Hide version information -- patch attached

Mark Semmler openssh_nospam_ at secrisk.de
Fri Jul 11 21:22:44 EST 2003


Hello programmers, hello maintainers!

Like most of the old smtp servers (e.g. sendmail), ssh servers make it
pretty easy for an attacker to get the name of the software and its version:

 > badboy:~ > telnet niceboy 22
 > Trying a.b.c.d...
 > Connected to localhost.
 > Escape character is '^]'.
 > SSH-2.0-OpenSSH_3.6.1p2
 > ^]
 > telnet> close
 > Connection closed.

I am not a friend of "security through obscurity", but I think each
administrator should have the choice to decide whether this sensitive
information should be freely available or not. So I wrote a small patch
(see attached file).

The patch introduces the new parameter "WelcomeFile" to the
configuration file. Only if this parameter points to a valid file,
openssh reads a welcome message of up to 128 characters out of it and
displays it at the identification exchange, e.g.:

 > badboy:~ > telnet niceboy 22
 > Trying a.b.c.d...
 > Connected to localhost.
 > Escape character is '^]'.
 > SSH-2.0-Why should I tell you?
 > ^]
 > telnet> close
 > Connection closed.

If WelcomeFile is not set or if some error occurs while trying to read the
file, the good old SSH_VERSION is printed out.

If you - dear maintainers - think this is worth completing, please
let me know. I'll then write some docs and/or change some things as
you think is best.



Greetings


Mark

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch-mse
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030711/61e0aef2/attachment.ksh 
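The attached patch itself is not reproduced in the archive, so the following is an added illustration of the behaviour the post describes, not Mark's code and not OpenSSH's: read the first line of a configured WelcomeFile (at most 128 characters), use it as the softwareversion part of the "SSH-2.0-..." identification line, and fall back to the real version string when the file is unset, unreadable or empty. Two things a deployer should keep in mind: RFC 4253 forbids whitespace and '-' in the softwareversion field (the post's example banner contains spaces), so the sketch below replaces such characters with '_'; and SSH clients, OpenSSH's own compatibility code included, key some protocol workarounds off the peer's version string, so hiding it can change how clients treat the server. The function names, the temporary-file demo helpers and the fallback constant (taken from the version shown in the post) are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define WELCOME_MAX 128                         /* cap from the post: at most 128 characters */
#define SSH_VERSION_FALLBACK "OpenSSH_3.6.1p2"  /* constructed: the version string seen in the post */

/* Copy the first line of src into dst, keeping only what RFC 4253 allows in the
 * softwareversion field (printable US-ASCII, no whitespace, no '-'); anything else
 * becomes '_'. Returns the number of characters written (0 = nothing usable). */
static size_t sanitize_softwareversion(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;

    if (dstlen == 0)
        return 0;
    for (; *src != '\0' && n + 1 < dstlen; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '\r' || c == '\n')
            break;                              /* only the first line is used */
        if (c < 0x21 || c > 0x7e || c == '-')
            c = '_';
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return n;
}

/* Read the welcome text (first line, at most WELCOME_MAX chars) from path.
 * Returns 1 on success, 0 when path is unset, unreadable or yields no usable
 * characters, so that the caller falls back to the real version string. */
static int read_welcome_file(const char *path, char *out, size_t outlen)
{
    char raw[WELCOME_MAX + 1];
    FILE *fp;
    int ok;

    if (path == NULL || *path == '\0')
        return 0;
    if ((fp = fopen(path, "r")) == NULL)
        return 0;
    ok = fgets(raw, sizeof raw, fp) != NULL;    /* fgets stops after WELCOME_MAX chars */
    fclose(fp);
    if (!ok)
        return 0;
    return sanitize_softwareversion(raw, out, outlen) > 0;
}

/* Build the line sent at the start of the identification exchange,
 * "SSH-2.0-<softwareversion>\r\n", and return its length. */
static int build_ident_line(const char *welcome_path, char *line, size_t linelen)
{
    char soft[WELCOME_MAX + 1];

    if (!read_welcome_file(welcome_path, soft, sizeof soft))
        snprintf(soft, sizeof soft, "%s", SSH_VERSION_FALLBACK);
    return snprintf(line, linelen, "SSH-2.0-%s\r\n", soft);
}

/* Demo helper (constructed): write content to a temporary WelcomeFile, build the
 * identification line from it, remove the file again and return the line length
 * (-1 on error). content == NULL models "WelcomeFile not set". */
static int ident_from_content(const char *content, char *line, size_t linelen)
{
    char path[] = "/tmp/welcomefile_demo_XXXXXX";
    const char *cfg = NULL;
    int len;

    if (content != NULL) {
        int fd = mkstemp(path);
        if (fd < 0)
            return -1;
        if (write(fd, content, strlen(content)) < 0) {
            close(fd);
            unlink(path);
            return -1;
        }
        close(fd);
        cfg = path;
    }
    len = build_ident_line(cfg, line, linelen);
    if (cfg != NULL)
        unlink(path);
    return len;
}

/* Demo helper (constructed): 1 if the given WelcomeFile content yields expected. */
static int demo_ident_equals(const char *content, const char *expected)
{
    char line[WELCOME_MAX + 16];

    if (ident_from_content(content, line, sizeof line) < 0)
        return 0;
    return strcmp(line, expected) == 0;
}

/* Demo helper (constructed): length of the line produced by n 'A's, showing the cap. */
static int demo_ident_len_for_run(size_t n)
{
    char line[WELCOME_MAX + 16];
    char *content = malloc(n + 2);
    int len;

    if (content == NULL)
        return -1;
    memset(content, 'A', n);
    content[n] = '\n';
    content[n + 1] = '\0';
    len = ident_from_content(content, line, sizeof line);
    free(content);
    return len;
}

int main(void)
{
    char line[WELCOME_MAX + 16];

    ident_from_content("Why should I tell you?\n", line, sizeof line);
    printf("with WelcomeFile   : %s", line);
    ident_from_content(NULL, line, sizeof line);
    printf("WelcomeFile unset  : %s", line);
    return 0;
}
```

The fallback path is deliberately the safe default: any failure while opening or reading the file, or a file whose first line sanitises to nothing, yields the normal version string rather than a malformed identification line, which matches the behaviour the post describes for "not set" and "some error occurs".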