OpenSSH_3.5 version string.

Damien Miller djm at mindrot.org
Sun Mar 16 10:14:45 EST 2003


M.B.Gowrishankar wrote:
> Hi,
> 
> We found that the OpenSSH server code sends its version string as
> "SSH-1.5_OpenSSH_3.5" to the client during the initial phases of
> connection establishment. Furthermore, some clients like the telnet client
> display this version string on error. Like for example if we typed
> "Telnet host <> port 22" on a Solaris workstation, where the host is a
> machine which is running OpenSSH3.5 ssh server, then, we get the
> following version string displayed on the console by the telnet client :
> "SSH-1.5_OpenSSH_3.5"
> 
> We don't desire to expose this version string or at least the
> "OpenSSH_3.5" part of the version string to any client. We see this as a
> potential security risk. Someone who comes to know the OpenSSH version
> that we use, might try to use that to his/her advantage to break the
> security.

Please read the mailing list archives, where this has been covered again and again and again.

Short answer: the version string stays.

-d




More information about the openssh-unix-dev mailing list