There are too just many cases where both OpenSSH interoperating with
itself as well as other SSH implementations have needed this version
number to properly deal with bugs in the code via negitations.

This bug should be closed with WONTFIX.

       Thank you,
	-- Mark

Also, a lot of measurement/research on deployment of OpenSSH rely on
version advertising for their statistics. It's going to be harder to know
impact of deprecation of certain legacy features without statistics.

I also agree with Mark here.



On Wed, Feb 20, 2019 at 10:57 AM Mark D. Baushke <mdb at juniper.net>
wrote:
> Nagesh writes:
>
> > Cyber security team has recommended to disable the OpenSSH software
> > version advertising when the connection has been established.
>
> With respect, your cyber security team are foolish if they think that
> obscurity of version will stop any bad actors from attempting to break
> into OpenSSH in any way possible. The only folks hurt by supressing the
> version advertising are the other implementations of the Secure Shell.
>
> Please DO NOT allow the supression of the OpenSSH version number.
>
> There are too just many cases where both OpenSSH interoperating with
> itself as well as other SSH implementations have needed this version
> number to properly deal with bugs in the code via negitations.
>
> This bug should be closed with WONTFIX.
>
>        Thank you,
>         -- Mark
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

On 02/20/2019 07:51 AM, Mark D. Baushke wrote:
> There are too just many cases where both OpenSSH interoperating with
> itself as well as other SSH implementations have needed this version
> number to properly deal with bugs in the code via negitations.
FWIW, and without dismissing the possibility of fingerprinting a server
in other ways, the fact that clients that *can* pass authentication have
a need to know the server's version number (and vice versa) does not
necessarily imply that that information needs to be passed in the
*public* part of the protocol ...

Regards,
-- 
Jochen Bern
Systemingenieur

www.binect.de
www.facebook.de/binect

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4278 bytes
Desc: S/MIME Cryptographic Signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20190220/7407b087/attachment-0001.p7s>

https://bugzilla.mindrot.org/show_bug.cgi?id=2971

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Sorry but there is zero chance we will offer this as an option. The
version number is used for a number of compatibility tweaks and bug
workarounds, so removing it would greatly hinder our ability to
interoperate and improve the protocol over time.

I'd also say that your security advise is bad: hiding the version
number doesn't prevent an attacker from attempting exploits and doesn't
even prevent the attacker from learning the version of software in use
(protocol fingerprinting).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2971

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.