OpenSSH_3.5 version string.

M.B.Gowrishankar bgowrish at riverstonenet.com
Sun Mar 16 07:10:47 EST 2003


Hi,

We found that the OpenSSH server code sends its version string as
"SSH-1.5_OpenSSH_3.5" to the client during the initial phases of
connection establishment. Furthermore, some clients like the telnet client
display this version string on error. For example, if we typed
"Telnet host <> port 22" on a Solaris workstation, where the host is a
machine which is running the OpenSSH 3.5 ssh server, then we get the
following version string displayed on the console by the telnet client:
"SSH-1.5_OpenSSH_3.5"

We don't desire to expose this version string, or at least the
"OpenSSH_3.5" part of the version string, to any client. We see this as a
potential security risk. Someone who comes to know the OpenSSH version
that we use might try to use that to his/her advantage to break the
security.

But the OpenSSH code seems to rely upon this version string. Besides,
removing the "OpenSSH_3.5" from the version string in the server code
seems to cause connectivity problems for certain clients, like ssh
communication for protocol 2.

Is there a way out if we desire not to send the OpenSSH_3.5 version to
the client in the server code? Any pointers will be greatly
appreciated.

thanks
Gowri
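The following is an added example, not code from this post or from OpenSSH. It parses SSH identification strings in the layout later standardized in RFC 4253 (SSH-protoversion-softwareversion, optionally followed by a space and comments; the post transcribes the separator as an underscore) and illustrates the two points a reader of this thread would want to see: an identification line whose software-version field has been emptied does not parse at all, which is one plausible reason stripping "OpenSSH_3.5" breaks protocol 2 clients, while a banner that keeps the field but carries a neutral value still negotiates protocol 2. The `KNOWN_QUIRKS` table and `assess()` report are constructed for illustration and are not OpenSSH's compatibility table.

```python
"""Parse SSH identification strings and show what the software-version
field is used for during connection setup.  Added example; not OpenSSH code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Identification string layout (RFC 4253 section 4.2):
#   SSH-protoversion-softwareversion [SP comments] CR LF
# softwareversion must be present and may not contain whitespace or '-'.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[^\s-]+)"
    r"(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


@dataclass
class Banner:
    major: int
    minor: int
    software: str
    comments: Optional[str]


def parse_banner(line: str) -> Optional[Banner]:
    """Return a Banner, or None when the line is not a valid identification string."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    major, minor = m.group("proto").split(".")
    return Banner(int(major), int(minor), m.group("software"), m.group("comments"))


def negotiate_protocol(b: Banner, client_prefers_2: bool = True) -> Optional[int]:
    """Choose protocol 1 or 2 from the protoversion field alone.
    '1.99' advertises that the peer speaks both versions."""
    speaks_2 = (b.major, b.minor) in ((2, 0), (1, 99))
    speaks_1 = b.major == 1
    if client_prefers_2 and speaks_2:
        return 2
    if speaks_1:
        return 1
    return 2 if speaks_2 else None


# Constructed, illustrative quirk table: a client may key workarounds for
# known peer bugs on the software-version field.  Hypothetical entries only.
KNOWN_QUIRKS: Dict[str, str] = {
    "OpenSSH_2.": "example-quirk-old-openssh",
}


def quirks_for(b: Banner) -> List[str]:
    """Workaround flags a client would enable for this peer (hypothetical table)."""
    return [flag for prefix, flag in KNOWN_QUIRKS.items() if b.software.startswith(prefix)]


def assess(line: str) -> dict:
    """Summarize one identification line: does it parse, which protocol would be
    negotiated, which quirk flags fire, and does the field disclose a version
    number (heuristic: any digit in softwareversion)."""
    b = parse_banner(line)
    if b is None:
        return {"valid": False, "protocol": None, "quirks": [], "reveals_version": False}
    return {
        "valid": True,
        "protocol": negotiate_protocol(b),
        "quirks": quirks_for(b),
        "reveals_version": bool(re.search(r"\d", b.software)),
    }


if __name__ == "__main__":
    # Constructed sample banners, not captured from a live server.
    samples = [
        "SSH-1.99-OpenSSH_3.5\r\n",   # stock banner: parses, protocol 2, discloses version
        "SSH-1.99-\r\n",              # software version removed: does not parse
        "SSH-1.99-SSH\r\n",           # neutral value: parses, protocol 2, no version disclosed
        "SSH-1.5-OpenSSH_3.5\r\n",    # protocol-1-only peer
        "SSH-1.99-OpenSSH_2.9\r\n",   # matches the hypothetical quirk table
    ]
    for s in samples:
        print(repr(s.strip()), "->", assess(s))
```

The report for the emptied banner is the failure mode the post describes: the client never reaches key exchange because the identification line itself is malformed. The neutral banner shows the other side of the trade-off: the protocol only needs the field to be present, but any peer that keys bug workarounds on it (as the constructed table does) loses that information.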