[Bug 2971] New: Prevent OpenSSH from advertising its version number
loganaden at gmail.com
Wed Feb 20 18:01:29 AEDT 2019
Also, a lot of measurement/research on deployment of OpenSSH rely on
version advertising for their statistics. It's going to be harder to know
impact of deprecation of certain legacy features without statistics.
I also agree with Mark here.
On Wed, Feb 20, 2019 at 10:57 AM Mark D. Baushke <mdb at juniper.net> wrote:
> Nagesh writes:
> > Cyber security team has recommended to disable the OpenSSH software
> > version advertising when the connection has been established.
> With respect, your cyber security team are foolish if they think that
> obscurity of version will stop any bad actors from attempting to break
> into OpenSSH in any way possible. The only folks hurt by supressing the
> version advertising are the other implementations of the Secure Shell.
> Please DO NOT allow the supression of the OpenSSH version number.
> There are too just many cases where both OpenSSH interoperating with
> itself as well as other SSH implementations have needed this version
> number to properly deal with bugs in the code via negitations.
> This bug should be closed with WONTFIX.
> Thank you,
> -- Mark
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
More information about the openssh-unix-dev