[Bug 3862] Hide ssh(d) version
    bugzilla-daemon at mindrot.org 
    Tue Sep  9 14:22:17 AEST 2025
    
    
  
https://bugzilla.mindrot.org/show_bug.cgi?id=3862
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
As Darren said, the version string is an important compatibility
mechanism.
Conversely, hiding the version string provides no security benefit.
Attackers can fingerprint implementations quite easily and attempt
attacks blindly where they can't determine the peer's version. The
effect is the same.
Hiding the version is likely to be a security *cost* as it makes
finding outdated versions in one's own infrastructure significantly
more difficult.
For these reasons we won't be implementing this.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
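
An added example, not part of the original message and not OpenSSH code: one way to use the identification string for the inventory task the comment mentions. It parses banners already collected from one's own hosts (format per RFC 4253 section 4.2) and flags versions below a policy floor. The host names, banner lines and the `MINIMUM` floor are constructed for illustration.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)")


class Ident(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]


def parse_ident(line: str) -> Optional[Ident]:
    """Parse one identification line; None if it is not an SSH banner."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    return Ident(m["proto"], m["software"], m["comments"]) if m else None


def classify(line: str, minimum: Tuple[int, int]) -> str:
    """Return an inventory status for one collected banner line."""
    ident = parse_ident(line)
    if ident is None:
        return "unparseable"
    if not ident.software.startswith("OpenSSH"):
        return "other-implementation"
    m = OPENSSH_RE.match(ident.software)
    if m is None:
        # Banner names OpenSSH but carries no version: cannot be triaged
        # from the banner alone and needs a manual check on the host.
        return "version-unknown"
    version = (int(m.group(1)), int(m.group(2)))
    return "ok" if version >= minimum else "outdated"


def audit(banners: Dict[str, str], minimum: Tuple[int, int]) -> Dict[str, str]:
    return {host: classify(line, minimum) for host, line in banners.items()}


MINIMUM = (9, 0)  # hypothetical policy floor, not a statement about any release
SAMPLE_BANNERS = {  # constructed sample data
    "bastion.example.internal": "SSH-2.0-OpenSSH_9.8\r\n",
    "build01.example.internal": "SSH-2.0-OpenSSH_7.4\r\n",
    "appliance.example.internal": "SSH-2.0-dropbear_2022.83\r\n",
    "masked.example.internal": "SSH-2.0-OpenSSH\r\n",
    "proxy.example.internal": "HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_BANNERS, MINIMUM).items():
        print(f"{status:22} {host}")
```

The `masked.example.internal` entry shows the inventory cost: a banner without a version lands in `version-unknown` and has to be checked on the host itself.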
    
    