[Bug 2971] Prevent OpenSSH from advertising its version number

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Feb 21 09:19:51 AEDT 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=2971

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Sorry but there is zero chance we will offer this as an option. The
version number is used for a number of compatibility tweaks and bug
workarounds, so removing it would greatly hinder our ability to
interoperate and improve the protocol over time.

I'd also say that your security advice is bad: hiding the version
number doesn't prevent an attacker from attempting exploits and doesn't
even prevent the attacker from learning the version of software in use
(protocol fingerprinting).
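
The compatibility use described in the comment above, as an added example that is not part of the original message and not OpenSSH's own code: it parses the RFC 4253 identification string and looks up workaround flags for the peer's software version. The `QUIRK_*` flags, the `ExampleSSH_*` patterns and the function names are hypothetical, and the banners are constructed.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical flags and pattern table, constructed for this example. */
#define QUIRK_OLD_SIGTYPE 0x1
#define QUIRK_PAD_KEX     0x2
#define QUIRK_UNKNOWN     0x4 /* version token hidden or unrecognised */
static const struct { const char *pat; int flags; } quirks[] = {
    { "ExampleSSH_1.*",      QUIRK_OLD_SIGTYPE | QUIRK_PAD_KEX },
    { "ExampleSSH_2.[0-3]*", QUIRK_PAD_KEX },
    { "ExampleSSH_*",        0 },
};

/* Copy softwareversion out of "SSH-protoversion-softwareversion SP comments". */
int parse_banner(const char *line, char *sw, size_t swlen)
{
    const char *p;
    size_t n;
    if (strcspn(line, "\r\n") > 253)     /* 255-byte limit includes CR LF */
        return -1;
    if (strncmp(line, "SSH-2.0-", 8) == 0)
        p = line + 8;
    else if (strncmp(line, "SSH-1.99-", 9) == 0)
        p = line + 9;
    else
        return -1;                       /* not a protocol 2 SSH peer */
    n = strcspn(p, " \r\n");             /* comments start at the space */
    if (n == 0 || n >= swlen)
        return -1;
    memcpy(sw, p, n);
    sw[n] = '\0';
    return 0;
}

/* Workaround flags for a peer banner, or -1 if the banner is malformed. */
int quirks_for(const char *banner)
{
    char sw[256];
    if (parse_banner(banner, sw, sizeof sw) != 0)
        return -1;
    for (size_t i = 0; i < sizeof quirks / sizeof quirks[0]; i++)
        if (fnmatch(quirks[i].pat, sw, 0) == 0)
            return quirks[i].flags;
    return QUIRK_UNKNOWN;
}

int main(void) { /* constructed banner */
    return printf("%d\n", quirks_for("SSH-2.0-ExampleSSH_2.2 constructed\r\n")) < 0;
}
```

A peer that sends a valid banner with an uninformative software version lands in `QUIRK_UNKNOWN`, so no per-version workaround can be selected for it.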
